802.1x printers idle timeout

Hello, I am looking for a solution or best practice for how to deal with printers and MFUs in an 802.1x environment.

I use MAB for them and put them in a separate VLAN for security reasons; the VLAN number is provided by RADIUS.

I also enabled IP device tracking and the inactivity timer to track connected printers and deauthenticate them in case the port stays up but the printer is detached (someone puts a hub/small switch between an 802.1x port and a printer).

At this stage I can't understand the behavior of the idle timeout, because it is always decreasing and then reauthentication begins, even if I constantly ping the printer. Is it supposed to trigger only if there is no traffic from the device?

sw3560-test#sh authentication sessions int fa0/1
            Interface:  FastEthernet0/1
          MAC Address:  f4ce.4648.6626
           IP Address:  192.168.251.2
            User-Name:  f4ce46486626
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  25
      Session timeout:  N/A
         Idle timeout:  60s (local), Remaining: 26s
    Common Session ID:  C0A8A5920000001100564C94
      Acct Session ID:  0x00000015
               Handle:  0x46000011

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

the port config:

interface FastEthernet0/1
 description MFU test
 switchport mode access
 switchport voice vlan 7
 ip device tracking maximum 10
 authentication event fail action authorize vlan 4094
 authentication event server dead action authorize vlan 4094
 authentication event no-response action authorize vlan 4094
 authentication host-mode multi-domain
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 60
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-reauth-req 5
 spanning-tree portfast
 spanning-tree bpduguard enable
end

11 Replies

hdussa
Level 1

Hi,

For printers I don't use an inactivity timer and no reauthentication.

Inactivity timers are good in an environment where a PC is connected on an IP-Phone port and authenticated via MAB.

Hope it helps!

I think it will be more secure to use them, in case someone puts a switch between the printer and the port.

Anyway, I would like to know how the inactivity timer works and why it is always decreasing.

You can set the idle-timer for your VLAN via RADIUS under: (see attachment)

Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles
On the switch you need to configure: authentication timer inactivity server.

But it makes no sense in a printer VLAN. If there is no traffic within your configured time, the session will be cleared. Then you need to restart the printer to start the authentication process.

You´ll need good shoes.

Thanks, I already set the timer via the Network Policy Server; I just don't understand why it is decreasing even if I have traffic.

I use ip device tracking feature to keep devices connected.

Hi Anton. Have you checked if printing a page resets the inactivity timer? Perhaps a ping packet is not sufficient to reset the timer.

No, I did ping -t to the printer address, same thing.

nspasov
Cisco Employee

Here is also a link to the MAB deployment guide that has some more info about the inactivity and other related timers. 

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

Thanks, I saw this document; there is not much about the inactivity timer.

Sorry, does anyone know the answer?

Hi Anton. I haven't had the chance to test this, but my gut feeling is telling me that "ping/icmp" alone does not count as "printer traffic" on the wire, thus not resetting the counter. I would recommend that:

1. You do some different tests and see if the counter is reset...such as:

- Print a page

- Use a TCP based ping

2. You can also contact Cisco TAC and obtain more information about the inactivity counter, for instance what type of traffic actually resets the counter.

3. It is also possible that the "dumb" hub/switch that sits between the dot1x port and the printer is not passing the relative information, thus preventing the inactivity timer from resetting. 

Thank you for rating helpful posts!

I see this is a question from a long time ago, but it still seems relevant today, as I was debugging a similar situation.
If I do a "sh authentication sessions interface X"
I would see the "Remaining" counter on "Idle timeout" decrease even if there is traffic.

It seems it does count correctly internally though, because when the timer hits zero it starts again with the actual remaining inactive time left (also seen in the debug).

So, for example, if I have defined on the interface

authentication timer inactivity 120

and suppose you have traffic for the first 90 seconds.

Then you would see the timer go down from 120 until it reaches 0 (you won't see it reset during the 90 seconds of traffic, as you would expect) and then it restarts with a remaining counter of 90 (as you have been 30 seconds inactive by now, and that is deducted from the 120 you would normally start with).

I don't know if I explained it well enough, but basically you only see the real inactive time remaining at the moments the timer reaches 0, and it is then reset to the real inactive time remaining.
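The counter behaviour described in the reply above, as an added simulation that is not part of the original thread and is not Cisco code: it takes the reply's description as the model (the displayed "Remaining" value counts down from the configured inactivity timer regardless of traffic, and only when it reaches 0 does the switch look at the real time since the host last sent a frame, either clearing the session or restarting the display at configured minus the real inactive time). Everything else is assumed: the clock advances in whole seconds, and any frame from the host resets the real inactivity clock (the thread does not settle whether ICMP from the printer counts). The 120-second example from the reply reproduces exactly: one restart at t=120 showing 90, and the session cleared at t=210.

```python
"""Simulation of the 'Idle timeout ... Remaining' display behaviour described in
the reply above. Added example, not Cisco code; the model and the one-second
clock are assumptions, not documented switch behaviour."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class IdleTimerModel:
    configured: int                      # authentication timer inactivity <seconds>
    now: int = 0                         # simulated seconds since the session authenticated
    last_traffic: int = 0                # clock value when the host last sent a frame (assumed: any frame counts)
    displayed: int = field(init=False)   # what 'Remaining:' would print right now
    cleared_at: Optional[int] = None     # clock value at which the session was cleared
    restarts: List[Tuple[int, int]] = field(default_factory=list)  # (time, value) each time the display wraps

    def __post_init__(self) -> None:
        self.displayed = self.configured

    def tick(self, host_sent_frame: bool) -> None:
        """Advance the clock by one second and apply the reply's rule."""
        if self.cleared_at is not None:
            return
        self.now += 1
        if host_sent_frame:
            self.last_traffic = self.now
        # The displayed value always decreases, even while traffic flows.
        self.displayed -= 1
        if self.displayed > 0:
            return
        # Only now does the real inactive time matter.
        inactive = self.now - self.last_traffic
        if inactive >= self.configured:
            self.cleared_at = self.now            # session removed; the printer must re-authenticate
        else:
            self.displayed = self.configured - inactive
            self.restarts.append((self.now, self.displayed))


def run(configured: int, traffic_until: int, horizon: int) -> IdleTimerModel:
    """The host sends one frame per second for the first `traffic_until` seconds,
    then goes silent; simulate up to `horizon` seconds or until the session clears."""
    model = IdleTimerModel(configured)
    for t in range(1, horizon + 1):
        model.tick(host_sent_frame=(t <= traffic_until))
        if model.cleared_at is not None:
            break
    return model


if __name__ == "__main__":
    # The reply's example: 120-second timer, traffic only during the first 90 seconds.
    quiet = run(configured=120, traffic_until=90, horizon=600)
    print("display restarts:", quiet.restarts)     # [(120, 90)]
    print("session cleared at:", quiet.cleared_at)  # 210 = 90 s of traffic + 120 s idle

    # A printer that sends a frame every second: the display still wraps every
    # 120 seconds, but the session is never cleared.
    busy = run(configured=120, traffic_until=600, horizon=600)
    print("busy restarts:", busy.restarts[:2], "cleared:", busy.cleared_at)
```

The useful takeaway for the original question is visible in the busy case: watching "Remaining" fall towards 0 on a port with traffic is not evidence that the switch is about to reauthenticate the printer; only what happens when it reaches 0 (a restart versus a cleared session) tells you whether the traffic was counted.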