09-27-2021 03:18 AM
Good day everybody,
We use 802.1x in conjunction with the ISE.
Switch Port -> Avaya Telephone -> Notebook
Now we have a few problems with clients losing their connection. (802.1x reauthentication, maybe?)
Furthermore there are problems when clients switch quickly from port to port.
We have set a low idle timeout so that employees can authenticate themselves "quickly" on another port.
Without the idle timeout, the session remains active on the "old" switch port and authentication on other ports no longer works.
Some thoughts:
In order to avoid packet loss during reauthentication, the sessions remain active for a correspondingly long time (Session-Timeout = 36000).
Maybe "authentication periodic" is causing problems, as we use ISE to set a timeout?
If I missed something or you need further information, just let me know.
Thanks!
Our configuration looks like this:
Switch Port:
interface GigabitEthernet121/4/0/44
description VOIP/PC
switchport
switchport trunk allowed vlan 1
switchport mode access
switchport nonegotiate
switchport voice vlan 310
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
no cdp enable
spanning-tree portfast edge
spanning-tree bpduguard enable
ISE:
Access Type = ACCESS_ACCEPT
Tunnel-Private-Group-ID = 1:1
Tunnel-Type = 1:13
Tunnel-Medium-Type = 1:6
Session-Timeout = 36000
Termination-Action = RADIUS-Request
Idle-Timeout = 30
09-27-2021 05:59 AM
Furthermore there are problems when clients switch quickly from port to port.
-Have you attempted to implement (global config) and test the following:
#authentication mac-move permit
In legacy config this allows clients that are authenticated on one port to disconnect, reconnect on another port, and be authenticated automatically.
09-27-2021 07:16 AM - edited 09-27-2021 07:17 AM
Besides what Mike already suggested also make sure that pass-through with proxy logoff is enabled on your Avaya phone. You do that by configuring DOT1X=1 in the phone config file (or directly on the phone via the menu). Do not use DOT1X=0 or 2 on the phone as these options do not activate the EAPoL proxy-logoff function.
Best regards
09-28-2021 05:48 AM
Thank you in advance for your answers.
Pass-through with proxy logoff is already "enabled".
Tomorrow I will implement the "authentication mac-move permit" proposal and check whether this helps.
Are there any suggestions for improvement in the current configuration?
Should I remove "authentication periodic" from the port configuration, since I give a session timeout via RADIUS (ISE)?
Best regards
09-29-2021 12:00 AM - edited 09-29-2021 12:00 AM
Hi,
In my understanding, authentication periodic is just like a master directive that is optionally configured to use the timers the server is sending (for reauth and idle). If you don't configure the reauth and idle timers to be applied from what the server is sending, then the default or locally set timers will be used.
Long story short: you said that you're sending the idle timeout from ISE, but on the switchport config I don't see that configured:
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
BR,
Octavian
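To make the two points raised in this thread checkable, here is an added example (not from any of the posters or from Cisco) that parses an IOS port configuration and compares it with the RADIUS attributes ISE returns: a server-sent Idle-Timeout is only honoured when the port has "authentication timer inactivity server", and quick port-to-port moves need the global "authentication mac-move permit". The sample config and attributes are constructed from what was posted above; the global "authentication mac-move deny" line is an assumption.

```python
import re

# Constructed sample: the posted interface block plus an assumed global line.
SWITCH_CONFIG = """\
authentication mac-move deny
interface GigabitEthernet121/4/0/44
 description VOIP/PC
 switchport mode access
 switchport voice vlan 310
 authentication host-mode multi-auth
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
"""

# Constructed sample of the ISE authorization profile attributes from the thread.
ISE_ATTRIBUTES = {"Session-Timeout": 36000, "Idle-Timeout": 30,
                  "Termination-Action": "RADIUS-Request"}


def parse_config(text):
    """Split an IOS running-config into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = re.match(r"interface (\S+)", line)
        if match and not raw.startswith(" "):
            current = match.group(1)          # new interface block starts
            interfaces[current] = []
        elif raw.startswith(" ") and current:
            interfaces[current].append(line)  # indented line belongs to the block
        else:
            current = None                    # back at global configuration level
            global_lines.append(line)
    return global_lines, interfaces


def audit_port(iface_lines, global_lines, radius):
    """Return findings for one port; an empty list means timers and mac-move line up."""
    def has(prefix):
        return any(l.startswith(prefix) for l in iface_lines)
    findings = []
    if "Session-Timeout" in radius and not has("authentication periodic"):
        findings.append("Session-Timeout sent but 'authentication periodic' missing; no reauth")
    if "Session-Timeout" in radius and not has("authentication timer reauthenticate server"):
        findings.append("Session-Timeout sent but reauth timer is local, not 'server'")
    if "Idle-Timeout" in radius and not has("authentication timer inactivity server"):
        findings.append("Idle-Timeout sent but 'authentication timer inactivity server' missing")
    if "authentication mac-move permit" not in global_lines:
        findings.append("global 'authentication mac-move permit' missing; port-to-port moves fail")
    return findings
```

Run against the sample, the audit reports exactly the two gaps discussed in the thread (no inactivity-server timer, no mac-move permit); adding those two lines clears it.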
10-03-2021 10:40 AM
Thank you very much.
Especially the authentication mac-move helped a lot.
The only problem that still occurs is that the MAC addresses behind our telephones stay active even if disconnected.
Cheers