06-13-2013 11:47 PM - edited 03-10-2019 08:32 PM
Hello,
I have an Alcatel IP phone authenticated via 802.1X. A PC is connected behind the phone using MAB. When the PC is disconnected, the session remains forever. The session can be cleared with the inactivity timer. The PROBLEM is... when the PC is still connected (during lunch time) the session will be cleared.
Is there a possibility to clear the session only when the PC is disconnected? Device tracking does not help. I have configured Session-Timeout in combination with Termination-Action = Default on ACS 5.4. Nothing happened.
interface FastEthernet0/1
switchport mode access
switchport voice vlan 24
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication timer inactivity server
mab
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree portfast
end
Thanks, Horst
06-14-2013 01:05 AM
Interesting.... Do you know why the PC is getting disconnected over lunch? Is it being turned off / standby / hibernated / idle for too long?
Also, if you're doing MAB, it shouldn't really matter too much if it does get disconnected because as soon as the PC starts to transmit frames again, the switch should do another MAC Auth and you're in business again. Is this secondary authentication not happening?
Sent from Cisco Technical Support iPad App
06-14-2013 01:56 AM
Hi Richard,
What you say is right. But what happens with the Outlook connection or other applications which need connectivity, if the PC sends no "keepalive"? I think a user will not be happy to restart the applications. As soon as the PC sends a packet, reauthentication starts successfully. The coolest thing would be if the inactivity timer, in combination with IP device tracking, would restart. RADIUS attributes 27 and 29 configured on ACS have no effect. With "debug radius" I can see it. But "show dot1x all" on the interface does not show anything.
CEST: RADIUS: Session-Timeout [27] 6 77
CEST: RADIUS: Termination-Action [29] 6 0
Switch#sh dot1x interface fa0/1
Dot1x Info for FastEthernet0/1
-----------------------------------
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = In
HostMode = MULTI_DOMAIN
QuietPeriod = 60
ServerTimeout = 0 S <----- NO ENTRY
06-25-2013 01:55 AM
Hi,
I've found a solution with IOS 12.2(55)SE.
A combination of mac-move permit and authentication violation replace.
MAC-MOVE.
If the PC behind the phone is disconnected, the session remains forever. If I plug the PC into another port on the same switch, a new session is established and the old session is cleared.
AUTHENTICATION VIOLATION REPLACE
If the PC behind the phone is disconnected, the session remains forever. If a new device is connected behind the phone, a security violation occurs, but the session is replaced by the new device.
No inactivity timer is needed.
Horst
06-26-2013 06:40 PM
Mac-move is enabled by default. Unfortunately, authentication violation replace is not an option in my network.
Thank you for the response.
Sent from Cisco Technical Support iPhone App