I have an Alcatel IP phone authenticated via 802.1X. A PC is connected behind the phone using MAB. When the PC is disconnected, the session remains forever. The session can be cleared with the inactivity timer. The PROBLEM is... when the PC is still connected (during lunch time), the session will also be cleared.
Is there a possibility to clear the session only when the PC is disconnected? Device tracking does not help. I have configured Session-Timeout in combination with Termination-Action = Default on ACS 5.4. Nothing happened.
switchport mode access
switchport voice vlan 24
authentication event fail action next-method
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication timer inactivity server
dot1x pae authenticator
dot1x timeout tx-period 1
dot1x max-reauth-req 1
Interesting.... Do you know why the PC is getting disconnected over lunch? Is it being turned off / standby / hibernated / idle for too long?
Also, if you're doing MAB, it shouldn't really matter too much if it does get disconnected because as soon as the PC starts to transmit frames again, the switch should do another MAC Auth and you're in business again. Is this secondary authentication not happening?
Sent from Cisco Technical Support iPad App
What you say is right. But what happens with the Outlook connection or other applications which need connectivity? If the PC sends no "keepalive"... I think a user will not be happy to restart the applications. As soon as the PC sends a packet, reauthentication starts successfully. The coolest thing would be if the inactivity timer, in combination with IP device tracking, would restart. RADIUS attributes 27 and 29 configured on ACS have no effect. With "debug radius" I can see them. But "show dot1x all" on the interface does not show anything.
CEST: RADIUS: Session-Timeout  6 77
CEST: RADIUS: Termination-Action  6 0
Switch#sh dot1x interface fa0/1
Dot1x Info for FastEthernet0/1
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = In
HostMode = MULTI_DOMAIN
QuietPeriod = 60
ServerTimeout = 0 S <----- NO ENTRY
I've found a solution with IOS 12.2(55)SE.
A combination of mac-move permit and authentication violation replace.
MAC-MOVE PERMIT
If the PC behind the phone is disconnected, the session remains forever. If I plug the PC into another port on the same switch, a new session will be established and the old session will be cleared.
AUTHENTICATION VIOLATION REPLACE
If the PC behind the phone is disconnected, the session remains forever. If a new device is connected behind the phone, a security violation occurs, but the session will be replaced by the new device.
No inactivity timer is needed.
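For reference, here are the two approaches from this thread side by side as an added configuration example; it is not taken from any of the posts above. The interface and voice VLAN numbers are copied from the original post, the RADIUS/ACS side is assumed to be working already, and the commands are the IOS 12.2(55)SE IBNS syntax. Note that `authentication timer inactivity server` takes its idle value from RADIUS attribute 28 (Idle-Timeout), not from 27 (Session-Timeout) or 29 (Termination-Action), and that the "ServerTimeout" field in `show dot1x interface` is the RADIUS server response timeout, not the Session-Timeout attribute.

```cisco
! Added example, not from the original thread.
! Assumptions: FastEthernet0/1 with voice VLAN 24 as in the poster's config;
! RADIUS (ACS 5.4) already returns the attributes mentioned in the thread.

! --- Variant A: inactivity-timer based (the poster's starting point) ---
! The data-domain (PC) session is torn down after the server-supplied
! Idle-Timeout (RADIUS attribute 28) expires, even if the PC is still cabled
! in behind the phone. It comes back only when the PC transmits again.
ip device tracking
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 24
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication timer inactivity server
 dot1x pae authenticator
!
! --- Variant B: mac-move permit + violation replace (the poster's fix) ---
! No inactivity timer. A session left behind by an unplugged PC stays in
! place until either (a) the same MAC shows up on another port of this
! switch, which clears the old session (mac-move permit), or (b) a different
! MAC shows up behind the phone, which replaces the stale data-domain
! session instead of raising a security violation (violation replace).
authentication mac-move permit
!
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 24
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication violation replace
 dot1x pae authenticator
!
! Verification: list the sessions held on the port (one per domain) and the
! method (dot1x/mab) that authorised each MAC.
!   show authentication sessions interface FastEthernet0/1
! Manual cleanup of a stale session if one is left behind:
!   clear authentication sessions interface FastEthernet0/1
```

The trade-off worth checking before choosing Variant B: with `authentication violation replace`, the stale data-domain session of an unplugged PC stays authorised until something displaces it, and any new MAC behind the phone is allowed to displace it (the newcomer is then authenticated in its own right via dot1x/MAB, so it gains nothing it would not get on an empty port). With `authentication mac-move permit`, a MAC that appears on a second port is moved rather than treated as a violation on the first port, which is what makes the cleanup work but also means a MAC seen on two ports is not flagged.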
Mac-move is enabled by default. Unfortunately, authentication violation replace is not an option in my network.
Thank you for the response.
Sent from Cisco Technical Support iPhone App