Session Timeout for dot1x not working on IOS 16.9 on 9300 Series Switch

I'm currently testing IOS 16.9 with IBNS2 network access config on a 9300-Series switch.

It seems that the session-timeout transmitted from Radius (ISE 2.4) is not triggering any re-authentication of the connected device.

 

I used/tested several ways to configure/assign the session timeout:

  • local service-template
  • service-template assigned by ise
  • session timeout value set with cisco av-pair
  • using re-authentication checkbox in ISE

The behaviour is the same in all cases - timers are shown correctly in "show auth session xx det", but re-authentication is never triggered.

 

I merged the config from several guides into this:

policy-map type control subscriber ENT-IDENTITY-POL
  event session-started match-all
    10 class always do-until-failure
     10 authenticate using dot1x priority 10
     20 authenticate using mab priority 20
  event authentication-failure match-first
    10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
     10 activate service-template CRITICAL_AUTH_VLAN
     20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     25 activate service-template CRITICAL-ACCESS
     30 authorize
     40 pause reauthentication
    20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
     10 pause reauthentication
     20 authorize
    30 class always do-until-failure
     10 terminate dot1x
     20 terminate mab
     30 authentication-restart 120
  event agent-found match-all
    10 class always do-until-failure
     10 terminate mab
     20 authenticate using dot1x priority 10 retries 5 retry-time 120
  event authentication-success match-all
    10 class always do-until-failure
     10 activate service-template IA-TIMER-120
  event aaa-available match-all
    10 class IN_CRITICAL_AUTH do-until-failure
     10 clear-session
    20 class NOT_IN_CRITICAL_AUTH do-until-failure
     10 resume reauthentication
  event inactivity-timeout match-all
    10 class always do-until-failure
     10 unauthorize
  event absolute-timeout match-all
    10 class always do-until-failure
     10 clear-session
  event timer-expiry match-all
    10 class always do-until-failure
     10 clear-session
!
service-template IA-TIMER-120
 inactivity-timer 120 probe

The authentication session shows the timers applied correctly:

test#sh auth sess in g1/0/5 det
            Interface:  GigabitEthernet1/0/5
               IIF-ID:  0x11235107
          MAC Address:  7081.0512.3456
         IPv6 Address:  fe80::7281:5ff:fe12:3456
         IPv4 Address:  10.1.2.3
            User-Name:  70-81-05-12-34-56
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0484320A00000C33DCF1B6A4
      Acct Session ID:  0x00000068
               Handle:  0x7f00008f
       Current Policy:  ENT-IDENTITY-POL


Local Policies:
        Service Template: IA-TIMER-120 (priority 150)
         Idle timeout: 120 sec

Server Policies:
        Service Template: SE-TIMER-300 (priority 100)
      Session-Timeout: 300 sec


Method status list:
       Method           State
        dot1x           Stopped
          mab           Authc Success

 

5 REPLIES

Re: Session Timeout for dot1x not working on IOS 16.9 on 9300 Series Switch

What do your AAA statements look like? Are you able to share any output from debug commands?


Re: Session Timeout for dot1x not working on IOS 16.9 on 9300 Series Switch

Authentication (after port down/up) works properly.

The timeout values from the server are successfully transferred to the switches and appear correctly in show commands.

The issue is that nothing happens if the timeout is overdue.

 

Here are the aaa lines:

aaa authentication suppress null-username
aaa authentication dot1x default group AUTH-RADIUS
aaa authorization network default group AUTH-RADIUS
aaa accounting suppress null-username
aaa accounting redundancy suppress system-record
aaa accounting dot1x default start-stop group AUTH-RADIUS

Which debug commands do you suggest?


Re: Session Timeout for dot1x not working on IOS 16.9 on 9300 Series Switch

Please ensure you have the following enabled:
radius-server vsa send accounting
radius-server vsa send authentication
sh run all | i vsa will verify.

Test again.

Re: Session Timeout for dot1x not working on IOS 16.9 on 9300 Series Switch

Hi,

These two commands seem to be default in IOS 16.9.

 

test#sh run all | i vsa
radius-server vsa send accounting
radius-server vsa send authentication

Adding these commands again doesn't change the behaviour.

Why are you expecting that accounting vsas are needed to get local timers working?


Re: Session Timeout for dot1x not working on IOS 16.9 on 9300 Series Switch

Sorry for the confusion, I was attempting to troubleshoot ISE to NAD stuff.
Can you share output from the following upon a reauth failure due to timers expiring?
debug aaa authentication
debug radius
This may help with your statement: The issue is that nothing happens if the timeout is overdue.