06-24-2014 12:17 AM - edited 03-10-2019 09:49 PM
Hi,
We are deploying 802.1X in our network and have encountered a problem with a type of payment terminal.
The problem is that the terminal does not 'speak' to the network after the first initial DHCP request; the terminal waits for incoming packets from a counter to start the payment process. After the idle-time the MAC is flushed from the switch and the port is not authorized any more.
To solve this we set 'authentication control-direction in' on the port and use 'ip device tracking' to keep the client on the network, ip device tracking sends an arp request every 30 seconds to clients.
Our ISE is sending Radius:Idle-Timeout = 300 and the timer start to count down when the client is authenticated.
In Wireshark, I can see that the ARP request is going out and the ARP reply coming back in but this does not update the inactivity timer for the client. So after 5 minutes the port is gone, and there is no way to get the port up again from the network. Traffic from the client brings up the network.
This looks like a bug to me, anyone seen this, or a similar behaviour?
Running:
ISE 1.2p6
IOS 12.2(55)SE6
From Trustsec 1.99 Wired 802.1X Deployment Guide:
Tip Enable IP Device Tracking with inactivity timers to keep quiet endpoints connected. When IP Device Tracking is enabled, the switch periodically sends ARP probes to endpoints in the IP Device Tracking table (which is initially populated by DHCP requests or ARP from the end point). As long as the endpoint is connected and responds to these probes, the inactivity timer is not triggered and the endpoint is not inadvertently removed from the network.
From CLI output:
SW03#sh auth sessions int fa0/4
Interface: FastEthernet0/4
MAC Address: xxxx.xxxx.5289
IP Address: 10.10.10.64
User-Name: XX-XX-XX-XX-52-89
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
Session timeout: N/A
Idle timeout: 300s (server), Remaining: 2s
Common Session ID: 0A17BD07000000A925152A7B
Acct Session ID: 0x00000458
Handle: 0x090000A9
Runnable methods list:
Method State
dot1x Failed over
mab Authc Success
SW03#
SW03#
SW03#
SW03#sh auth sessions int fa0/4
Interface: FastEthernet0/4
MAC Address: Unknown
IP Address: Unknown
Status: Running
Domain: UNKNOWN
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A17BD07000000AA251A0019
Acct Session ID: 0x00000462
Handle: 0x800000AA
Runnable methods list:
Method State
dot1x Running
mab Not run
06-24-2014 01:55 AM
Can you share the port-configurations?
06-24-2014 02:38 AM
Here is the port config.
Just to clarify, everything is working except that the terminal is losing the authentication. The terminal works again if traffic is initiated from the terminal's menu, like with ping.
interface FastEthernet0/4
description Standard
switchport access vlan xxx
switchport mode access
switchport block unicast
switchport voice vlan xxx
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 5
switchport port-security violation restrict
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xxx
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 5
storm-control broadcast level pps 100
storm-control multicast level pps 100
storm-control action trap
spanning-tree portfast
service-policy input users
06-24-2014 10:04 AM
Hmm everything looks good. Can you also post a screen shot of the authorization result ?
10-01-2015 06:58 PM
Possibly not related - but I don't think you should mix 802.1X with port-security. I would remove the port-security lines completely
06-25-2014 03:32 PM
switchport port-security aging time 5
Basically your port security is clashing with dot1x. I had this exact problem a while ago and removing the above command will fix it. Ultimately though you should review the need for port security configurations when using dot1x - kind of achieves the same purpose.
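As an added example (not from this thread or from Cisco), a small lint that parses IOS interface stanzas and flags the combination the answer above points at: port-security, and port-security MAC aging in particular, configured on a port that also runs 802.1X/MAB. The sample config is constructed from the stanza posted earlier, with a cleaned-up copy beside it.

```python
"""Added example (not from the thread): flag IOS interfaces that mix
switchport port-security (especially MAC aging) with 802.1X/MAB."""

# Constructed sample: Fa0/4 mirrors the posted stanza, Fa0/5 is the same
# port with the port-security lines removed.
SAMPLE_CONFIG = """\
interface FastEthernet0/4
 switchport port-security
 switchport port-security aging time 5
 authentication control-direction in
 authentication port-control auto
 authentication timer inactivity server
 mab
 dot1x pae authenticator
!
interface FastEthernet0/5
 authentication control-direction in
 authentication port-control auto
 authentication timer inactivity server
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    """Map interface name -> list of its config lines ('!' ends a stanza)."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def lint_interface(lines):
    """Return finding strings for one stanza; empty list means clean."""
    lines = set(lines)
    findings = []
    if "authentication port-control auto" not in lines:
        return findings  # not an 802.1X/MAB port, nothing to check
    if "switchport port-security" in lines:
        findings.append("port-security enabled on an 802.1X/MAB port; remove it")
    aging = [l for l in lines if l.startswith("switchport port-security aging time")]
    if aging:
        findings.append(f"'{aging[0]}' can age out the MAC of a quiet endpoint")
    return findings

def lint_config(config):
    """Lint every interface; returns {name: [findings]}."""
    return {n: lint_interface(ls) for n, ls in parse_interfaces(config).items()}
```

Feed it the output of `show running-config` to list every access port where the two features overlap.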
10-14-2023 05:14 PM
I see you are using IBNS 1.0.
I am using IBNS 2.0 and I prioritize MAB over 802.1X, and that fixed my problem with sleepy printers.