dot1x and reauth

MAGNUS SVENSSON
Level 1

We are running dot1x and ISE, and we only do machine authentication. We have configured reauth every 600 seconds. If we have a Skype call going on and the switch requests the client to reauth the session ("Session timeout: 600s (server), Remaining: 0s"), the sound in the call is interrupted for approx. 5 seconds.

Does anyone suffer from the same problem? And how did you solve it?

/Magnus 


11 Replies

hslai
Cisco Employee

A re-auth frequency of 600 seconds (or 10 minutes) is much too often. The best practice is to increase it to 2+ hours (or 7200+ seconds). See the slide 264 in Session Reference from Designing ISE for Scale & High Availability - BRKSEC-3699.

In your case, you might want to adjust it to at least 8 hours.

yes that timeout is a bit extreme.  However, it doesn't change the fact that when a session time DOES occur, that your clients will be happy with a 5 second interruption. 

 

There are 802.1X protocol enhancements that can be enabled to allow the EAP process to be sped up.  In a non-optimised case, there are around a dozen EAP messages sent from the supplicant to ISE - if there is a lot of latency then this all adds up.

You don't mention which EAP method you're using, but in the case of EAP-PEAP you can enable two things - one at a time ...

[Screenshot: peap.png]

Finally, on the wireless level, there are things that could be done to prevent the need to even speak to the radius server.  E.g. 802.1r (Fast Transition/Fast Roaming), etc.  That's a whole other discussion and it's dependent on the client support.  The idea is that the WLC takes care of the keying material without needing a Radius server to keep generating it.  You do it for a certain time period, and then involve the radius server again.  But it reduces load on radius server, network and also better experience for clients.

 

Hi.

We have this quite aggressive reauth time because we will not allow unauthorized clients to access our network (not for a long time anyway; 600 seconds is enough).

I think you (Arne) might point me in the right direction. We use EAP-TLS; there is a tickbox "Enable Stateless Session Resume" and a "Session ticket time to live" setting. If I would like to stay with 600 seconds for reauth, what value would you put in the above parameters?

When the reauth occurs the skype call is interrupted for like 3-5 seconds, we had a ping going at the same time and the response time went from 2ms to 6ms.

/Magnus

 

How is the interface config set for dot1x and mab ordering? If you are doing mab first then this is expected behavior. You can change the behavior using a Cisco VSA sent during authentication. See: https://community.cisco.com/t5/security-documents/top-ten-mis-configured-cisco-ios-switch-settings-for-ise/ta-p/3643912#toc-hId--1759816418

Hi. Here is the port configuration.

 

interface GigabitEthernet2/0/32
 switchport mode access
 switchport nonegotiate
 switchport block multicast
 switchport block unicast
 ipv6 nd raguard
 ipv6 snooping attach-policy snooping-policy
 ipv6 dhcp guard
 authentication event fail action next-method
 authentication event server dead action authorize vlan 999
 authentication event no-response action authorize vlan 999
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 1
 storm-control broadcast level 60.00 40.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 30
end

Make sure the ISE is sending both session-timeout value (600) and the terminate-action value (1).

Hi, here are some of the RADIUS attributes that we send. I think Terminate-Action = Radius-Request is the value of 1.

Access Type = ACCESS_ACCEPT
Session-Timeout = 600
Termination-Action = RADIUS-Request

/Magnus
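The port configuration and the Access-Accept attributes above can be checked mechanically against the points raised in this thread (dot1x ordered before mab, periodic reauth driven by the server's Session-Timeout, Termination-Action = RADIUS-Request, and hslai's 7200-second floor). The following is an added example written for this page, not code from the thread or from Cisco; the sample config and attribute set are constructed from the values posted above, and the 7200-second floor is taken from hslai's reply.

```python
"""Sanity-check a Cisco IOS dot1x port config and an ISE Access-Accept
against the practices discussed in the thread (added example)."""
import re

# Constructed sample: a subset of the interface config posted in the thread.
PORT_CONFIG = """\
interface GigabitEthernet2/0/32
 switchport mode access
 authentication event fail action next-method
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x max-reauth-req 1
end
"""

# Constructed sample: attributes from the Access-Accept shown in the thread.
ACCESS_ACCEPT = {
    "Session-Timeout": 600,
    "Termination-Action": "RADIUS-Request",
}

# RFC 2865 Termination-Action values (Default = 0, RADIUS-Request = 1).
TERMINATION_ACTION = {"Default": 0, "RADIUS-Request": 1}

# Best-practice floor quoted by hslai in this thread (2+ hours).
RECOMMENDED_MIN_REAUTH = 7200


def parse_port_config(text):
    """Return the interface's config lines, stripped, without 'interface'/'end'."""
    lines = [l.strip() for l in text.splitlines()]
    return [l for l in lines if l and l != "end" and not l.startswith("interface ")]


def check_port(lines):
    """Findings about method ordering and how periodic reauth is timed."""
    findings = []
    order = [l for l in lines if l.startswith("authentication order ")]
    if order:
        methods = order[0].split()[2:]
        if methods and methods[0] != "dot1x":
            findings.append(f"authentication order {' '.join(methods)}: dot1x should be first")
    if "authentication periodic" not in lines:
        findings.append("authentication periodic is off: Session-Timeout from ISE is ignored")
    elif "authentication timer reauthenticate server" not in lines:
        findings.append("periodic reauth uses a local timer, not the RADIUS Session-Timeout")
    return findings


def dot1x_no_response_seconds(lines):
    """Seconds before a silent supplicant falls through to the next method:
    tx-period * (max-reauth-req + 1). IOS defaults are 30 s and 2 retries."""
    tx_period, max_reauth_req = 30, 2
    for l in lines:
        m = re.match(r"dot1x timeout tx-period (\d+)$", l)
        if m:
            tx_period = int(m.group(1))
        m = re.match(r"dot1x max-reauth-req (\d+)$", l)
        if m:
            max_reauth_req = int(m.group(1))
    return tx_period * (max_reauth_req + 1)


def termination_action_code(attrs):
    """Numeric Termination-Action, accepting either the name or the integer."""
    value = attrs.get("Termination-Action", "Default")
    return TERMINATION_ACTION.get(value, value)


def check_access_accept(attrs, minimum=RECOMMENDED_MIN_REAUTH):
    """Findings about the reauth interval and terminate action ISE returns."""
    findings = []
    timeout = attrs.get("Session-Timeout")
    if timeout is None:
        findings.append("no Session-Timeout: the switch will never reauthenticate")
    elif timeout < minimum:
        findings.append(f"Session-Timeout {timeout}s is below the {minimum}s floor")
    if termination_action_code(attrs) != 1:
        findings.append("Termination-Action should be RADIUS-Request (1), not Default (0)")
    return findings


if __name__ == "__main__":
    port = parse_port_config(PORT_CONFIG)
    print("port findings:", check_port(port) or "none")
    print("dot1x fallback after", dot1x_no_response_seconds(port), "s")
    print("Access-Accept findings:", check_access_accept(ACCESS_ACCEPT) or "none")
```

Run against the posted values, the port config passes every check, the silent-supplicant fallback works out to 3 × (1 + 1) = 6 seconds, and the only finding on the Access-Accept is the 600-second Session-Timeout sitting far below the 7200-second floor, which is exactly where the thread ended up.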

Can you post the conditions used in the policy rule? Also, the detailed report should provide where the delays are from the ISE side. If no delays seen in the detailed report, then you will have to look into the switch debug logs to find out the root cause of delay.

Hey @MAGNUS SVENSSON, I have been meaning to test that in my own lab for some time but just haven't got around to it.  Are you able to have a go and let us know how it worked out for you?

 

 

In the past I did some tests with PEAP optimisations in ISE and analysed the PSN tcpdumps in wireshark - you can see that the number of radius/EAP messages reduces quite a bit. But I have not tried any of the wireless optimisations - you could start with a modern iPhone and enable all the fancy optimisations, and then work your way backwards until you find a config that supports all the devices in your network.  Enabling all the nerd knobs in production is probably a recipe for disaster ;-)

I have a case logged with Cisco.

I will post any result from that.

/Magnus

The Cisco case is not providing any solution to the problem. Is anyone of you able to do the same test? Phone a colleague (using Skype), set the reauth timer locally on the switchport to like one minute ("authentication timer reauthenticate 60"), and report back the result to this community.
Best regards
Magnus