07-20-2020 09:40 PM - edited 07-20-2020 09:46 PM
I have ISE 2.4.0.357 serving RADIUS to some Cat4k 4510R-E (running 03.06.05E) switches for wired NAC using dot1x with EAP-TLS. The back-end identity store is MS AD, with MS CA server-issued certificates distributed via GPO. That all works nicely enough for 'machine' login to wired ports. There are Avaya deskphones in the mix here; they are configured to send Proxy EAP-LogOff messages.
While working on resolving some intermittent faults, I have noticed that, despite the use of the proxy log off messages, the network switches seem to retain dead/ghost sessions for far too long. Below is an example of just that:
Interface: GigabitEthernet1/6
MAC Address: REDACTED
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: REDACTED
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 60s (local), Remaining: 17s
Session Uptime: 73s
Common Session ID: REDACTED
Acct Session ID: REDACTED
Handle: REDACTED
Current Policy: POLICY_Gi1/6
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Method status list:
Method State
dot1x Stopped
mab Stopped
The MAC address in question is not active on that port, yet the switch persists in trying to send EAP Identity Requests. The actual endpoint is not connected, and I suspect no EAP LogOff message was sent. What is the timeout/expiration of such dead sessions? Can this be tweaked? This session in particular has been failing over and over again for the past ~6 hours. The endpoint was moved more than a day ago, yet the switch still thinks that MAC is there, despite not having seen any frames from that MAC address.
To be clear, this is for Unauthorized status sessions, meaning sending some RADIUS attribute makes no sense (to me) since the login fails as the MAC address in question is not in any MAB list.
07-21-2020 06:59 AM
Does the mac address show up in the mac address table? What is your mac address table aging time? Do a "show mac-address-table aging-time" to see the aging time. Then you can do a "show mac-address-table | inc xxxx" to see how old the entry is for this particular mac address.
07-21-2020 04:54 PM
The MAC addresses in question do not show up in the output of "show mac address-table". The output of "show mac address-table aging-time" shows 300 for all (I think this is the default?).
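The correlation the thread is doing by hand (an Unauthorized session whose methods have all Stopped, for a MAC that is absent from the MAC address table) can be scripted. The following is an added example, not code from the original thread or from Cisco: it parses pasted "show authentication sessions interface ... details" output in the layout shown above together with "show mac address-table" output and flags the ghost sessions. The two sample outputs, the interface Gi1/7 and every MAC address in them are constructed placeholders (the original post redacted its MACs).

```python
"""Flag stale (ghost) 802.1X sessions on a Cisco IOS switch by correlating
'show authentication sessions interface <if> details' output with the
MAC address table.  Added example; not part of the original thread.
Sample outputs and MAC addresses below are constructed placeholders."""
import re

# Constructed sample: two session blocks in the format shown in the thread.
SESSIONS_OUTPUT = """\
Interface: GigabitEthernet1/6
MAC Address: 0011.2233.4455
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: host/ws01
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 60s (local), Remaining: 17s
Session Uptime: 73s
Method status list:
Method State
dot1x Stopped
mab Stopped

Interface: GigabitEthernet1/7
MAC Address: 0011.2233.6677
IPv4 Address: 10.0.0.25
User-Name: host/ws02
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Session Uptime: 3600s
Method status list:
Method State
dot1x Authc Success
"""

# Constructed sample of 'show mac address-table dynamic'.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.6677    DYNAMIC     Gi1/7
  10    aabb.ccdd.eeff    DYNAMIC     Gi1/8
"""

# Cisco dotted-hex MAC notation, e.g. 0011.2233.4455
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)


def parse_sessions(text):
    """Split the details output into one dict per session.
    'Key: value' lines become fields (only the first colon splits, so
    'Restart timeout: 60s (local), Remaining: 17s' keeps its full value);
    rows under 'Method status list:' become a 'methods' dict (method -> state)."""
    sessions = []
    current = None
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the method table
            in_methods = False
            continue
        if line.startswith("Interface:"):
            current = {"methods": {}}
            sessions.append(current)
            in_methods = False
        if current is None:
            continue
        if line == "Method status list:":
            in_methods = True
            continue
        if in_methods:
            if line == "Method State":    # column header row
                continue
            method, _, state = line.partition(" ")
            current["methods"][method] = state
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return sessions


def parse_mac_table(text):
    """Return the set of MAC addresses (lower-case) present in the MAC table output."""
    return {m.group(1).lower()
            for line in text.splitlines()
            for m in [MAC_RE.search(line)] if m}


def stale_sessions(sessions, macs_seen):
    """A session is reported as stale when it is Unauthorized, every listed
    method is Stopped, and its MAC is not in the MAC address table, i.e. the
    switch is retrying authentication for a host it no longer sees."""
    stale = []
    for s in sessions:
        mac = s.get("MAC Address", "").lower()
        methods = s["methods"]
        if (s.get("Status") == "Unauthorized"
                and methods and all(st == "Stopped" for st in methods.values())
                and mac not in macs_seen):
            stale.append((s.get("Interface"), mac, s.get("Session Uptime")))
    return stale


if __name__ == "__main__":
    seen = parse_mac_table(MAC_TABLE_OUTPUT)
    for iface, mac, uptime in stale_sessions(parse_sessions(SESSIONS_OUTPUT), seen):
        print(f"ghost session on {iface}: {mac} (uptime {uptime}, MAC not in table)")
```

Feed it the real "show authentication sessions interface <if> details" and "show mac address-table" output captured from the switch; each flagged (interface, MAC) pair is a candidate for "clear authentication sessions mac <mac>" (or "... interface <if>") once you have confirmed the endpoint is really gone.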