ISE + MAB Reauthentication

MikeMoss
Level 1

ISE 3.2 Patch 2.

Catalyst 9200 Series + current firmware

The issue I am having is that all Dot1x + MAB devices are working and authenticating fine, except printers.

Workstations (Windows 11 laptops) using dot1x are good.

MAB devices like Meraki cameras, IoT devices, and others are good.

Our large printers: we have 15 total, and only 3 are on ISE right now. They authenticate fine, but then 1-2 hours later they reauthenticate again. I don't want this behavior. I want them to authenticate once every 8 hours (28800 seconds). I have the interface's "authentication timer reauthenticate server" set and the ISE policy has 28800 configured. I can verify this with "sh auth session int <port> detail": I can see 28800 (server) and the timer counting down. But it's attempting to reauthenticate much, much sooner. In a 24 hour period, I get 40-50 reauthentication attempts. If I have 28800 seconds configured, I should only get a max of 3 (24 / 8).

So what am I doing wrong here? What piece do I need to adjust? I have a TAC case open, but they haven't been able to figure it out yet. Below is the relevant config info.


Thank you all!

#sh derived-config int g2/0/6
Building configuration...

Derived configuration : 728 bytes
!
interface GigabitEthernet2/0/6
 description 4-Printer1
 subscriber aging inactivity-timer 60 probe
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 41
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session closed
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 storm-control broadcast level pps 100 80
 storm-control action trap
 no macro auto processing
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_POLICY
 ip dhcp snooping limit rate 20
end

policy-map type control subscriber CONCURRENT_DOT1X_MAB_POLICY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  5 class DOT1X_FAILED do-until-failure
   10 terminate dot1x
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 clear-authenticated-data-hosts-on-port
   20 activate service-template CRITICAL_DATA_ACCESS
   30 activate service-template CRITICAL_VOICE_ACCESS
   40 authorize
   50 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class DOT1X_NO_RESP do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  40 class DOT1X_TIMEOUT do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
  50 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 60
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event authorization-failure match-all
  10 class AUTHC_SUCCESS-AUTHZ_FAIL do-until-failure
   10 authentication-restart 60

template WIRED_DOT1X_CLOSED
 dot1x pae authenticator
 subscriber aging inactivity-timer 60 probe
 mab
 access-session control-direction in
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber CONCURRENT_DOT1X_MAB_POLICY

1 Accepted Solution

RADIUS Idle-Timeout attribute (Attribute 28) <<- configure this and make it longer than the re-authc timer.
NOTE: please do this on one port; if it succeeds, then apply it to the other ports.
thanks
MHM


6 Replies

MikeMoss
Level 1

I added screenshots, but they didn't go through. Re-attaching here...

RADIUS Idle-Timeout attribute (Attribute 28) <<- configure this and make it longer than the re-authc timer.
NOTE: please do this on one port; if it succeeds, then apply it to the other ports.
thanks
MHM

Hmmm. Interesting. Ok, will give this a shot right now!

With this set, would you expect the devices to respect the reauth timer of 28800 seconds? If it's set to 8 hours, what should the idle timer be set to? 9 hours? 12?

I think for an initial test (so I don't have to wait that long to confirm it's working), I can set the reauth timer to 60 seconds and the idle to 90, and just make sure it's actually reauth'ing every 60 seconds. Then I can increase it to what I actually want it to be.

Thank you for your reply!

I set the reauth timer to 60s and the idle to 90s. It did exactly as it should. I just increased it to 300s and 900s. If that works as well, then I'll put it to the full 8 hours and check back later. If that works, then I appreciate your help so much and will mark your reply as the answer. TY!

You are so, so welcome.
Hope it works.
Have a nice weekend.
MHM

So far it's working!

Just a quick note for anyone else that runs into this. I put my reauth timer back to 28800s (8 hours) and chose an idle timer of 72000, just something arbitrary to test that was larger than the reauth. When I did this in ISE, it took the setting correctly, then bounced the interface. When I did that I noticed it was not applying any Server Policies. That section, when running the command "sh auth sess int <port>", was empty. I looked at the description on the interface for "reauth timer inactivity", and it said 1-65535. So just keep in mind that ISE will accept the value, but the switch won't apply it to the interface due to exceeding 65535.

I've now set my reauth to 28800 and idle to 36000 and Server Policies are applied. Now we wait...
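The two constraints this thread settles on (the RADIUS Idle-Timeout must be longer than the Session-Timeout, and the switch silently ignores an Idle-Timeout above 65535) are easy to get wrong in an ISE authorization profile. The following is an added example, not code from the thread or from Cisco: it parses an abbreviated, constructed "show access-session interface ... details" output and reports why a session may be reauthenticating early. The field names in SAMPLE_SESSION are an approximation of the real output and are assumptions.

```python
import re

# Limit quoted in the thread: the port's inactivity timer accepts 1-65535 seconds.
MAX_IDLE_TIMEOUT = 65535

# Constructed, abbreviated session output (not a real capture). Only the two
# fields the checks below read need to match the real command's wording.
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet2/0/6
          MAC Address:  aaaa.bbbb.cccc
               Status:  Authorized
      Session timeout:  28800s (server), Remaining: 27410s
       Timeout action:  Reauthenticate
       Current Policy:  CONCURRENT_DOT1X_MAB_POLICY

Server Policies:
   Inactivity Timeout:  36000 sec
"""


def parse_timers(text):
    """Return (session_timeout, idle_timeout) in seconds; None when absent."""
    m = re.search(r"Session timeout:\s+(\d+)s", text)
    session = int(m.group(1)) if m else None
    idle = None
    # Only trust what the switch actually applied, i.e. the Server Policies block;
    # the thread shows ISE accepting a value the switch then left out of it.
    parts = text.split("Server Policies:", 1)
    if len(parts) == 2:
        m = re.search(r"Inactivity Timeout:\s+(\d+)", parts[1])
        idle = int(m.group(1)) if m else None
    return session, idle


def check_timers(session_timeout, idle_timeout):
    """Return findings that explain premature reauthentication; [] means OK."""
    findings = []
    if session_timeout is None:
        findings.append("no Session-Timeout from server; local reauth timer applies")
    if idle_timeout is None:
        # With no server Idle-Timeout the port's local inactivity timer
        # (60 s in the thread's config) clears the session via event inactivity-timeout.
        findings.append("no Idle-Timeout applied; port inactivity-timer will clear the session")
    elif idle_timeout > MAX_IDLE_TIMEOUT:
        findings.append(f"Idle-Timeout {idle_timeout} exceeds {MAX_IDLE_TIMEOUT}; switch will not apply it")
    elif session_timeout is not None and idle_timeout <= session_timeout:
        findings.append("Idle-Timeout must be longer than Session-Timeout")
    return findings
```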