Expiry of unauthorised NAC/dot1x sessions

luke_r_godwin
Level 1

I have ISE 2.4.0.357 serving RADIUS to some Cat4k 4510R-E (running 03.06.05E) switches for wired NAC using dot1x with EAP-TLS. The back end identity store is MS AD, with MS CA server issued certificates, distributed via GPO. That all works nicely enough for 'machine' login to wired ports. There are Avaya deskphones in the mix here; they are configured to send Proxy EAP-LogOff messages.

While working on resolving some intermittent faults, I have noticed that, despite the use of the proxy log off messages, the network switches seem to retain dead/ghost sessions for far too long. Below is an example of just that:

Interface: GigabitEthernet1/6
MAC Address: REDACTED
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: REDACTED
Status: Unauthorized
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Restart timeout: 60s (local), Remaining: 17s
Session Uptime: 73s
Common Session ID: REDACTED
Acct Session ID: REDACTED
Handle: REDACTED
Current Policy: POLICY_Gi1/6

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure

Method status list:
Method State

dot1x Stopped
mab Stopped

The MAC address in question is not active on that port, yet the switch persists in trying to send EAP Identity Requests. The actual endpoint is not connected, and I suspect no EAP LogOff message was sent. What is the timeout/expiration of such dead sessions? Can this be tweaked? This session in particular has been failing over and over again for the past ~6 hours. The endpoint was moved more than a day ago, yet the switch still thinks that MAC is there, despite not having seen any frames from that MAC address.

To be clear, this is for Unauthorized status sessions, meaning sending some RADIUS attribute makes no sense (to me) since the login fails as the MAC address in question is not in any MAB list.
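An added example, not from the post or from Cisco: a small Python parser for output in the shape quoted above that flags sessions with the ghost profile described here (Status Unauthorized, every method Stopped, uptime past a threshold). The sample output and MAC addresses are constructed, and the 60-second threshold is an assumption.

```python
import re

# Constructed sample shaped like the session output quoted above, plus one healthy session.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/6
MAC Address: 0000.0000.0001
Status: Unauthorized
Restart timeout: 60s (local), Remaining: 17s
Session Uptime: 73s
Method status list:
Method State
dot1x Stopped
mab Stopped

Interface: GigabitEthernet1/7
MAC Address: 0000.0000.0002
Status: Authorized
Session Uptime: 1d 2h 3m 4s
dot1x Authc Success
mab Stopped
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9 /-]+):\s*(.*)$")  # "Key: value" lines
METHOD_RE = re.compile(r"^(dot1x|mab)\s+(\S.*)$")        # "dot1x Stopped" rows
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_sessions(text):
    """One dict per session keyed by field name, with a 'methods' sub-dict."""
    sessions = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Interface:"):
            sessions.append({"methods": {}})
        if not sessions:
            continue
        if m := METHOD_RE.match(line):
            sessions[-1]["methods"][m.group(1)] = m.group(2)
        elif m := FIELD_RE.match(line):
            sessions[-1][m.group(1)] = m.group(2)
    return sessions

def uptime_seconds(value):
    """Turn an IOS-style uptime such as '73s' or '1d 2h 3m 4s' into seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", value))

def stale_unauthorized(sessions, min_uptime=60):
    """(interface, MAC) of ghost-shaped sessions: Unauthorized, all methods Stopped, old enough."""
    return [(s["Interface"], s["MAC Address"]) for s in sessions
            if s.get("Status") == "Unauthorized"
            and all(st == "Stopped" for st in s["methods"].values())
            and uptime_seconds(s.get("Session Uptime", "0s")) >= min_uptime]
```

Run over the details output collected from every port, the flagged list is what to cross-check against the MAC address table.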

2 Replies

Colby LeMaire
VIP Alumni

Does the mac address show up in the mac address table? What is your mac address table aging time? Do a "show mac-address-table aging-time" to see the aging time. Then you can do a "show mac-address-table | inc xxxx" to see how old the entry is for this particular mac address.

The MAC addresses in question do not show up in the output of "show mac address-table". The output of "show mac address-table aging-time" shows 300 for all (I think this is the default?).