721 Views · 0 Helpful · 4 Replies
Beginner

MAB No Session Timeout behind a NON-Cisco IP-Phone

Hello,

I have an Alcatel IP phone authenticated via 802.1X. A PC is connected to the phone using MAB. When the PC is disconnected, the session remains forever. The session can be cleared with the inactivity timer. The PROBLEM is... when the PC is still connected (during lunch time) the session will be cleared.

Is there a possibility to clear the session only when disconnecting the PC? Device tracking does not help. I have configured Session timeout in combination with Termination action = Default on ACS 5.4. Nothing happened.

interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 24
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
end

Thx Horst

4 REPLIES
Enthusiast

Re: MAB No Session Timeout behind a NON-Cisco IP-Phone

Interesting.... Do you know why the PC is getting disconnected over lunch? Is it being turned off / standby / hibernated / idle for too long?

Also, if you're doing MAB, it shouldn't really matter too much if it does get disconnected because as soon as the PC starts to transmit frames again, the switch should do another MAC Auth and you're in business again. Is this secondary authentication not happening?

Sent from Cisco Technical Support iPad App

Beginner

Re: MAB No Session Timeout behind a NON-Cisco IP-Phone

Hi Richard,

What you say is right. But what happens with the Outlook connection or other applications which need connectivity, if the PC sends no "keepalive"? I think a user will not be happy to restart the applications. As soon as the PC sends a packet, reauthentication starts successfully. The coolest thing would be if the inactivity timer, in combination with IP device tracking, would restart. RADIUS attributes 27 and 29 configured on ACS have no effect. With "debug radius" I can see them. But "show dot1x all" on the interface does not show anything.

CEST: RADIUS:  Session-Timeout     [27]  6   77
CEST: RADIUS:  Termination-Action  [29]  6   0

Switch#sh dot1x interface fa0/1
Dot1x Info for FastEthernet0/1
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = In
HostMode                  = MULTI_DOMAIN
QuietPeriod               = 60
ServerTimeout             = 0 S                              <----- NO ENTRY
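An added example, not part of the thread or of any Cisco tooling: a small parser for "debug radius" attribute lines of the shape quoted above. It pulls out the attribute number, length and value, and decodes Termination-Action using the RFC 2865 values (0 = Default, 1 = RADIUS-Request), so you can confirm from a log capture what the server actually sent before looking at the switch side. The sample lines are constructed from the two quoted in the post; the regex assumes the standard IOS "debug radius" layout with the attribute name, "[id]", length and value separated by whitespace.

```python
import re

# IOS "debug radius" attribute line, e.g.
#   CEST: RADIUS:  Session-Timeout     [27]  6   77
# Groups: attribute name, numeric id, encoded length, value (rest of line).
ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[\w-]+)\s+\[(?P<id>\d+)\]\s+(?P<len>\d+)\s+(?P<value>\S.*?)\s*$"
)

# RFC 2865, section 5.29: Termination-Action values.
TERMINATION_ACTION = {0: "Default", 1: "RADIUS-Request"}

# Constructed sample: the two attribute lines quoted in the post.
SAMPLE_DEBUG = """\
CEST: RADIUS:  Session-Timeout     [27]  6   77
CEST: RADIUS:  Termination-Action  [29]  6   0
"""


def parse_radius_attrs(debug_text):
    """Map attribute id -> (name, raw value) for every attribute line found."""
    attrs = {}
    for line in debug_text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[int(m.group("id"))] = (m.group("name"), m.group("value"))
    return attrs


def summarize(attrs):
    """Interpret the two attributes the thread is about (27 and 29).

    Returns None for an attribute the server did not send, which is the
    first thing to rule out when the switch shows no timeout.
    """
    session_timeout = None
    if 27 in attrs:
        session_timeout = int(attrs[27][1])

    termination_action = None
    if 29 in attrs:
        code = int(attrs[29][1])
        termination_action = TERMINATION_ACTION.get(code, f"unknown({code})")

    return {"session_timeout": session_timeout,
            "termination_action": termination_action}


if __name__ == "__main__":
    parsed = parse_radius_attrs(SAMPLE_DEBUG)
    print(parsed)
    print(summarize(parsed))
```

For the quoted capture this reports a Session-Timeout of 77 seconds and Termination-Action "Default"; a server that returns "Default" is asking the switch to end the session when the timer expires, whereas "RADIUS-Request" asks it to re-authenticate instead.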

Beginner

Re: MAB No Session Timeout behind a NON-Cisco IP-Phone

Hi,

I have found a solution with IOS 12.2(55)SE.

A combination of mac-move permit and authentication violation replace.

MAC-MOVE

If the PC behind the phone is disconnected, the session remains forever. If I plug the PC into another port on the same switch, a new session is established and the old session is cleared.

AUTHENTICATION VIOLATION REPLACE

If the PC behind the phone is disconnected, the session remains forever. If a new device is connected behind the phone, a security violation occurs, but the session is replaced by the new device.

No inactivity timer is needed.

Horst
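An added example, not from the thread or from Cisco: a quick audit script that reads an interface block and reports which of the session-clearing mechanisms discussed here are configured on it. The first sample is the port from the original post; the second is a constructed variant that adds "authentication violation replace" from this reply, plus "authentication periodic" and "authentication timer reauthenticate server", which are the two interface commands IOS requires before a RADIUS Session-Timeout (27) and Termination-Action (29) take effect on the port (without them the switch ignores those attributes, which matches the empty "show dot1x" output earlier in the thread). The mac-move setting is a global command ("authentication mac-move permit"), so it does not show up in an interface block and is not checked here.

```python
import re

# Constructed sample: the port configuration quoted in the original post.
ORIGINAL_PORT = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 24
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
end
"""

# Constructed sample: the same port with the fix from this reply and the two
# lines needed for the switch to honour a server-supplied Session-Timeout.
HARDENED_PORT = ORIGINAL_PORT.replace(
    " authentication timer inactivity server\n",
    " authentication timer inactivity server\n"
    " authentication periodic\n"
    " authentication timer reauthenticate server\n"
    " authentication violation replace\n",
)

# (key, regex matched against one stripped config line, what the line gives you)
CHECKS = [
    ("inactivity_from_server", r"^authentication timer inactivity server$",
     "server Idle-Timeout (28) clears idle sessions"),
    ("periodic_reauth", r"^authentication periodic$",
     "re-authentication enabled on the port"),
    ("reauth_from_server", r"^authentication timer reauthenticate server$",
     "server Session-Timeout (27) / Termination-Action (29) honoured"),
    ("violation_replace", r"^authentication violation replace$",
     "a new MAC behind the phone replaces the stale session"),
]


def interface_lines(config):
    """Return the stripped, non-empty lines between 'interface ...' and 'end'."""
    lines = []
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            inside = True
            continue
        if line in ("end", "!"):
            inside = False
            continue
        if inside and line:
            lines.append(line)
    return lines


def audit_port(config):
    """Map each check key to True if its command is present on the port."""
    lines = interface_lines(config)
    return {key: any(re.match(pattern, line) for line in lines)
            for key, pattern, _ in CHECKS}


def missing(config):
    """Human-readable list of what the port is missing."""
    result = audit_port(config)
    return [desc for key, _, desc in CHECKS if not result[key]]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_PORT), ("hardened", HARDENED_PORT)):
        print(label, audit_port(cfg))
        for item in missing(cfg):
            print("  missing:", item)
```

Run against the original post's port this flags the missing periodic/reauthenticate-server pair and the missing violation mode, which together explain both symptoms in the thread: the server's 77-second Session-Timeout is never applied, and a stale MAB session is only ever cleared by the inactivity timer.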

Beginner

Re: MAB No Session Timeout behind a NON-Cisco IP-Phone

MAC move is enabled by default. Unfortunately, authentication violation replace is not an option in my network.

Thank you for the response.

Sent from Cisco Technical Support iPhone App