Radius Idle-Timeout and Session-Timeout does not work

Geza Makay
Level 1

Hi,

I have an SG300-20 here for testing (firmware: 1.1.2.0, boot version: 1.0.0.4, language version: 1.1.1.6 English). Everything seems to work on it, except that if I choose Radius authentication by mac address only, then the switch does not honor the Idle-Timeout and Session-Timeout attributes from the Radius server (freeradius).

The setup is the following: I have a no-name access point plugged in to switch port gi1. The port gi1 is set up for Radius authentication by mac address only. The access point itself is authenticated, no problem with that. If I connect through the access point by (say) a mobile phone, it is authenticated, no problem. The radius server does send the Idle-Timeout and Session-Timeout attributes, I checked it by running "freeradius -X", both are set to 30 seconds. Then I turn off the wireless card in my mobile phone and check the dot1x users by "show dot1x users". My mobile phone's mac address remains there for 5-10 minutes, so the Idle-Timeout and Session-Timeout do not work.

Another way I could resolve this problem is by explicitly asking the switch to reauthenticate the user. Unfortunately there is no CLI command to do just that; I can, however, do a reauthentication on a port using "dot1x re-authenticate gi1" (for example). But it does not work as expected: the switch uses the stored mac address to reauthenticate the user, so nothing changes on the port (unless something changes in the radius server). I think it should work like the following: remove the authenticated user from the port, and whenever that mac address makes some network traffic, then reauthenticate as if it were a completely new connection. BTW: it would help me also if I could just remove an authenticated user from a port, but I did not find a command to do that.

As a last resort I can simply shut down the port and bring it up again ("shutdown" and "no shutdown" in the interface config), then all users are removed from the port and they all must reauthenticate. But it causes a network outage for a couple of seconds for all users on that port; on a busy access point it is quite disturbing, and it is not an elegant way to do this.

So my actual question is: is there a way to remove an authenticated user either automatically (Idle-Timeout and Session-Timeout) or manually from this switch?

I enclose the relevant part of the running config.

Thank you very much in advance.

Best regards,

Geza

================================================

interface range gi1-2
dot1x host-mode multi-sessions
exit
vlan database
vlan 2-4
exit
interface vlan 3
dot1x guest-vlan
exit
dot1x system-auth-control
interface range gi1-2
dot1x reauthentication
exit
interface range gi1-2
dot1x mac-authentication mac-only
exit
interface range gi1-2
dot1x radius-attributes vlan
exit
interface range gi1-2
dot1x guest-vlan enable
exit
interface gigabitethernet1
dot1x port-control auto
exit
interface gigabitethernet2
dot1x port-control auto
exit
radius-server host 192.168.33.195 key testing123 priority 1 usage dot1.x
aaa authentication dot1x default radius

2 Replies

Nachtfalkeaw
Level 1

Hi,

The problem seems to be that the hardware (switch SG300) does not do/support what the datasheet promises.

Idle-timeout and session-timeout can only be done if there are some kind of accounting packets. The NAS (switch) must send back the time the host is connected so that RADIUS can disconnect that host or not allow it to re-authenticate.

Take a look at my thread.

https://supportforums.cisco.com/message/3546558#3546558

9 months ago I bought 20 switches of the SG200 series because the datasheet promised that the SG200 can dynamically assign VLANs. This was wrong and I had to send all SG200 back and I got the SG300 series from Cisco.

The datasheet of the SG300 series says that there is RADIUS authentication and accounting but in the actual firmware there isn't any option for setting the accounting port anymore.

==========

802.1X: RADIUS authentication and accounting,

==========

That's all not satisfactory for me!

Hope I could help you with that.

Alexander Wilke

Hi Alexander,

Thank you for the prompt answer.

I am not a newbie in network management, but I am a newbie in Cisco management. Maybe it is just a terminology problem on my side. From my point of view the following happens:

1. The SG300 asks the radius server whether the user is allowed to connect or not.

2. The radius server tells the SG300, that the user IS ALLOWED to connect, BUT

  a; either for a limited time (Session-Timeout), after that the user must reauthenticate

  b; or if the user is not creating any traffic for some time (Idle-Timeout), then he must reauthenticate.

Since the radius server sends this information to the SWITCH, the SWITCH must handle the connection accordingly. Neither the radius server nor any administration staff should do anything else about this. Since the switch does not drop the user after the timeouts I set, this means to me that the switch does not fully support radius authentication: again a thing which is not supported, but the datasheet says so.

For me accounting means a quite different thing: to keep track of which user used the system, for how long, when he was authenticated, which port he used, etc. I may be mistaken, but I think this has nothing to do with Session-Timeout and Idle-Timeout. But I do see that this version of the firmware does not support accounting either: it is funny (from your point of view: sad) that in the CLI guide (http://www.cisco.com/en/US/docs/switches/lan/csbms/sf30x_sg30x/administration_guide/CLI_Nikola300_1.1.pdf) the section about "Authentication, Authorization and Accounting (AAA)" does not have any commands about accounting...

BTW: Since we will have a quite complex network, I am going to write my own administration software for that: this software will manage the switches, users, departments and administration automatically, I do not want to manually configure so many switches (you know, there is a saying about mathematicians: they work very hard for days to save 5 minutes of work later. You can guess: I am a mathematician). It is quite easy to include accounting (if you mean the same by accounting as I do) in such software, I want to do that for our network too, and it would solve your problem. But this does not solve my problem. If Session-Timeout and Idle-Timeout do not work, I could use a command in the software to manually remove the authenticated user from the switch. But there is no such command (see my original post)...

I would very much like some Cisco person answering these questions. So far the Hungarian Cisco company was very helpful with allowing me to test this switch, but they could not help me with this problem, they directed me to this forum. I tried by phone, I tried on this site to "Open a case", but without paying for this support I cannot do that, and I am not going to pay for support for a switch that I do not own and am not going to be able to use. I wanted to recommend my University to buy about 17 of these SF300-48 or SG300-50 or similar switches (together with larger Cisco core switches: we will rebuild the whole network of a building), but I am not going to do that unless this problem is cleared. If I do not receive an answer within a week (I must return the switch to Cisco after the next week) I am going to try switches from other companies...

Update. I just received a reply to my question here: https://supportforums.cisco.com/thread/2125689. It is not an answer as yet, but I hope to receive that soon.

Best regards,

Geza
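The check behind both of Geza's posts (the original "freeradius -X" verification that the server sends Session-Timeout and Idle-Timeout of 30 s, and the two-step "server tells the switch, switch must enforce" description above) can be done on the wire rather than from server debug output. The following is an added example, not code from the thread or from the switch firmware: it builds a constructed Access-Accept using the shared secret from the posted running config, verifies the RFC 2865 Response Authenticator, and decodes attributes 27 and 28, so a defender can confirm what the NAS actually received before blaming either side. `REQUEST_AUTH`, `SAMPLE_ACCEPT` and `check_sample` are constructed here; in practice the request authenticator comes from the switch's captured Access-Request.

```python
import hashlib
import hmac
import struct

# RFC 2865 code and attribute types relevant to the thread.
ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27  # seconds a session may last before re-authentication
IDLE_TIMEOUT = 28     # seconds of inactivity before the NAS may drop the session

def int_attr(attr_type, value):
    """Encode a 4-byte integer attribute as Type/Length/Value."""
    return struct.pack("!BBI", attr_type, 6, value)

def build_access_accept(ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def parse_reply(packet, request_auth, secret):
    """Verify the Response Authenticator, then return (code, {attr type: raw value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[body[pos]] = body[pos + 2:pos + body[pos + 1]]
        pos += body[pos + 1]
    return code, attrs

def timeouts(attrs):
    """Return Session-Timeout / Idle-Timeout in seconds where present and well-formed."""
    wanted = (("Session-Timeout", SESSION_TIMEOUT), ("Idle-Timeout", IDLE_TIMEOUT))
    return {n: struct.unpack("!I", attrs[t])[0] for n, t in wanted if len(attrs.get(t, b"")) == 4}

# Constructed sample: the thread's secret and 30 s timeouts. REQUEST_AUTH stands in for the
# 16 random bytes the switch would have put in its Access-Request.
SECRET, REQUEST_AUTH = b"testing123", bytes(range(16))
SAMPLE_ACCEPT = build_access_accept(0x2A, REQUEST_AUTH, SECRET,
                                    [int_attr(SESSION_TIMEOUT, 30), int_attr(IDLE_TIMEOUT, 30)])

def check_sample(secret=SECRET):
    """Parse the sample reply under `secret`; ValueError means it failed verification."""
    return timeouts(parse_reply(SAMPLE_ACCEPT, REQUEST_AUTH, secret)[1])
```

`check_sample()` returns `{'Session-Timeout': 30, 'Idle-Timeout': 30}` for the constructed reply and raises under a wrong secret, which is the same distinction a switch must make before acting on the attributes.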