8075 Views | 5 Helpful | 4 Replies

What is the default 802.1X session timeout on a Cisco Switch?

Arne Bier (VIP)

Hello 802.1X (switch) experts,

 

I deal mostly with WLC deployments, where Session-Timeout is configured globally on the WLAN profile and applies to all authenticated sessions (unless overridden by AAA Override). Is there a similar concept on Cisco switches when doing 802.1X? Or does the session stay up as long as the physical layer stays up (e.g. a printer remains plugged into the switch port and the switch keeps the session alive)? I am not sending Session-Timeout or Idle-Timeout to any wired 802.1X authentications.

 

I am seeing a lot of session events in the ISE Live Logs. Wondering whether those are re-authentications.

 

Should one generally only return an AAA Session-Timeout to devices that might be connected to wired phones (e.g. non-Cisco IP phones, since they don't alert the Cisco switch when the laptop/PC disconnects from the phone, so the session will stay up forever)? With a Cisco phone I believe this is proxy-signalled via CDP to the switch.

 

thanks in advance

Accepted Solution

Default is 1 hour.

Rack1(config-if)#authentication timer ?
  inactivity      Interval in seconds after which, if there is no activity from the client, it will be unauthorized (default OFF)
  *reauthenticate  Time in seconds after which an automatic re-authentication should be initiated (default 1 hour)*
  restart         Interval in seconds after which an attempt should be made to authenticate an unauthorized port (default 60 sec)
  unauthorized    Time in seconds after which an unauthorized session will get deleted


4 Replies

Thanks! Is there a show command that shows the remaining session time? I didn't see this in the show access-session command.

I think you will see it in sh auth sess interface x/x detail

I had a look, and show authentication session and show access-session are the same command. There is no mention of the session timer in that output. This is weird; I would expect that one should be able to view this per session.

 

This is the closest I can find to an authentication timer display command

#show authentication brief
Interface  MAC Address     AuthC           AuthZ                   Fg  Uptime
-----------------------------------------------------------------------------
Tw2/0/23   b0aa.771c.1ced  m:CF d:NR      AZ: SA-                 X    1030749s
Tw2/0/35   0004.7d35.f248  m:OK           AZ: SA-V:               X    1030753s

 

I was tracking one MAB authentication in ISE and I can see that the Accounting Session ID has not changed in many days.  This means that no re-authentication has taken place.  

 

I also have this enabled globally

aaa accounting update newinfo periodic 2880

 

I don't know what the DHCP lease time is on that VLAN (I will have to ask the customer), but ISE is processing an Interim-Accounting request every 10 minutes, which leads me to believe that the DHCP renewal is triggering an Interim-Update (due to the "newinfo" argument in the aaa command above).

 

The port profile Interface contains this config

authentication periodic
authentication timer reauthenticate server

 

Since I don't return a Session-Timeout to the switch (Server Timeout=0), and since I told the switch to use authentication timer reauthenticate server, the switch has effectively deactivated the Session-Timeout, which is actually the behaviour I was hoping for. I think the command below validates that:

 

show dot1x interface twoGigabitEthernet 2/0/35 switch  active R0

Dot1x Info for TwoGigabitEthernet2/0/35
--------------------------------------------
PAE = AUTHENTICATOR
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthMax = 3
MaxReq = 2
TxPeriod = 7
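The thread above works out by hand what the reauthentication timer resolves to (local default of 1 hour, a local value, or the server-supplied Session-Timeout when the port says "server") and then eyeballs the Uptime column of show authentication brief to see that sessions were never re-authenticated. The script below is an added example, not code from the thread or from Cisco: it encodes that timer logic in one function and parses the brief output posted above (reused here as constructed sample input) to flag sessions that have outlived the interval. The rule "server keyword plus no Session-Timeout means no periodic reauth" is the poster's conclusion and is treated as an assumption; the function and variable names are illustrative.

```python
import re
from typing import Optional

# IOS default for "authentication timer reauthenticate" (1 hour, per the accepted answer).
DEFAULT_REAUTH_SECONDS = 3600


def effective_reauth_interval(periodic: bool, timer: str,
                              session_timeout: Optional[int]) -> Optional[int]:
    """Seconds until the switch will re-authenticate a session, or None if never.

    periodic        - True when 'authentication periodic' is on the port
    timer           - value of 'authentication timer reauthenticate': 'server',
                      a number of seconds as a string, or '' when not set
    session_timeout - RADIUS Session-Timeout returned by the AAA server, or
                      None when the server did not send one

    Assumption (the thread's conclusion, not verified against Cisco docs):
    with 'server' and no non-zero Session-Timeout, no periodic re-auth runs.
    """
    if not periodic:
        return None
    if timer == "server":
        return session_timeout if session_timeout else None
    if timer:
        return int(timer)
    return DEFAULT_REAUTH_SECONDS


# One data row of 'show authentication brief': interface, MAC, ..., uptime in seconds.
_BRIEF_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s.*?\s(?P<uptime>\d+)s$"
)


def parse_auth_brief(output: str) -> list:
    """Extract interface, MAC and uptime (seconds) from 'show authentication brief'."""
    sessions = []
    for line in output.splitlines():
        m = _BRIEF_ROW.match(line.strip())
        if m:
            sessions.append({"interface": m["intf"], "mac": m["mac"],
                             "uptime_s": int(m["uptime"])})
    return sessions


def sessions_older_than(sessions: list, max_age_s: int) -> list:
    """With periodic re-auth in effect no session should outlive the interval."""
    return [s for s in sessions if s["uptime_s"] > max_age_s]


# Constructed sample input: the two rows posted in the thread above.
SAMPLE_BRIEF = """\
#show authentication brief
Interface  MAC Address     AuthC           AuthZ                   Fg  Uptime
-----------------------------------------------------------------------------
Tw2/0/23   b0aa.771c.1ced  m:CF d:NR      AZ: SA-                 X    1030749s
Tw2/0/35   0004.7d35.f248  m:OK           AZ: SA-V:               X    1030753s
"""


def audit(brief_output: str, periodic: bool, timer: str,
          session_timeout: Optional[int]) -> tuple:
    """Return (interval or None, interfaces whose session outlived that interval).

    When no interval applies, every session is reported as never re-authenticated.
    """
    interval = effective_reauth_interval(periodic, timer, session_timeout)
    sessions = parse_auth_brief(brief_output)
    flagged = sessions if interval is None else sessions_older_than(sessions, interval)
    return interval, [s["interface"] for s in flagged]


if __name__ == "__main__":
    # The port profile from the thread: periodic + server, and ISE returns no Session-Timeout.
    interval, flagged = audit(SAMPLE_BRIEF, periodic=True, timer="server", session_timeout=None)
    print(f"re-auth interval: {interval}; sessions never re-authenticated: {flagged}")
```

With the thread's port profile (periodic, timer "server", no Session-Timeout from ISE) the audit reports no interval and lists both ports, matching the unchanged Accounting Session ID the poster observed over many days; switching the timer to the local default flags the same two sessions because 1030749 s is far beyond 3600 s.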
