I'm currently testing IOS 16.9 with IBNS 2.0 network access config on a 9300-Series switch.
It seems that the session-timeout transmitted from Radius (ISE 2.4) is not triggering any re-authentication of the connected device.
I used/tested several ways to configure/assign the session timeout:
The behaviour is the same in all cases: timers are shown correctly in "show auth session xx det", but re-authentication is never triggered.
I merged the config from several guides into this:
policy-map type control subscriber ENT-IDENTITY-POL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   25 activate service-template CRITICAL-ACCESS
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 120
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot priority 10 retries 5 retry-time 120
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER-120
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
 event absolute-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event timer-expiry match-all
  10 class always do-until-failure
   10 clear-session
!
service-template IA-TIMER-120
 inactivity-timer 120 probe
authentication session shows timers applied correctly:
test#sh auth sess in g1/0/5 det
            Interface:  GigabitEthernet1/0/5
               IIF-ID:  0x11235107
          MAC Address:  7081.0512.3456
         IPv6 Address:  fe80::7281:5ff:fe12:3456
         IPv4 Address:  10.1.2.3
            User-Name:  70-81-05-12-34-56
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
      Session timeout:  N/A
    Common Session ID:  0484320A00000C33DCF1B6A4
      Acct Session ID:  0x00000068
               Handle:  0x7f00008f
       Current Policy:  ENT-IDENTITY-POL

Local Policies:
        Service Template: IA-TIMER-120 (priority 150)
          Idle timeout:  120 sec

Server Policies:
        Service Template: SE-TIMER-300 (priority 100)
       Session-Timeout:  300 sec

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
Authentication (after port down/up) works properly.
The timeout values from the server are successfully transferred to the switches and appear correctly in show commands.
The issue is that nothing happens if the timeout is overdue.
Here are the aaa lines:
aaa authentication suppress null-username
aaa authentication dot1x default group AUTH-RADIUS
aaa authorization network default group AUTH-RADIUS
aaa accounting suppress null-username
aaa accounting redundancy suppress system-record
aaa accounting dot1x default start-stop group AUTH-RADIUS
Which debug commands do you suggest?
These two commands seem to be default in IOS 16.9:
test#sh run all | i vsa
radius-server vsa send accounting
radius-server vsa send authentication
Adding these commands again doesn't change the behaviour.
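As an added example (not from this thread or from Cisco), a small Python checker that parses the field layout of the "show authentication sessions ... detail" output quoted above and flags exactly the symptom described: a Session-Timeout listed under Server Policies while the session header still reads N/A, meaning no periodic reauthentication timer is armed. The sample output below is constructed; only the field names follow the real output.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample modelled on the "show authentication sessions ... detail"
# output quoted above; the field layout is real, the values are made up.
SAMPLE = """\
Interface: GigabitEthernet1/0/5
Session timeout: N/A
Local Policies:
 Service Template: IA-TIMER-120 (priority 150)
 Idle timeout: 120 sec
Server Policies:
 Service Template: SE-TIMER-300 (priority 100)
 Session-Timeout: 300 sec
Method status list:
 mab Authc Success
"""
@dataclass
class AuthSession:
    interface: str = ""
    session_timeout: str = ""                     # header value; "N/A" = no reauth timer armed
    server_session_timeout: Optional[int] = None  # seconds, from the Server Policies block
    local_idle_timeout: Optional[int] = None      # seconds, from the Local Policies block

def parse_session(text: str) -> AuthSession:
    s, section = AuthSession(), "header"
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):          # "Local Policies:", "Server Policies:", ...
            section = line[:-1]
            continue
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip().lower().replace("-", " "), val.strip()
        if section == "header" and key == "interface":
            s.interface = val
        elif section == "header" and key == "session timeout":
            s.session_timeout = val
        elif section == "Server Policies" and key == "session timeout":
            s.server_session_timeout = int(val.split()[0])   # "300 sec" -> 300
        elif section == "Local Policies" and key == "idle timeout":
            s.local_idle_timeout = int(val.split()[0])
    return s

def audit(s: AuthSession) -> List[str]:
    # Symptom from the thread: server timeout stored, but header still N/A, so no reauth fires.
    if s.server_session_timeout and s.session_timeout in ("", "N/A"):
        return [f"{s.interface}: Session-Timeout={s.server_session_timeout}s received "
                "from server but no reauthentication timer is armed"]
    return []
```

Run it over the output of every access port (one session block per call) to find sessions whose RADIUS-supplied timeout will never trigger reauthentication.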
Why are you expecting that accounting vsas are needed to get local timers working?
Had a similar issue on 9300 running 16.12.4: a locally defined service-template with absolute-timer in it was not taking effect.
Adding the following command to the interface helped (even if the service-template was applied locally and not downloaded from ISE):
authentication timer reauthenticate server
I guess you confuse IBNS 1.0 syntax with that for IBNS 2.0. With the latter you are unlikely to have the opportunity to code periodic reauthentication relevant commands with access-session *.