02-11-2019 07:30 AM - edited 03-08-2019 05:18 PM
I'm currently testing IOS 16.9 with IBNS2 network access config on a 9300-Series switch.
It seems that the session-timeout transmitted from Radius (ISE 2.4) is not triggering any re-authentication of the connected device.
I used/tested several ways to configure/assign the session timeout:
The behaviour is the same in all cases - timers are shown correctly in "show auth session xx det", but re-authentication is never triggered.
I merged the config from several guides into this:
policy-map type control subscriber ENT-IDENTITY-POL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   25 activate service-template CRITICAL-ACCESS
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 120
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10 retries 5 retry-time 120
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER-120
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
 event absolute-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event timer-expiry match-all
  10 class always do-until-failure
   10 clear-session
!
service-template IA-TIMER-120
 inactivity-timer 120 probe
authentication session shows timers applied correctly:
test#sh auth sess in g1/0/5 det
          Interface:  GigabitEthernet1/0/5
             IIF-ID:  0x11235107
        MAC Address:  7081.0512.3456
       IPv6 Address:  fe80::7281:5ff:fe12:3456
       IPv4 Address:  10.1.2.3
          User-Name:  70-81-05-12-34-56
             Status:  Authorized
             Domain:  DATA
     Oper host mode:  multi-domain
   Oper control dir:  both
    Session timeout:  N/A
  Common Session ID:  0484320A00000C33DCF1B6A4
    Acct Session ID:  0x00000068
             Handle:  0x7f00008f
     Current Policy:  ENT-IDENTITY-POL

Local Policies:
        Service Template: IA-TIMER-120 (priority 150)
           Idle timeout:  120 sec

Server Policies:
        Service Template: SE-TIMER-300 (priority 100)
        Session-Timeout:  300 sec

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
02-11-2019 09:02 AM
What do your AAA statements look like? Are you able to share any output from debug commands?
02-13-2019 04:43 AM
Authentication (after port down/up) works properly.
The timeout values from the server are successfully transferred to the switches and appear correctly in show commands.
The issue is that nothing happens if the timeout is overdue.
Here are the aaa lines:
aaa authentication suppress null-username
aaa authentication dot1x default group AUTH-RADIUS
aaa authorization network default group AUTH-RADIUS
aaa accounting suppress null-username
aaa accounting redundancy suppress system-record
aaa accounting dot1x default start-stop group AUTH-RADIUS
Which debug commands do you suggest?
02-13-2019 05:04 AM
02-13-2019 06:14 AM
Hi,
These two commands seem to be default in IOS16.9
test#sh run all | i vsa
radius-server vsa send accounting
radius-server vsa send authentication
Adding these commands again doesn't change the behaviour.
Why are you expecting that accounting vsas are needed to get local timers working?
02-13-2019 09:57 AM
05-01-2019 10:00 AM
Hello Andreas
How do u make sure the installed timeout doesn't trigger reauthen?
02-11-2021 11:46 PM
Had a similar issue on 9300 running 16.12.4: a locally defined service-template with absolute-timer in it was not taking effect.
Adding the following commands to the interface helped (even if the service-template was applied locally and not downloaded from ISE):
authentication periodic
authentication timer reauthenticate server
02-12-2021 01:59 AM
Hi Bram
I guess u confuse IBNS 1.0 syntax with that for IBNS 2.0. With the latter u unlikely have the opportunity to code periodic-reauthentication-relevant commands with access-session *.
08-11-2021 01:40 AM
Not sure what you mean?
I used the 'authentication' commands on the interface to have the ISE reauth timer take effect, whereas the rest of my config is IBNS 2.0.
Don't think there is a related 'access-session' command in IOS XE 16.12:
#access-session ?
  closed              Enable closed access on port (disabled by default, i.e. open access)
  control-direction   Set the control-direction on the interface
  host-mode           Set the Host mode for authentication on this interface
  interface-template  Set the local interface-template sticky
  port-control        Set the port-control value
08-14-2021 05:23 AM
Can u pls show how the entire interface config looks with both authen & access-sess commands?
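As an added example (not posted by anyone in this thread), here is one way an IBNS 2.0 interface can combine the access-session commands listed above with the two legacy-style reauthentication commands Bram reports as working on 16.12.4, so that the Session-Timeout returned by ISE actually expires the session; the interface, VLAN and tx-period values are assumptions, the policy-map name is the one posted earlier.

```cisco
! Added example, not from this thread. Interface, VLAN and tx-period are
! assumed; ENT-IDENTITY-POL is the control policy posted above.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 ! IBNS 2.0 style port settings (host mode matches the show output above)
 access-session host-mode multi-domain
 access-session port-control auto
 ! Periodic reauthentication driven by the Session-Timeout (here 300 sec)
 ! that the RADIUS server returns. As the thread reports, without these two
 ! lines the downloaded timer is displayed but never triggers a reauth,
 ! so a once-authorized endpoint keeps access until link down or inactivity.
 authentication periodic
 authentication timer reauthenticate server
 ! Authentication methods the control policy can invoke
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 spanning-tree portfast
 service-policy type control subscriber ENT-IDENTITY-POL
!
! Check: after a fresh authentication, "Session timeout:" in
!   show authentication sessions interface g1/0/5 details
! should report the server-supplied value instead of N/A.
```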