3936 Views, 0 Helpful, 6 Replies

IP device tracking and idle timer problem

Hi,

We are deploying 802.1X in our network and have encountered a problem with a type of payment terminal.
The problem is that the terminal does not 'speak' to the network after the first initial DHCP request; the terminal waits for incoming packets from a counter to start the payment process. After the idle time the MAC is flushed from the switch and the port is not authorized any more.

To solve this we set 'authentication control-direction in' on the port and use 'ip device tracking' to keep the client on the network; IP device tracking sends an ARP request every 30 seconds to clients.

Our ISE is sending Radius:Idle-Timeout = 300 and the timer starts to count down when the client is authenticated.

In Wireshark, I can see that the ARP request is going out and the ARP reply coming back in but this does not update the inactivity timer for the client. So after 5 minutes the port is gone, and there is no way to get the port up again from the network. Traffic from the client brings up the network.


This looks like a bug to me, anyone seen this, or a similar behaviour?


Running:

ISE 1.2p6
IOS 12.2(55)SE6

 

From Trustsec 1.99 Wired 802.1X Deployment Guide:

Tip: Enable IP Device Tracking with inactivity timers to keep quiet endpoints connected. When IP Device Tracking is enabled, the switch periodically sends ARP probes to endpoints in the IP Device Tracking table (which is initially populated by DHCP requests or ARP from the endpoint). As long as the endpoint is connected and responds to these probes, the inactivity timer is not triggered and the endpoint is not inadvertently removed from the network.

 

From CLI output

SW03#sh auth sessions int fa0/4
            Interface:  FastEthernet0/4
          MAC Address:  xxxx.xxxx.5289
           IP Address:  10.10.10.64
            User-Name:  XX-XX-XX-XX-52-89
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  300s (server), Remaining: 2s
    Common Session ID:  0A17BD07000000A925152A7B
      Acct Session ID:  0x00000458
               Handle:  0x090000A9

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

SW03#
SW03#
SW03#
SW03#sh auth sessions int fa0/4
            Interface:  FastEthernet0/4
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A17BD07000000AA251A0019
      Acct Session ID:  0x00000462
               Handle:  0x800000AA

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run
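The two 'show authentication sessions' snapshots above are the evidence for the symptom: a session authorized by MAB with a server-supplied idle timer that keeps counting down even though ARP probes are answered, followed by a fresh, unauthenticated session once it expires. The following script is an added example (not from the original post or from Cisco) that parses that output format and flags authorized sessions whose idle timer is close to expiry, which is the condition a monitoring job would alert on while the root cause is being fixed. The sample output is constructed to mirror the post (MAC addresses anonymised exactly as in the original); the function names are my own.

```python
import re

# Constructed sample: two snapshots of "show authentication sessions interface",
# modelled on the output in the post (anonymised MACs kept as they appear there).
SAMPLE_OUTPUT = """\
SW03#sh auth sessions int fa0/4
            Interface:  FastEthernet0/4
          MAC Address:  xxxx.xxxx.5289
           IP Address:  10.10.10.64
            User-Name:  XX-XX-XX-XX-52-89
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  300s (server), Remaining: 2s
    Common Session ID:  0A17BD07000000A925152A7B
      Acct Session ID:  0x00000458
               Handle:  0x090000A9

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

SW03#sh auth sessions int fa0/4
            Interface:  FastEthernet0/4
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A17BD07000000AA251A0019
      Acct Session ID:  0x00000462
               Handle:  0x800000AA

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run
"""

# "300s (server), Remaining: 2s" -> configured seconds, source, remaining seconds
IDLE_RE = re.compile(r"(\d+)s \((\w+)\), Remaining: (\d+)s")


def parse_auth_sessions(text):
    """Split CLI output into one dict per session; a session starts at an 'Interface:' line.
    The 'Runnable methods list' table is stored under the 'methods' key."""
    sessions = []
    current = None
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_methods = False          # blank line ends the methods table
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
            current["methods"] = {}
            continue
        if in_methods:
            if line.startswith("Method"):
                continue                # column header
            name, _, state = line.partition(" ")
            current["methods"][name] = state.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                    # prompt lines such as "SW03#sh auth sessions ..."
        key, value = key.strip(), value.strip()
        if key == "Interface":
            current = {"Interface": value}
            sessions.append(current)
        elif current is not None:
            current[key] = value
    return sessions


def idle_timeout(session):
    """Return (configured_seconds, source, remaining_seconds), or None when no idle timer applies."""
    match = IDLE_RE.search(session.get("Idle timeout", ""))
    if not match:
        return None
    return int(match.group(1)), match.group(2), int(match.group(3))


def sessions_near_idle_expiry(sessions, warn_seconds=60):
    """Authorized sessions whose idle timer has fewer than warn_seconds left.
    In the situation described in the post the ARP replies elicited by IP device
    tracking did not reset this timer, so a quiet endpoint steadily counting down
    is exactly the session a poller should report before the port de-authorizes."""
    flagged = []
    for session in sessions:
        timer = idle_timeout(session)
        if session.get("Status") == "Authz Success" and timer and timer[2] <= warn_seconds:
            flagged.append((session["Interface"], session["MAC Address"], timer[2]))
    return flagged


if __name__ == "__main__":
    parsed = parse_auth_sessions(SAMPLE_OUTPUT)
    for iface, mac, remaining in sessions_near_idle_expiry(parsed):
        print(f"{iface}: {mac} idle timer expires in {remaining}s")
```

Feed it the output of 'show authentication sessions interface ...' collected over SSH (or a saved capture) and compare successive runs: a remaining value that never resets after an ARP reply, while the session stays 'Authz Success', reproduces the behaviour reported here.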


6 Replies

nspasov
Cisco Employee

Can you share the port-configurations?

Here is the port config.

Just to clarify, everything is working except that the terminal is losing the authentication. The terminal works again if traffic is initiated from the terminals menu, like with ping.

 

interface FastEthernet0/4
 description Standard
 switchport access vlan xxx
 switchport mode access
 switchport block unicast
 switchport voice vlan xxx
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 5
 switchport port-security violation restrict
 priority-queue out
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan xxx
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 storm-control broadcast level pps 100
 storm-control multicast level pps 100
 storm-control action trap
 spanning-tree portfast
 service-policy input users

 

Hmm, everything looks good. Can you also post a screenshot of the authorization result?

Possibly not related - but I don't think you should mix 802.1X with port-security. I would remove the port-security lines completely

Stephen McBride
Level 1

 switchport port-security aging time 5

 

Basically your port security is clashing with dot1x. I had this exact problem a while ago and removing the above command will fix it. Ultimately though you should review the need for port security configurations when using dot1x - kind of achieves the same purpose.

acazarez
Level 1

I see you are using IBNS 1.0.
I am using IBNS 2.0 and I prioritize MAB over 802.1X, and that fixed my problem with sleepy printers.
