
Reauthentication ISE is not working

SupportAC
Level 1

Hi,

We have realized that authenticated users remain indefinitely authenticated. There is no type of timeout that closes the session. We have configured the reauthentication for 30 minutes, but the users remain permanently authenticated.
Why is the timeout not working?

Here you can see the reauthentication timer is configured to 30 minutes.

[Screenshots from the original post: CETE1.jpg, CETE2.jpg]

But we see idle timeout N/A (not 30), and users are always authenticated.

6 Replies

Hi,

Do you have these interface-level commands configured?

 authentication periodic
 authentication timer reauthenticate server

The last command will instruct the switch to use the timer sent from the RADIUS server, which you are already doing.

 

HTH

We have the ports configured like that:

 authentication event fail action next-method
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server

But the reauthentication is not working.

Please post your AAA and RADIUS configuration.

This is the AAA config and switch ports:

aaa authentication login default group radius local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec default group radius local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
aaa accounting system default start-stop group radius
no aaa accounting system guarantee-first
!
aaa server radius dynamic-author
 client 10.70.11.13 server-key 7 xxxxxxx

*****

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
radius server RADIUS
 address ipv4 10.70.11.13 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxx
!
radius server RADIUS_BCK
 address ipv4 10.70.13.13 auth-port 1812 acct-port 1813
 key 7 xxxxxxxxxxxxxx
!
interface GigabitEthernet1/0/6
 switchport access vlan 60
 switchport mode access
 switchport nonegotiate
 switchport block unicast
 switchport port-security maximum 4
 switchport port-security maximum 2 vlan access
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport port-security
 authentication control-direction in
 authentication event fail action next-method
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-req 10
 no cdp enable
 spanning-tree bpduguard enable

Hi,

Don't use port security with dot1x; they won't play well together.

-Aravind
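The two replies above amount to a per-port checklist: a NAC port needs `authentication periodic` (without it the switch never reauthenticates, whatever ISE sends), it needs a reauthentication timer source (`authentication timer reauthenticate server`, which takes the interval from the RADIUS Session-Timeout attribute in the Access-Accept, or a local value in seconds), and it should not carry `switchport port-security` alongside 802.1X/MAB. The script below is an added example, not code from the original thread or from Cisco, that runs those checks over a running-config. `SAMPLE_CONFIG` is constructed for the example: its first stanza mirrors the port posted above, the other interface names, VLANs and values are illustrative. On a real switch, feed it the output of `show running-config` and confirm the learned timer with `show authentication sessions interface <port> details`; the idle timeout shown there is a different RADIUS attribute (Idle-Timeout) from the reauthentication interval (Session-Timeout), so "N/A" for idle timeout does not by itself mean reauthentication is off.

```python
"""Audit a Cisco IOS running-config for 802.1X/MAB ports whose periodic
reauthentication cannot work as intended. Hypothetical example code, not
Cisco or ISE code; the checks follow the advice given in this thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: first stanza mirrors the port posted in the thread,
# the remaining interfaces are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/6
 switchport access vlan 60
 switchport mode access
 switchport port-security maximum 4
 switchport port-security
 authentication host-mode multi-host
 authentication order dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/7
 switchport access vlan 60
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication port-control auto
 authentication timer reauthenticate 1800
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/8
 switchport access vlan 60
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/24
 description uplink, no NAC
 switchport mode trunk
!
"""


@dataclass
class PortFindings:
    name: str
    findings: list = field(default_factory=list)


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stanza lines]} from a running-config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any non-indented line ends the stanza
    return interfaces


def audit_port(name: str, lines: list) -> PortFindings:
    port = PortFindings(name)
    cmds = set(lines)
    if "authentication port-control auto" not in cmds:
        return port  # not a NAC port, nothing to check
    # 1. Without 'authentication periodic' the port never reauthenticates.
    if "authentication periodic" not in cmds:
        port.findings.append("missing 'authentication periodic'")
    # 2. A timer source is required: 'server' (RADIUS Session-Timeout) or seconds.
    timers = [l for l in lines if l.startswith("authentication timer reauthenticate")]
    if not timers:
        port.findings.append("no 'authentication timer reauthenticate' (server or seconds)")
    elif not re.fullmatch(r"authentication timer reauthenticate (server|\d+)", timers[0]):
        port.findings.append(f"unparsable reauth timer: {timers[0]!r}")
    # 3. Port security on the same port as 802.1X/MAB, advised against above.
    if "switchport port-security" in cmds:
        port.findings.append("port-security combined with 802.1X/MAB")
    return port


def audit_config(config: str) -> dict:
    """Return {interface: [findings]} for every NAC port with at least one finding."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        port = audit_port(name, lines)
        if port.findings:
            report[name] = port.findings
    return report


if __name__ == "__main__":
    for iface, issues in audit_config(SAMPLE_CONFIG).items():
        print(iface)
        for issue in issues:
            print("  -", issue)
```

Run against the sample, Gi1/0/6 is flagged only for port security, Gi1/0/7 for the missing `authentication periodic`, and Gi1/0/8 and the trunk uplink produce no findings. Interfaces without `authentication port-control auto` are skipped on purpose so that uplinks and non-NAC ports do not create noise.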
