Cisco ACS RADIUS attributes with HP Switches behavior

B. BELHADJ
Level 4

Hello,

Last week I was with the HPE network team to configure HP switches (Comware) against our Cisco ACS, which we use for RADIUS services.

We encountered a problem that opened a big discussion and debate, which I appreciated, with a great team of HPE network engineers.

  1. In the production environment, we already have Cisco switches configured with our Cisco ACS 5.4, and they are working fine.
  2. The only configured RADIUS IETF attributes are:

   Attribute                 Type                  Value
   Tunnel-Type               Tagged Enum           [T:1]VLAN
   Tunnel-Medium-Type        Tagged Enum           [T:1]802
   Tunnel-Private-Group-ID   Tagged String         [T:1]200
   Session-Timeout           Unsigned Integer 32   0
   Termination-Action        Enumeration           Default

 (cf. Screenshot)

With this configuration, the IP Phones and Printers work fine with the Cisco switches.

When we add the HP switch to this ACS, the IP Phone and Printers used for testing are successfully authenticated and then immediately disconnected!!

But when we delete the "Session-Timeout" and "Termination-Action" attributes, the IP Phone and the Printer are authenticated and stay connected to the network.

RFC 3580 says that:

   When sent along in an Access-Accept without a Termination-Action attribute or with a Termination-Action attribute set to Default, the Session-Timeout attribute specifies the maximum number of seconds of service provided prior to session termination.

   When sent in an Access-Accept along with a Termination-Action value of RADIUS-Request, the Session-Timeout attribute specifies the maximum number of seconds of service provided prior to re-authentication. In this case, the Session-Timeout attribute is used to load the reAuthPeriod constant within the Reauthentication Timer state machine of 802.1X. When sent with a Termination-Action value of RADIUS-Request, a Session-Timeout value of zero indicates the desire to perform another authentication (possibly of a different type) immediately after the first authentication has successfully completed.

   When sent in an Access-Challenge, this attribute represents the maximum number of seconds that an IEEE 802.1X Authenticator should wait for an EAP-Response before retransmitting. In this case, the Session-Timeout attribute is used to load the suppTimeout constant within the backend state machine of IEEE 802.1X.

 

My questions are:

  1. Why do the Cisco switches work fine with the "Session-Timeout=0" and "Termination-Action=Default" attributes?
  2. Why do we need to delete these attributes for the devices (IP Phone and printer) to work with the HP switches?

Please help us!

Thank you for your replies.

Best regards.
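To make the RFC 3580 paragraphs quoted above concrete, here is an added worked example (written for this page, not code from the original post, Cisco or HPE). It encodes the five attributes from the ACS table above as RADIUS attribute TLVs (untagged 32-bit integers per RFC 2865, tagged tunnel attributes per RFC 2868, where the ACS "[T:1]" is the tag byte), decodes them again, and then applies the Session-Timeout / Termination-Action rules from RFC 3580 section 3.17. The attribute numbers and enumerated values (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81, Session-Timeout 27, Termination-Action 29 with Default = 0 and RADIUS-Request = 1) are from the RFCs. The `zero_means_no_timeout` flag is an assumption: RFC 3580 only gives a meaning to Session-Timeout = 0 together with RADIUS-Request, so a switch that receives 0 with Default can either read the text literally (terminate after 0 seconds) or treat 0 as "no timeout"; the two readings match the two behaviours the post reports, but which vendor does what is not documented on this page and is not claimed here. Only the attribute block is built, not the full Access-Accept packet with header and authenticator.

```python
"""Added example: encode/decode the Access-Accept attributes from the ACS
table and evaluate them under RFC 3580 s.3.17.  Not from the original post."""
import struct

# IETF attribute numbers (RFC 2865 / RFC 2868) and enumerated values (RFC 3580).
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "802"
TERM_DEFAULT = 0               # Termination-Action "Default"
TERM_RADIUS_REQUEST = 1        # Termination-Action "RADIUS-Request"


def encode_integer(attr_type, value):
    """Untagged 32-bit integer attribute: Type, Length=6, Value (RFC 2865)."""
    return struct.pack("!BBI", attr_type, 6, value)


def encode_tagged_integer(attr_type, tag, value):
    """Tagged integer (RFC 2868 s.3.1/3.2): Type, Length=6, Tag, 24-bit Value."""
    if not 0 <= tag <= 0x1F or value >= 1 << 24:
        raise ValueError("tag must be 0..0x1F and value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, tag, text):
    """Tagged string (RFC 2868 s.3.6): Type, Length, Tag, String."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data


def build_access_accept_attrs(vlan, session_timeout=None, termination_action=None):
    """Attribute block for a VLAN assignment (tag 1, as in the ACS screen),
    optionally followed by Session-Timeout and Termination-Action."""
    attrs = (
        encode_tagged_integer(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
        + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
        + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, str(vlan))
    )
    if session_timeout is not None:
        attrs += encode_integer(SESSION_TIMEOUT, session_timeout)
    if termination_action is not None:
        attrs += encode_integer(TERMINATION_ACTION, termination_action)
    return attrs


def decode_attrs(blob):
    """Walk the TLV stream and return {type: [value, ...]}.  Tunnel attributes
    decode to (tag, value); Session-Timeout/Termination-Action to int; anything
    else is kept as raw bytes.  Length fields are validated before use."""
    out = {}
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2 : i + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            value = (body[0], int.from_bytes(body[1:4], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string.
            if body[0] <= 0x1F:
                value = (body[0], body[1:].decode("ascii"))
            else:
                value = (0, body.decode("ascii"))
        elif atype in (SESSION_TIMEOUT, TERMINATION_ACTION):
            value = int.from_bytes(body, "big")
        else:
            value = body
        out.setdefault(atype, []).append(value)
        i += alen
    return out


def session_policy(attrs, zero_means_no_timeout=False):
    """Apply RFC 3580 s.3.17 to decoded Access-Accept attributes.

    With Termination-Action absent or Default, Session-Timeout is 'seconds of
    service prior to session termination'; the RFC defines a value of 0 only
    for the RADIUS-Request case (re-authenticate immediately).  The flag is an
    ASSUMPTION modelling the alternative reading '0 = no timeout'."""
    timeouts = attrs.get(SESSION_TIMEOUT, [])
    actions = attrs.get(TERMINATION_ACTION, [])
    if not timeouts:
        return ("no-timeout", None)
    secs = timeouts[0]
    action = actions[0] if actions else TERM_DEFAULT
    if action == TERM_RADIUS_REQUEST:
        return ("reauth-now", 0) if secs == 0 else ("reauth-after", secs)
    if secs == 0 and zero_means_no_timeout:
        return ("no-timeout", None)
    return ("terminate-after", secs)


if __name__ == "__main__":
    decoded = decode_attrs(build_access_accept_attrs(200, 0, TERM_DEFAULT))
    print(decoded)
    print("literal reading:", session_policy(decoded))
    print("0 = no timeout :", session_policy(decoded, zero_means_no_timeout=True))
```

Running the script with the post's attribute set (VLAN 200, Session-Timeout 0, Termination-Action Default) shows the literal reading yields `terminate-after 0`, i.e. a session that is torn down right after the Access-Accept, while the alternative reading keeps it up; dropping the two attributes, or sending Termination-Action = RADIUS-Request with a non-zero timeout, gives an unambiguous result under both readings, which is the check worth making on a RADIUS capture before blaming either switch.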

1 Reply

Rajat Gupta
Level 1

Hello Abdollah,

Can you please share your Cisco switch configuration?

Regards,

Rj