Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
949
Views
30
Helpful
7
Replies

Devices re-authenticating when off network, causing rejections

dlock
Level 1
Level 1

‎03-15-2019 05:38 AM

We have a client with an ISE deployment in place to authenticate with dot1x on client computers. When the device is offline for an extended period of time, the dot1x reauth timer keeps attempting to reauth the session. Since there's nothing on the other end, it constantly fails which then rejects the device eventually, and when the devices are attached to the network the following day, they are unable to connect.... and it seems like releasing the rejected doesn't reauthenticate the device. 

 

Below is the config on the ports. Not sure what would be needed to help troubleshoot from ISE.

 

interface GigabitEthernetx/y/z
switchport access vlan XY
switchport voice vlan XYZ
switchport mode access
authentication event fail action next-method
authentication event server dead action reinitialize vlan 30
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 7
spanning-tree portfast
ip device tracking maximum 0
srr-queue bandwidth share 1 30 35 5
priority-queue out

0 Helpful
7 Replies 7

paul
Level 10
Level 10

‎03-15-2019 06:11 AM

Most likely the devices are behind non-Cisco phones that are not correctly configured for or don't support EAP proxy logoff.  You can configure an inactivity timer to deal with that situation.  Set it to something like 5 minutes.

dlock
Level 1
Level 1
In response to paul

‎03-15-2019 06:15 AM

That would be correct. The phones are a cheaper Mitel device. I'd have to check with the vendor to see if EAP proxy logoff is supported.

Where would I configure the inactivity timer for that?
0 Helpful

paul
Level 10
Level 10
In response to dlock

‎03-15-2019 06:30 AM

You should have these 3 lines:

 

authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server

 

This allows ISE to set reauthentication and inactivity values.  Under your authorization profile you specify the desired reauthentication timer (one of the common options) and you specify the inactivity timer as an advanced option.  It is in the RADIUS dictionary.

bern81
Level 1
Level 1
In response to paul

‎03-15-2019 07:29 AM

Hi ,

 

Like Paul mentioned.

I just wanted to add for authentication timer reauthenticate on the ISE it is called:

raduis-session-timeout    (radius attribute 27)

Inactivity timer   is called : idle-timeout (radius attribute 28)

 

Please rate if helpful

 

 

paul
Level 10
Level 10
In response to bern81

‎03-15-2019 07:35 AM

You don't need to use an advanced attribute for reauthentication.  There is a built in common task called Reauthentication that maps to the RADIUS session timeout value.

dlock
Level 1
Level 1
In response to paul

‎03-15-2019 08:49 AM

OK. I think I've understood. Create a new Authorization Profile with Reauthentication checked underneath common tasks. Then tag it with a Idle-Timeout. Is the value field here also in seconds?

0 Helpful

paul
Level 10
Level 10
In response to dlock

‎03-15-2019 12:29 PM

Yes also in seconds.  I usually set it 300.

Customers Also Viewed These Support Documents