05-02-2025 01:38 PM
I noticed a couple of things in the IBNS 2.0 Template that gave me a little pause. Any help would be much appreciated.
1) I noticed that in Cisco 9300 Version 17.12.04 this command does not work. Are there any recommended commands to use in place of this one? I'm trying to be careful because I'm sure I can find something similar online, I just want to make sure I'm replacing it with the proper command.
! The inactivity timer command below is IOS version dependent
authentication timer inactivity server dynamic
2) I noticed it says to only select one of these commands; are there any recommendations on which command to select?
! Only use ONE subscriber aging setting
subscriber aging inactivity-timer 60 probe
subscriber aging probe
service-policy type control subscriber Dot1x-Default
05-05-2025 08:43 AM
when you use the:
(config-if)# authentication timer inactivity server
If a timeout value is NOT configured, an 802.1X Session stays Authorized indefinitely. No other Host can use the Port, and the connected Host cannot move to another Port on the same SW.
server: specifies that the period of inactivity is defined by the Idle-Timeout value (RADIUS Attribute 28) on ISE.
seconds: specifies the period of inactivity in seconds allowed before an Auth Manager Session is terminated and the Port is unauthorized.
Note: in order to prevent reauthentication of inactive sessions, set the authentication timer inactivity command to an interval shorter than the one set by the authentication timer reauthenticate command.
Hope this helps !!!
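The "server" keyword above hands the inactivity interval to RADIUS attribute 28 (Idle-Timeout), and the Note says that interval must be shorter than the reauthentication interval, which on the RADIUS side is attribute 27 (Session-Timeout). As an added example, not code from the thread or from Cisco, here is a small Python encoder/decoder for those two attributes in the RFC 2865 AVP format (Type, Length, 32-bit Value) plus a check that applies the Note to a decoded Access-Accept. The attribute numbers and wire format are from RFC 2865; the sample attribute list is constructed here, and whether the switch actually acts on Idle-Timeout still depends on the switch-side configuration discussed in this thread.

```python
import struct

# RFC 2865 attribute types for the two timers discussed in the thread.
SESSION_TIMEOUT = 27  # seconds until the session must be reauthenticated
IDLE_TIMEOUT = 28     # seconds of inactivity before the session is torn down
ATTR_NAMES = {SESSION_TIMEOUT: "Session-Timeout", IDLE_TIMEOUT: "Idle-Timeout"}


def encode_integer_avp(attr_type: int, value: int) -> bytes:
    """Encode one RADIUS AVP carrying an integer: Type(1) Length(1) Value(4)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attributes are 32-bit unsigned")
    return struct.pack("!BBI", attr_type, 6, value)


def decode_avps(data: bytes) -> dict:
    """Walk a concatenated AVP list and return {attr_type: raw_value_bytes}.

    A repeated attribute type keeps the last occurrence, which is enough for
    the single-valued timer attributes handled here.
    """
    attrs = {}
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("invalid AVP length")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def integer_value(raw: bytes) -> int:
    """Decode a 4-octet RADIUS integer attribute value."""
    if len(raw) != 4:
        raise ValueError("integer attribute must be exactly 4 octets")
    return struct.unpack("!I", raw)[0]


def check_timers(attrs: dict) -> list:
    """Apply the thread's rule: Idle-Timeout must exist and be shorter than
    Session-Timeout, otherwise reauthentication fires before inactivity can
    clear a stale session. Returns a list of findings (empty means OK)."""
    findings = []
    idle = attrs.get(IDLE_TIMEOUT)
    sess = attrs.get(SESSION_TIMEOUT)
    if idle is None:
        findings.append(
            "no Idle-Timeout: a switch using 'authentication timer inactivity "
            "server' has no interval, so the session stays authorized until reauth")
    elif sess is not None and integer_value(idle) >= integer_value(sess):
        findings.append(
            "Idle-Timeout %d >= Session-Timeout %d: inactivity timer can never "
            "expire before reauthentication" % (integer_value(idle), integer_value(sess)))
    return findings


def build_sample_accept(idle_seconds: int, session_seconds: int) -> bytes:
    """Constructed sample: the timer attributes an Access-Accept would carry."""
    return (encode_integer_avp(SESSION_TIMEOUT, session_seconds)
            + encode_integer_avp(IDLE_TIMEOUT, idle_seconds))


if __name__ == "__main__":
    # Constructed values: the thread's Idle-Timeout=60 with a one-hour reauth.
    accept = build_sample_accept(idle_seconds=60, session_seconds=3600)
    decoded = decode_avps(accept)
    for attr_type, raw in decoded.items():
        print("%s (attr %d) = %d" % (ATTR_NAMES[attr_type], attr_type, integer_value(raw)))
    print("findings:", check_timers(decoded) or "none")
    # Misordered timers trip the check.
    print("findings:", check_timers(decode_avps(build_sample_accept(3600, 60))))
```

Running the script shows Idle-Timeout encoded as the six bytes 1c 06 00 00 00 3c, which is what to look for in a packet capture of the Access-Accept when confirming that the RADIUS server really sends attribute 28 for a given authorization profile.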
05-04-2025 12:36 AM
05-05-2025 06:22 AM
I'm a little confused, the two articles you provided don't directly answer my questions. If they do, can you clarify how they do?
05-05-2025 06:59 AM
sure.
When you said: " 2) ... is there any recommendation which command to select ? ... ", please pay special attention to:
CSCvw32914 related to the command " ... subscriber aging inactivity-timer 60 probe ... "
CSCwa30710 related to the command " ... subscriber aging probe ... "
05-05-2025 07:05 AM
So for the template, do you recommend using "subscriber aging inactivity-timer 60" and not the other two commands? Also, any idea what I would use for "authentication timer inactivity server dynamic" if it isn't working in 17.12.04?
05-05-2025 08:00 AM
I do not have a C9300 to test, and tried to check the info at: Command Reference, Cisco IOS XE Dublin 17.12.x - Security without success.
In other platforms the command is:
(config-if)# authentication timer inactivity {seconds | server}
please take a look at: Cisco IOS Security Command Reference: Commands A to C.
05-05-2025 08:26 AM
Yeah, didn't see anything in there. Unfortunately this is causing funky behaviors without it reauthenticating. For example, I have a phone plugged into a laptop and everything authenticates. I unplug the laptop and plug in a different laptop while the phone is still plugged in. The phone is still authenticated and nothing shows up under live logs. Under endpoints, it still shows the previous laptop is plugged in and online, but the new laptop can't connect because it hasn't authenticated.
05-05-2025 08:30 AM
Hi
If you were previously using "authentication timer inactivity server dynamic", this suggests that you are already sending RADIUS attribute 28 Idle-Timeout from your RADIUS server when authorising clients.
Maybe a better method would be to use an "event" in your ibns 2.0 policy-map to clear inactive sessions:
...
event inactivity-timeout match-all
10 class always do-until-failure
10 clear-session
...
hth
Andy
05-05-2025 08:46 AM
the Event method described by @andrewswanson is a good strategy too.
Please take a look at: ISE Deployment Improvements Tips and Tricks, search for IBNS 2.0: Assign Critical ACL if AAA down.
Hope this helps !!!
05-05-2025 08:51 AM
Under the authorization profile > Advanced Settings > I set Idle-Timeout=60. This seems to work. Is 60 a good value? And doing it this way is there any issues that could arise?
05-05-2025 09:02 AM
you said: " ... I unplug the laptop and plug in a different laptop while the phone is still plugged in ... ".
Have in mind the following:
1st What is the minimum time to solve your need (60 sec, 300 sec, ...) ?
2nd Do you need this configuration on "all Ports" or on "specific Ports" ?
05-05-2025 09:07 AM
Most of the ports on the switch would need this. Essentially I am thinking from the end user perspective. This will happen rarely, but if they bring their laptop and connect it to another desk where a laptop was previously just working, I would like it to connect and work relatively quickly.
05-05-2025 09:27 AM
got it !!!
Use the Operations > Reports > Reports > Endpoints and Users > Authentication Summary and compare Authentication by Day and Quick Link in terms of Before vs After to check if 60 sec for your Deployment is OK or not.
Hope this helps !!!