12-09-2014 11:40 PM - edited 03-10-2019 10:15 PM
Hello, I am looking for a solution or best practice for how to deal with printers and MFUs in an 802.1x environment.
I use MAB for them and put them in a separate VLAN for security reasons; the VLAN number is provided by RADIUS.
I also enabled IP device tracking and the inactivity timer to track connected printers and deauthenticate them in case the port stays up but the printer is detached (someone puts a hub/small switch between an 802.1x port and a printer).
At this stage I can't understand the behavior of the idle timeout because it is always decreasing and then reauthentication begins, even if I constantly ping the printer. Isn't it supposed to trigger only if there is no traffic from the device?
sw3560-test#sh authentication sessions int fa0/1
Interface: FastEthernet0/1
MAC Address: f4ce.4648.6626
IP Address: 192.168.251.2
User-Name: f4ce46486626
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 25
Session timeout: N/A
Idle timeout: 60s (local), Remaining: 26s
Common Session ID: C0A8A5920000001100564C94
Acct Session ID: 0x00000015
Handle: 0x46000011
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
The port config:
interface FastEthernet0/1
description MFU test
switchport mode access
switchport voice vlan 7
ip device tracking maximum 10
authentication event fail action authorize vlan 4094
authentication event server dead action authorize vlan 4094
authentication event no-response action authorize vlan 4094
authentication host-mode multi-domain
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 60
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 5
spanning-tree portfast
spanning-tree bpduguard enable
end
12-10-2014 01:57 AM
Hi,
For printers I don't use the inactivity timer and no reauthentication.
Inactivity timers are good in an environment where a PC is connected on an IP phone port and authenticated via MAB.
Hope it helps!
12-10-2014 03:47 AM
I think it will be more secure to enable them, in case someone puts a switch between the printer and the port.
Anyway, I would like to know how the inactivity timer works and why it is always decreasing.
12-10-2014 04:33 AM
You can set the idle-timer for your VLAN via RADIUS under: (see attachment)
Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles
On the switch you need to configure: authentication timer inactivity server.
But it makes no sense in a printer VLAN. If there is no traffic within your configured time, the session will be cleared. Then you need to restart the printer to start the authentication process.
You'll need good shoes.
12-10-2014 10:47 PM
Thanks, I already set the timer via the Network Policy Server; I just don't understand why it is decreasing even if I have traffic.
I use the IP device tracking feature to keep devices connected.
12-10-2014 10:51 PM
Hi Anton. Have you checked if printing a page resets the inactivity timer? Perhaps a ping packet is not sufficient enough to reset the timer.
12-11-2014 03:06 AM
No, I did ping -t to the printer address, same thing.
12-10-2014 10:55 PM
Here is also a link to the MAB deployment guide that has some more info about the inactivity and other related timers.
12-11-2014 03:10 AM
Thanks, I saw this document; there is not much about the inactivity timer.
12-14-2014 11:57 PM
Sorry, does anyone know the answer?
12-15-2014 03:20 AM
Hi Anton. I haven't had the chance to test this but my gut feeling is telling me that "ping/icmp" alone does not count as "printer traffic" on the wire, thus, not resetting the counter. I would recommend that:
1. You do some different tests and see if the counter is reset...such as:
- Print a page
- Use a TCP based ping
2. You can also contact Cisco TAC and obtain more information about the inactivity counter, for instance what type of traffic actually resets the counter.
3. It is also possible that the "dumb" hub/switch that sits between the dot1x port and the printer is not passing the relative information, thus preventing the inactivity timer from resetting.
Thank you for rating helpful posts!
05-31-2018 05:55 AM
I see this is a question from a long time ago, but it still seems relevant today as I was debugging a similar situation.
If I do a "sh authentication sessions interface X"
I would see the "Remaining" counter on "Idle timeout" decrease even if there is traffic.
It seems it does count correctly internally though, because when the timer hits zero it starts again with the actual remaining inactive time left (also seen in the debug).
So, for example, if I have defined on the interface
authentication timer inactivity 120
and suppose you have traffic for the first 90 seconds.
Then you would see the timer go down from 120 until it reaches 0 (you won't see it reset during the 90 seconds of traffic as you would expect), and then it restarts with a remaining counter of 90 (as you have been 30 seconds inactive by now, and that is deducted from the 120 you would normally start with).
I don't know if I explain it well enough, but basically, you only see the real inactive time remaining at the times the timer reaches 0 and is then reset to the real inactive time remaining.
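To make the explanation in the last post concrete, here is an added Python model (not from the thread and not Cisco code) of the displayed "Remaining" countdown versus the real inactivity time left, plus a parser for the "Idle timeout" line of the show output quoted at the top of the thread. The timeout (120 s) and traffic pattern (first 90 s) are the poster's own example; the reset rule (display restarts at the real remaining time only when it hits 0) and the assumption that any frame from the endpoint counts as activity are taken from that description, not verified on a switch.

```python
import re

# Constructed sample: the relevant lines of the "sh authentication sessions"
# output quoted earlier in the thread (not live output from a switch).
SHOW_OUTPUT = """\
Interface: FastEthernet0/1
MAC Address: f4ce.4648.6626
Status: Authz Success
Idle timeout: 60s (local), Remaining: 26s
"""

def parse_idle_timeout(text):
    """Return (configured_seconds, source, remaining_seconds) from the
    'Idle timeout' line, or None if the session shows no idle timeout."""
    m = re.search(r"Idle timeout:\s*(\d+)s \((\w+)\),\s*Remaining:\s*(\d+)s", text)
    if not m:
        return None
    return int(m.group(1)), m.group(2), int(m.group(3))

def simulate(timeout, traffic_seconds, duration):
    """Step one second at a time. traffic_seconds is the set of seconds in
    which the endpoint sent a frame (assumption: any frame counts as activity).
    Returns ({second: (displayed_remaining, real_remaining)}, cleared_at)."""
    displayed = timeout          # what "Remaining:" shows
    last_traffic = 0             # session starts at t=0 with fresh activity
    rows, cleared_at = {}, None
    for t in range(1, duration + 1):
        if t in traffic_seconds:
            last_traffic = t
        real = timeout - (t - last_traffic)   # true time left before clearing
        if real <= 0:
            cleared_at = t                    # session is removed here
            break
        displayed -= 1                        # display ignores traffic...
        if displayed <= 0:
            displayed = real                  # ...until it hits 0, then restarts
        rows[t] = (displayed, real)           # at the real inactive time left
    return rows, cleared_at

if __name__ == "__main__":
    print(parse_idle_timeout(SHOW_OUTPUT))
    rows, cleared = simulate(120, set(range(1, 91)), 300)
    for t in (90, 119, 120, 209):
        print(t, rows[t])
    print("cleared at", cleared)
```

With the poster's numbers the display reads 1 at second 119 while the real remaining time is 91, jumps to 90 at second 120, and the session is cleared at second 210, exactly the behaviour described above.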