1208 Views, 0 Helpful, 4 Replies

MAB No Session Timeout behind a NON-Cisco IP-Phone

hdussa
Level 1

Hello,

I've an Alcatel IP-Phone authenticated via 802.1X. A PC is connected at the phone using MAB. When the PC is disconnected, the session remains forever. The session can be cleared with the inactivity timer. The PROBLEM is... when the PC is still connected (during lunch time) the session will be cleared.

Is there a possibility to clear the session only when disconnecting the PC? Device tracking does not help. I've configured Session-Timeout in combination with Termination-Action = Default on ACS 5.4. Nothing happened.

interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 24
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
end

Thx Horst

4 Replies

Richard Atkin
Level 4

Interesting... Do you know why the PC is getting disconnected over lunch? Is it being turned off / put on standby / hibernated / idle for too long?

Also, if you're doing MAB, it shouldn't really matter too much if it does get disconnected because as soon as the PC starts to transmit frames again, the switch should do another MAC Auth and you're in business again. Is this secondary authentication not happening?

Sent from Cisco Technical Support iPad App

Hi Richard,

What you say is right. But what happens with the Outlook connection or other applications which need connectivity, if the PC sends no "keepalive"? I think a user will not be happy to restart the applications. As soon as the PC sends a packet, re-authentication starts successfully. The coolest thing would be if the inactivity timer, in combination with ip device tracking, would restart. RADIUS attributes 27 and 29 configured on ACS have no effect. With "debug radius" I can see them. But "show dot1x all" on the interface does not show anything.

CEST: RADIUS:  Session-Timeout     [27]  6   77
CEST: RADIUS:  Termination-Action  [29]  6   0

Switch#sh dot1x interface fa0/1
Dot1x Info for FastEthernet0/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = In
HostMode                  = MULTI_DOMAIN
QuietPeriod               = 60
ServerTimeout             = 0 S                              <----- NO ENTRY

hdussa
Level 1

Hi,

I've found a solution with IOS 12.2(55)SE.

A combination of mac-move permit and authentication violation replace.

MAC-MOVE.

If the PC behind the phone is disconnected, the session remains forever. If I plug the PC into another port on the same switch, a new session is established and the old session is cleared.

AUTHENTICATION VIOLATION REPLACE

If the PC behind the phone is disconnected, the session remains forever. If a new device is connected behind the phone, a security violation occurs, but the session is replaced by the new device.

No inactivity timer is needed.

Horst
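The two commands from Horst's solution, placed where they belong in the running configuration. This is an added example for readers of the thread, not configuration posted by Horst; it assumes the same port (FastEthernet0/1), voice VLAN 24 and IOS 12.2(55)SE from the original question. Note that "authentication mac-move permit" is a global command while "authentication violation replace" is per interface, and that the RADIUS inactivity timer is left out on purpose, since with this approach a stale session is only cleared when the PC's MAC shows up on another port or a different MAC appears behind the phone.

```cisco
! Global: a MAC already authenticated on one port may move to another port
! on the same switch; the session on the old port is torn down when the
! new one is built (covers the "PC plugged into another port" case).
authentication mac-move permit
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 24
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 ! Per interface: when a new MAC appears in the data domain behind the
 ! phone, replace the stale session instead of restricting or
 ! err-disabling the port (covers the "new device behind the phone" case).
 authentication violation replace
 ! "authentication timer inactivity server" deliberately omitted: the
 ! stale session is no longer cleared by idle time, so a quiet PC
 ! (lunch break) keeps its session and its application connections.
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
!
end
```

To confirm which MAC currently owns the data domain on the port, and to see a replaced session disappear after a device swap, use "show authentication sessions interface FastEthernet0/1" on the switch. Keep in mind the trade-off the thread already describes: an unplugged PC leaves an authenticated session on the port until something else claims it, so this is a usability fix rather than a tightening of the port's security posture, which is why dynamitec1 below cannot use it in his network.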

dynamitec1
Level 1

Mac-move is enabled by default. Unfortunately, authentication violation replace is not an option in my network.

Thank you for the response.

Sent from Cisco Technical Support iPhone App
