08-28-2016 03:12 AM - edited 03-11-2019 12:02 AM
Hello,
Last week I was with the HPE network team to configure HP switches (Comware) with our Cisco ACS used for RADIUS services.
We encountered a problem that opened a big discussion and debate, which I appreciated, with a great team of HPE network engineers.
| Attribute | Type | Value |
|---|---|---|
| Tunnel-Type | Tagged Enum | [T:1]VLAN |
| Tunnel-Medium-Type | Tagged Enum | [T:1]802 |
| Tunnel-Private-Group-ID | Tagged String | [T:1]200 |
| Session-Timeout | Unsigned Integer 32 | 0 |
| Termination-Action | Enumeration | Default |
(cf. Screenshot)
With this configuration, IP phones and printers work fine with Cisco switches.
When we add the HP switch to this ACS, the IP phone and printer used for testing are successfully authenticated and immediately disconnected!!
But when we delete the “Session-Timeout” and “Termination-Action” attributes, the IP phone and the printer are authenticated and stay connected to the network.
RFC 3580 says that:
When sent along in an Access-Accept without a Termination-Action
attribute or with a Termination-Action attribute set to Default, the
Session-Timeout attribute specifies the maximum number of seconds of
service provided prior to session termination.
When sent in an Access-Accept along with a Termination-Action value
of RADIUS-Request, the Session-Timeout attribute specifies the
maximum number of seconds of service provided prior to re-
authentication. In this case, the Session-Timeout attribute is used
to load the reAuthPeriod constant within the Reauthentication Timer
state machine of 802.1X. When sent with a Termination-Action value
of RADIUS-Request, a Session-Timeout value of zero indicates the
desire to perform another authentication (possibly of a different
type) immediately after the first authentication has successfully
completed.
When sent in an Access-Challenge, this attribute represents the
maximum number of seconds that an IEEE 802.1X Authenticator should
wait for an EAP-Response before retransmitting. In this case, the
Session-Timeout attribute is used to load the suppTimeout constant
within the backend state machine of IEEE 802.1X.
My questions are:
@Scott Morris - CCDE/4xCCIE/2xJNCIE
Please help us!
Thank you for your replies.
Best regards.
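How an authenticator that applies the quoted RFC 3580 text literally would read Session-Timeout and Termination-Action, as an added example that is not part of the original post and is not HPE or Cisco code. The function names, the result labels and the sample packets built by `build_packet` are constructed for illustration.

```python
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
SESSION_TIMEOUT, TERMINATION_ACTION = 27, 29
TA_DEFAULT, TA_RADIUS_REQUEST = 0, 1

def parse_attributes(packet):
    """Return (code, {attr_type: value_bytes}) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        # Each attribute is type(1) + length(1) + value; length covers all three.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return code, attrs

def _u32(value):
    if len(value) != 4:
        raise ValueError("expected a 4-byte integer attribute")
    return struct.unpack("!I", value)[0]

def session_timeout_meaning(packet):
    """Apply the RFC 3580 text quoted in the post to one packet."""
    code, attrs = parse_attributes(packet)
    if SESSION_TIMEOUT not in attrs:
        return ("not-set", None)                  # quoted text does not apply
    seconds = _u32(attrs[SESSION_TIMEOUT])
    if code == ACCESS_CHALLENGE:
        return ("eap-retransmit-wait", seconds)   # loads suppTimeout
    if code != ACCESS_ACCEPT:
        return ("not-covered", seconds)
    action = _u32(attrs.get(TERMINATION_ACTION, struct.pack("!I", TA_DEFAULT)))
    if action == TA_RADIUS_REQUEST:
        return ("reauthenticate-after", seconds)  # loads reAuthPeriod
    if action == TA_DEFAULT:
        return ("terminate-after", seconds)       # attribute absent or Default
    return ("not-covered", seconds)

def build_packet(code, attrs):
    """Constructed sample packet: zeroed authenticator, identifier fixed to 1."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body
```

With the values from the table above (Session-Timeout 0, Termination-Action Default) the function returns `("terminate-after", 0)`; with both attributes removed it returns `("not-set", None)`.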
09-12-2016 11:47 PM