04-17-2019 03:32 PM - edited 02-21-2020 11:04 AM
Hello 802.1X (switch) experts,
I deal mostly with WLC deployments, where Session-Timeout is configured globally on the WLAN profile and applies to all authenticated sessions (unless overridden by AAA Override). Is there a similar concept on Cisco switches when doing 802.1X? Or does the session stay up as long as the physical layer stays up (e.g. a printer remains plugged into the switch port and the switch keeps the session alive)? I am not sending Session-Timeout or Idle-Timeout to any wired 802.1X authentications.
I am seeing a lot of session events in the ISE Live Logs. Wondering whether those are re-authentications.
Should one generally only return an AAA Session-Timeout to devices that might be connected to wired phones (e.g. non-Cisco IP phones, since they don't alert the Cisco switch when the laptop/PC disconnects from the phone, so the session will stay up forever)? With a Cisco phone I believe this is proxy-signalled via CDP to the switch.
thanks in advance
04-17-2019 11:58 PM
04-18-2019 04:15 PM
Thanks! Is there a show command that shows the remaining session time? I didn't see this in the show access-session command.
04-18-2019 04:18 PM
04-19-2019 04:03 AM
I had a look and show authentication session and show access-session are the same command. There is no mention of the session timer in that output - this is weird - I would expect that one should be able to view this per session.
This is the closest I can find to an authentication timer display command:
#show authentication brief
Interface  MAC Address     AuthC       AuthZ      Fg  Uptime
-----------------------------------------------------------------------------
Tw2/0/23   b0aa.771c.1ced  m:CF d:NR   AZ: SA-    X   1030749s
Tw2/0/35   0004.7d35.f248  m:OK        AZ: SA-V:  X   1030753s
I was tracking one MAB authentication in ISE and I can see that the Accounting Session ID has not changed in many days. This means that no re-authentication has taken place.
I also have this enabled globally:
aaa accounting update newinfo periodic 2880
I don't know what the DHCP lease time is on that VLAN (I will have to ask the customer) but ISE is processing an Interim-Accounting request every 10 minutes - which leads me to believe that the DHCP renewal is triggering an Interim-Update (due to the "newinfo" argument in the aaa command above).
The port profile interface contains this config:
authentication periodic
authentication timer reauthenticate server
Since I don't return a Session-Timeout to the switch (Server Timeout=0), and since I told the switch to use authentication timer reauthenticate server, the switch has effectively deactivated the Session-Timeout - which is actually the behaviour I was hoping for - I think the command below validates that:
show dot1x interface twoGigabitEthernet 2/0/35 switch active R0
Dot1x Info for TwoGigabitEthernet2/0/35
--------------------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 7
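An added example, not from this thread and not Cisco's own tooling: a small Python parser for the show authentication brief rows quoted above, plus a check that models the behaviour described in the thread (authentication periodic with authentication timer reauthenticate server and no Session-Timeout returned means no periodic reauthentication is scheduled) and flags sessions whose uptime already exceeds the expected interval. The two sample rows are the thread's own output re-typed as constructed input; the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two rows quoted in the thread, re-typed.
SAMPLE_OUTPUT = """\
Interface MAC Address AuthC AuthZ Fg Uptime
-----------------------------------------------------------------------------
Tw2/0/23 b0aa.771c.1ced m:CF d:NR AZ: SA- X 1030749s
Tw2/0/35 0004.7d35.f248 m:OK AZ: SA-V: X 1030753s
"""

@dataclass
class Session:
    interface: str
    mac: str
    authc: str      # per-method status tokens, e.g. "m:CF d:NR"
    authz: str      # authorization tokens, e.g. "AZ: SA-V:"
    flags: str
    uptime_s: int

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_auth_brief(text: str) -> List[Session]:
    """Parse 'show authentication brief' rows. AuthC/AuthZ are variable-width,
    so each row is split at 'AZ:'; the last two tokens are flags and uptime."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not MAC_RE.match(tok[1]) or "AZ:" not in tok:
            continue  # header, separator line, or an unrecognised row
        az = tok.index("AZ:")
        out.append(Session(tok[0], tok[1], " ".join(tok[2:az]),
                           " ".join(tok[az:-2]), tok[-2],
                           int(tok[-1].rstrip("s"))))
    return out

def effective_reauth_interval(timer_mode: str, session_timeout: Optional[int]) -> Optional[int]:
    """Interval under 'authentication periodic': 'server' uses the RADIUS
    Session-Timeout (absent or 0 means no reauth); otherwise local seconds."""
    if timer_mode == "server":
        return session_timeout or None
    return int(timer_mode)

def sessions_past_interval(sessions: List[Session], interval: Optional[int]) -> List[Session]:
    """Sessions whose uptime already exceeds the expected reauth interval:
    evidence that periodic reauthentication is not actually happening."""
    if interval is None:
        return list(sessions)  # nothing is scheduled, so every session is stale
    return [s for s in sessions if s.uptime_s > interval]
```

Run it against a real capture of the command output and compare the uptime column with the interval you expect from the RADIUS policy; with reauthenticate server and no Session-Timeout, every session is reported, which matches the multi-day Accounting Session ID observed above.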