cisco authentication timer restart

Thomas Kohb
Level 1

Hello, we have a problem with a fiber converter. If the device behind the converter is changed, the link on the switch port remains up. This results in a security breach: the port goes into error-disable status because it sees a new MAC for the same AuthSessionID. Behavior per design. Can you restart 1 with the command authentication timer ... to create a new SessionID? Would the command authentication timer reauthenticate server .... be with the same AuthID at the ISE server, or get a new one?

Tags: 802.1x, AAA, Identity Services Engine (ISE), dot1x, ISE, Port Sec

2 Accepted Solutions

@Thomas Kohb  - that's an unfortunate situation, that the media converter presents its own MAC address. Is there no transparent mode (passthrough mode) so that the media converter operates at Layer 1 only?

Anyway - as MHM correctly pointed out, if your switch port must support more than one MAC address, then you will be forced to use a host mode like multi-auth, or multi-host - either of these will allow more than one MAC address - they differ slightly:

multi-host - only the first MAC is subject to AAA authentication, and then the port allows the others to piggyback

multi-auth - allows one voice MAC, and multiple DATA domain MACs - each DATA domain MAC must be AAA authenticated

 

single-host and multi-domain only support one MAC address in the DATA domain.

 


Hi @Thomas Kohb ,

 beyond what @MHM Cisco World and @Arne Bier said ...

 When you asked about:

1st: " ... Can you restart 1 with the command authentication timer ... create a new SessionID? ... " - no, the authentication timer restart attempts to authenticate an Unauthorized Port (there is no SessionID at this point).

2nd: " ... the command authentication timer reauthenticate server .... would be with the same AuthID at the ISE Server or get an new ... " - the authentication timer reauthenticate server uses the same Session ID (it reauthenticates an Authorized Port).

 

Hope this helps!!!

9 Replies

Try multi-auth if the port connects to multiple hosts (or the host changes on the port);
this makes the switch detect the new host and authenticate it with AAA.

Please try it on one port; if successful, apply it to all other ports.

Hey,

yes ... I will try it today ...

andrewswanson
Level 7

Do your fiber converters support Link Fault Pass Through (LFP)? This function can shutdown the converter fiber link if the copper link goes down (I'm assuming the converter fiber link connects to your switch).

hth
Andy

Hey,

yes, the converter supports LFP ... but with this setting ... the first seen MAC is the MAC of the converter -.- auth fail ^^


@Marcelo Morais - can you please explain more about the difference between AuthID and SessionID?  What is the reason/purpose of either one of these and what is the relationship etc.

 

I think the explanation of these two might be very useful. Then there is also the Accounting ID - or is that just an alias for one of the above?

Hey,

we replaced the fibre converter ... all fine ... thanks for your time

Hi @Arne Bier ,

 we have the following:

. Accounting Session ID (Acct Session ID)

RADIUS Attribute 44 is a unique Accounting Identifier that makes it easy to match Start and Stop records in a log file. The Start and Stop records for a given session MUST have the same Acct-Session-ID. RADIUS Attribute 44 is automatically enabled when AAA Accounting is configured. The Acct Session ID is sent ONLY as part of the Accounting Request, and an Accounting Request packet MUST have an Acct Session ID. Acct Session ID numbers restart at 1 each time the router is power-cycled or the software is reloaded. The Acct Session ID can take values from 00000000 to FFFFFFFF. The Acct Session ID is an attribute supported for the RADIUS CoA feature (CoA Requests).
Ex. (debug):

...
00:03:13: RADIUS: Acct-Session-Id [44] 10 "00000002"
...

. Audit Session ID (referred to as a Common Session ID)

The Audit Session ID is a Cisco VSA (Vendor-Specific Attribute). The Authentication Manager uses a single Session ID (referred to as a Common Session ID or Audit Session ID) for a client no matter which authentication method is used. This ID is used for ALL reporting purposes, such as the show commands and MIBs. The Common Session ID is composed of <NAS IP Addr><Session Count><Session Start Time Stamp>, for example: AC14FE01 00000FB5 2A8CF418.
The Audit Session ID is an attribute supported for the RADIUS CoA feature (CoA Requests).

Ex.:

...
cisco-av-pair=audit-session-id=0A3E946C00000073559C0123
...

or

# show authentication sessions
Interface MAC Address Method Domain Status Session ID
Fa4/0/4 0000.0000.0001 mab DATA Authz Success 160000050000000B288508E5

 

Example for both:

#show authentication sessions interface FastEthernet0/10
...
Common Session ID: 0A70081A0000012D2A8CD1BF
Acct Session ID: 0x00000671
...

 

Regards
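Added example (not code from the post, Cisco or ISE): a small Python helper that splits a Common Session ID into the three fields Marcelo lists above, pulls the ID out of a cisco-av-pair line or a "show authentication sessions" row, and reports any session ID that has been seen with more than one MAC, the condition behind the err-disable in the original question. The sample lines are constructed to match the formats quoted in the post; the time-stamp field is kept as a raw integer because the post does not state its epoch.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Constructed sample input modelled on the formats quoted in the post above (not captured output).
SAMPLE_AVPAIR = "cisco-av-pair=audit-session-id=0A3E946C00000073559C0123"
SAMPLE_SHOW = [
    "Interface MAC Address Method Domain Status Session ID",
    "Fa4/0/4 0000.0000.0001 mab DATA Authz Success 160000050000000B288508E5",
    "Fa4/0/5 0000.0000.0002 dot1x DATA Authz Success 160000050000000C288509F1",
    # Same port and Common Session ID, but a different MAC: the media-converter case
    "Fa4/0/4 0000.0000.00AA mab DATA Authz Success 160000050000000B288508E5",
]
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})\s+(?P<method>\S+)\s+"
    r"(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<sid>[0-9A-Fa-f]{24})$")

@dataclass(frozen=True)
class CommonSessionId:
    nas_ip: IPv4Address  # <NAS IP Addr>: first 8 hex digits
    session_count: int   # <Session Count>: next 8 hex digits
    start_stamp: int     # <Session Start Time Stamp>: last 8 hex digits, kept as a raw integer

def parse_common_session_id(sid: str) -> CommonSessionId:
    """Split a 24-hex-digit Audit/Common Session ID into the three fields listed above."""
    if not re.fullmatch(r"[0-9A-Fa-f]{24}", sid):
        raise ValueError(f"not a 24-hex-digit Common Session ID: {sid!r}")
    return CommonSessionId(IPv4Address(int(sid[:8], 16)), int(sid[8:16], 16), int(sid[16:], 16))

def session_id_from_avpair(line: str) -> Optional[str]:
    """Pull the ID out of a 'cisco-av-pair=audit-session-id=...' attribute, if present."""
    m = re.search(r"audit-session-id=([0-9A-Fa-f]{24})", line)
    return m.group(1) if m else None

def parse_show_rows(lines: list) -> list:
    """Parse 'show authentication sessions' rows; header and non-matching lines are skipped."""
    rows = [m.groupdict() for m in map(ROW_RE.match, (ln.strip() for ln in lines)) if m]
    for row in rows:
        row["mac"] = row["mac"].lower()  # normalise so 00AA and 00aa compare equal
    return rows

def sessions_with_multiple_macs(rows: list) -> dict:
    """Map each Common Session ID seen with more than one MAC to the set of those MACs.
    This is the condition in the question: a new MAC appearing behind the same session."""
    seen = {}
    for row in rows:
        seen.setdefault(row["sid"], set()).add(row["mac"])
    return {sid: macs for sid, macs in seen.items() if len(macs) > 1}
```

Feeding it two snapshots of the show output taken before and after a device swap surfaces the session that changed MAC without waiting for the port to err-disable.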