05-10-2017 07:46 AM
Is the authentication timer inactivity server command used to download the below attribute?
I tested this but wanted to confirm as well.
We have a scenario where non-dot1x endpoints connected behind IP Phones do not get their sessions cleared when the endpoints are disconnected. I am looking at the above option to clear the session after a certain time.
Solved! Go to Solution.
05-10-2017 11:21 AM
Correct. This is a valid option.
05-11-2017 07:14 AM
Utkarsh,
That option should work, but you should be investigating why the phones are doing EAP proxy logoff correctly. Most likely the phone has a setting to do proxy logoff, but is not currently configured to do it. I have run into this many times with Avaya phones and worked with the customer to get the option enabled on the phones.
05-11-2017 07:20 AM
Hi Paul,
EAP Proxy Logoff is working fine as expected for endpoints connected via dot1x behind the IP Phone.
The issue is with headless devices like printers if connected behind IP Phone or a machine authenticating via MAB.
In this case the session on switch is a MAB session.
I think the IP Phone will not send a Proxy EAPoL for a MAB session.
05-11-2017 07:44 AM
Ahh yes. I missed the non-802.1X part. I am so used to running into this issue with EAP proxy logoff.
I haven’t tested phone settings to see if you can make it release a MAB session on the switch. I have used inactivity timers in the past. Make sure you have “authentication timer inactivity server” set on the switch interfaces to allow ISE to set this value.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
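An added example, not the thread's own configuration and not taken from Cisco documentation, of what the switch-side setting Paul mentions looks like next to a port that uses a static timer. It assumes the IOS 15.x authentication-manager CLI (not IBNS 2.0 policy maps), a multi-domain port with the phone in the voice domain and a MAB-authenticated printer in the data domain, and that ISE returns the timeout as the RADIUS Idle-Timeout attribute (IETF attribute 28) in the authorization profile. The interface name, VLAN numbers and timer values are assumptions chosen for illustration.

```ios
! Added example (not from the thread). Interface, VLANs and timer values
! are assumptions for illustration only.

! --- Port A: static inactivity timer; whatever ISE sends is ignored ---
interface GigabitEthernet1/0/10
 description Phone + printer behind it (printer is MAB in the data domain)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Fixed 3600 s for every session on this port, phone and printer alike
 authentication timer inactivity 3600
 mab
 dot1x pae authenticator
 spanning-tree portfast

! --- Port B: ISE sets the inactivity timer per session ---
interface GigabitEthernet1/0/11
 description Phone + printer behind it (printer is MAB in the data domain)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! "server": use the Idle-Timeout value ISE returns in the Access-Accept
 ! (assumed here to be 600 s in the printer's authorization profile)
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

On the ISE side the matching piece is the authorization profile that the MAB policy returns for the printer: under Advanced Attributes Settings add Radius:Idle-Timeout with the value in seconds (600 in this example). After the printer is unplugged, the switch removes its session once that many seconds pass with no traffic from its MAC, and the next frame from a new device on the data domain triggers MAB again. Pick the value with the quietest device in mind: a printer that sleeps for longer than the timeout will be aged out and re-authenticated on wake, which is harmless but shows up as extra MAB requests in ISE Live Logs. Verify what the switch actually received with "show authentication sessions interface GigabitEthernet1/0/11 details" for the data-domain session.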
05-11-2017 08:36 AM
The preferred option is 2nd Port disconnect which will proactively notify switch when connected device disconnects: IP Telephony for 802.1X Design Guide - Cisco
Craig
05-11-2017 08:49 AM
Craig,
It's a non-Cisco IP Phone using LLDP.
Do you think LLDP might have any port-disconnect mechanism that a Cisco switch would understand?
05-11-2017 09:11 AM
CDP Enhancement for 2nd Port Disconnect is a specific Cisco Phone feature.
05-11-2017 11:25 AM
EAP Proxy Logoff is specific to 802.1X and again, is a Cisco IP Phone feature. 2nd Port Disconnect works with any auth options from connected device to Cisco Phone.