
TLS Stateless Session Resume with multiple PSNs

rezaalikhani
Level 4

Hi all;

Based on Cisco's official documentation, the Stateless Session Resume option allows the resumption operation even when reauthentication happens on a different PSN (it allows Session Resume across all PSNs).

Now my question is: for this functionality to work, must all the PSNs belong to the same Node Group, or is another technique used?

Thanks


The admin guide makes no mention of Stateless Session Resume in the Node Group section: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_deployment.html#ID513

Only URL redirect failover and replication optimizations are mentioned:

"This design optimizes the replication of endpoint profiling data by retaining less significant attributes that are local to the group and reducing the information that is replicated to the remote nodes in the network. Node group members also check on the availability of peer group members. If the group detects that a member has failed, it attempts to reset and recover all URL-redirected sessions on the failed node.

The node groups are used for the PSN failover in the sessions on which URL redirect (posture services, guest services, and MDM) is imposed."

This was not the question, but I'll put this here for discussion:

I don't see any benefit in Stateless Session Resume for EAP. At least not as an alternative to Fast Transition in wireless. The second and following authentications might be faster than the initial one by omitting the backend lookup. But having a RADIUS request from the authenticator at all adds enough latency to limit this functionality.

@rezaalikhani - I concur with @ahollifield's analysis - it sometimes feels to me like Node Groups are some kind of legacy feature that we just enable, but the feature's name doesn't always imply that it brings benefits to endpoints that use the group member PSNs. I am tempted to see if this can be tested easily in a lab with two ISE nodes and wpa_supplicant (on Linux) - with wpa_supplicant you can send any EAP method to any PSN of your choosing by CLI commands - in theory it should simulate a wireless 802.11 client making EAP requests to a RADIUS server.

 

@Karsten Iwen - I agree - I think all of these EAP enhancements are focused on the wireless endpoint use case, where the frequency of authentications is typically higher than for wired endpoints. Intentional or unintentional roaming causes EAP auths - but with Fast Transition the EAP auths are reduced - but Fast Transition is not always enabled on all WLANs (as good a feature as it is, some endpoints might still have issues with it) - then Session Resume and Stateless Session Resume can come to the rescue.

rezaalikhani
Level 4

Hi all;

Although the information provided is valuable, I did not get the answer to my question...

Hi @rezaalikhani - I'll have a play in my lab today to see if there is any way in ISE to influence/activate Stateless Session Resume. I doubt it will be related to Node Groups. But it might be related to the LDD feature:

[screenshot attached: ArneBier_0-1704151805749.png]

 

hslai
Cisco Employee

... for the Stateless Session Resume option, it allows the resumption operation even when reauthentication happens to a different PSN (allows Session Resume across All PSNs). ... for this functionality to work, all the PSNs must belong to the same Node Group or another technique is used for this functionality to work?

...


@rezaalikhani As the others already said, this feature does not use the node group in ISE. Because it is stateless, there is nothing to store and replicate on any ISE node.

The previous discussion thread EAP session resume has some more info. F5 DevCentral article TLS Stateful vs Stateless Session Resumption has some good comparison.
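To make the accepted answer concrete, here is an added example (my own Go code, not anything from Cisco, ISE or the posters above) of why a stateless resume needs nothing stored or replicated between nodes. Three independent TLS servers stand in for three PSNs: two of them are configured with the same session-ticket key, the third with its own, and one client (the supplicant) authenticates against them in turn. It models the resumption with TLS 1.2 session tickets (RFC 5077), the mechanism the linked F5 article calls stateless resumption, using Go's standard crypto/tls; the server name "ise-psn", the labels PSN-A/B/C, the throwaway self-signed certificate and the in-memory pipe are assumptions for the demo, and how ISE itself distributes its ticket key between PSNs is not something this thread states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverCert builds a throwaway self-signed certificate for the hypothetical
// name "ise-psn". Every simulated PSN presents it, so they differ only in ticket key.
func serverCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ise-psn"},
		DNSNames:              []string{"ise-psn"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// psn is one simulated Policy Service Node: an independent TLS server with no
// shared session cache. The only thing it can share with a peer is the ticket key.
func psn(cert tls.Certificate, ticketKey [32]byte) *tls.Config {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MaxVersion:   tls.VersionTLS12, // RFC 5077 tickets, issued inside the handshake itself
	}
	cfg.SetSessionTicketKeys([][32]byte{ticketKey})
	return cfg
}

// authenticate runs one handshake over an in-memory pipe and reports whether the
// server accepted the supplicant's ticket (DidResume) or had to run a full handshake.
func authenticate(supplicant, server *tls.Config) (bool, error) {
	cConn, sConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() {
		err := tls.Server(sConn, server).Handshake()
		sConn.Close() // raw close: a TLS close_notify would block on the synchronous pipe
		srvErr <- err
	}()
	c := tls.Client(cConn, supplicant)
	defer cConn.Close()
	if err := c.Handshake(); err != nil {
		return false, err
	}
	if err := <-srvErr; err != nil {
		return false, err
	}
	return c.ConnectionState().DidResume, nil
}

// Scenario walks one supplicant through four authentications and returns DidResume
// for each: PSN-A first contact, PSN-B (shares A's key), PSN-C (own key), PSN-A again.
func Scenario() ([]bool, error) {
	cert, pool := serverCert()
	var shared [32]byte
	if _, err := rand.Read(shared[:]); err != nil {
		return nil, err
	}
	other := shared
	other[0] ^= 1 // PSN-C's key differs, so it cannot decrypt tickets A or B issued
	psnA := psn(cert, shared)
	supplicant := &tls.Config{
		ServerName:         "ise-psn",
		RootCAs:            pool,
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // the ticket lives here between auths
	}
	var resumed []bool
	for _, server := range []*tls.Config{psnA, psn(cert, shared), psn(cert, other), psnA} {
		r, err := authenticate(supplicant, server)
		if err != nil {
			return nil, err
		}
		resumed = append(resumed, r)
	}
	return resumed, nil
}

func main() {
	steps, err := Scenario()
	fmt.Println(steps, err) // expect [false true false false] <nil>
}
```

Run it with `go run`; the result is resumed = [false true false false]. The first contact with PSN-A is a full handshake that issues a ticket; PSN-B accepts that ticket without ever having seen the client, purely because it holds the same key; PSN-C cannot decrypt it and falls back to a full handshake, issuing a ticket under its own key; PSN-A then rejects C's ticket for the same reason. In this model cross-server resumption depends only on the servers holding the same ticket key, and no per-session state ever crosses between them, which is the point of the accepted answer. The RADIUS packet counts from the lab test later in the thread are not modelled here.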

Thanks a lot. Now it is clear...

Arne Bier
VIP

@hslai thanks for those links - the one from F5 is excellent.

Just to close the loop, I enabled TLS Session Resume and tested what happens when the Cisco switch sends the subsequent EAP request to a different PSN (within the same Node Group and with LDD enabled) - the result is as expected - the supplicant is forced to perform a full EAP authentication (6 RADIUS request packets sent). Subsequent EAP requests then benefit from Session Resume on that same PSN (3 RADIUS request packets seen in Wireshark).

Session Resume is great and works with all EAP-TLS clients (no support for Stateless Session Resume required on the client side - not all clients support it) - and the benefits are a 50% saving in # of packets sent and received (certificates are no longer exchanged - that makes up a large part of the payload saved).

Stateless Session Resume is still the way to go (if your supplicants support it) because it will allow supplicants to resume sessions even when the load balancer or NAD uses a different PSN.  I was unable to verify this in my lab because I am using wpa_supplicant (on a raspberry pi) for my testing. It's an excellent tool. I am able to enable/disable Session Resume in the wpa_supplicant.conf file - but I was unable to toggle Stateless Session Resume. I contacted the author of the tool to see if this is possible. 

It's a pity that we don't have any insights into the status of Stateless Session Resume (or Session Resume sessions) - I have to confirm using tcpdump - which is tedious - but it's the ultimate proof of it working.

@Arne Bier 

Did you manage to get the info you wanted on this topic?

 

Arne Bier
VIP

Which piece in particular?

This section:

I contacted the author of the tool to see if this is possible.