02-11-2019 07:30 AM - edited 03-08-2019 05:18 PM
I'm currently testing IOS 16.9 with IBNS2 network access config on a 9300-Series switch.
It seems that the session-timeout transmitted from Radius (ISE 2.4) is not triggering any re-authentication of the connected device.
I used/tested several ways to configure/assign the session timeout:
The behaviour is the same in all cases - timers are shown correctly in "show auth session xx det", but re-authentication is never triggered.
I merged the config from several guides into this:
policy-map type control subscriber ENT-IDENTITY-POL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event authentication-failure match-first
  10 class AAA_SVR_DOWN_UNAUTHD_HOST do-until-failure
   10 activate service-template CRITICAL_AUTH_VLAN
   20 activate service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
   25 activate service-template CRITICAL-ACCESS
   30 authorize
   40 pause reauthentication
  20 class AAA_SVR_DOWN_AUTHD_HOST do-until-failure
   10 pause reauthentication
   20 authorize
  30 class always do-until-failure
   10 terminate dot1x
   20 terminate mab
   30 authentication-restart 120
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10 retries 5 retry-time 120
 event authentication-success match-all
  10 class always do-until-failure
   10 activate service-template IA-TIMER-120
 event aaa-available match-all
  10 class IN_CRITICAL_AUTH do-until-failure
   10 clear-session
  20 class NOT_IN_CRITICAL_AUTH do-until-failure
   10 resume reauthentication
 event inactivity-timeout match-all
  10 class always do-until-failure
   10 unauthorize
 event absolute-timeout match-all
  10 class always do-until-failure
   10 clear-session
 event timer-expiry match-all
  10 class always do-until-failure
   10 clear-session
!
service-template IA-TIMER-120
 inactivity-timer 120 probe
The authentication session shows the timers applied correctly:
test#sh auth sess in g1/0/5 det
Interface: GigabitEthernet1/0/5
IIF-ID: 0x11235107
MAC Address: 7081.0512.3456
IPv6 Address: fe80::7281:5ff:fe12:3456
IPv4 Address: 10.1.2.3
User-Name: 70-81-05-12-34-56
Status: Authorized
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 0484320A00000C33DCF1B6A4
Acct Session ID: 0x00000068
Handle: 0x7f00008f
Current Policy: ENT-IDENTITY-POL
Local Policies:
Service Template: IA-TIMER-120 (priority 150)
Idle timeout: 120 sec
Server Policies:
Service Template: SE-TIMER-300 (priority 100)
Session-Timeout: 300 sec
Method status list:
Method State
dot1x Stopped
mab Authc Success
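The "show authentication sessions ... detail" output above can be checked programmatically for the symptom described in this post. The following Python script is an added example (not from the thread and not Cisco code): it parses the detail output into per-session fields, keeping top-level, Local Policies and Server Policies fields apart, and flags any session where a server-supplied Session-Timeout is installed while the session's own "Session timeout" still reads N/A. The sample output embedded in it is constructed to resemble the post's, with a second, healthy session added; the "Session timeout: 300s (server), Remaining: 118s" format on that second session is an assumption.

```python
from typing import Dict, List

# Constructed sample, modelled on the "show authentication sessions ... detail"
# output posted in the thread. Addresses, session IDs and the second (healthy)
# session are made up for the example.
SAMPLE_SHOW_AUTH = """\
Interface: GigabitEthernet1/0/5
IIF-ID: 0x11235107
MAC Address: 7081.0512.3456
IPv4 Address: 10.1.2.3
Status: Authorized
Domain: DATA
Session timeout: N/A
Common Session ID: 0484320A00000C33DCF1B6A4
Current Policy: ENT-IDENTITY-POL
Local Policies:
Service Template: IA-TIMER-120 (priority 150)
Idle timeout: 120 sec
Server Policies:
Service Template: SE-TIMER-300 (priority 100)
Session-Timeout: 300 sec
Method status list:
Method State
dot1x Stopped
mab Authc Success
Interface: GigabitEthernet1/0/6
MAC Address: 0011.2233.4455
Status: Authorized
Domain: DATA
Session timeout: 300s (server), Remaining: 118s
Common Session ID: 0484320A00000C34DCF1B6A5
Current Policy: ENT-IDENTITY-POL
Server Policies:
Service Template: SE-TIMER-300 (priority 100)
Session-Timeout: 300 sec
Method status list:
Method State
mab Authc Success
"""


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split the show output into one dict per session.

    Top-level fields keep their own name ("Session timeout"); fields under
    "Local Policies:" / "Server Policies:" get a "local." / "server." prefix
    so the armed session timer and the server-supplied Session-Timeout do
    not collide; method rows become "method.<name>" -> state.
    """
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):      # a new session block starts here
            if current:
                sessions.append(current)
            current, prefix = {}, ""
        if line == "Local Policies:":
            prefix = "local."
            continue
        if line == "Server Policies:":
            prefix = "server."
            continue
        if line == "Method status list:":
            prefix = "method."
            continue
        if ": " in line:
            key, value = line.split(": ", 1)
            current[prefix + key.strip()] = value.strip()
        elif prefix == "method." and line != "Method State":
            method, state = line.split(None, 1)
            current["method." + method] = state
    if current:
        sessions.append(current)
    return sessions


def reauth_findings(session: Dict[str, str]) -> List[str]:
    """Flag the symptom from the thread: a server Session-Timeout is installed
    but no session timer is armed, so the switch will never re-authenticate
    the endpoint on that timer."""
    findings: List[str] = []
    server_timeout = session.get("server.Session-Timeout")
    armed = session.get("Session timeout", "N/A")
    if server_timeout and armed.upper() == "N/A":
        findings.append(
            f"{session.get('Interface')}: server Session-Timeout {server_timeout} "
            "installed but no session timer armed (reauth will not fire)"
        )
    return findings


def audit(text: str) -> List[str]:
    """Run the check over every session in a show output."""
    out: List[str] = []
    for session in parse_sessions(text):
        out.extend(reauth_findings(session))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_AUTH):
        print(finding)
```

Feeding the real output of "show authentication sessions detail" (all ports) into audit() lists every port where the server timer was accepted but never armed, which is the state to watch for after a change to the subscriber policy or the ISE authorization profile.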
02-11-2019 09:02 AM
What do your AAA statements look like? Are you able to share any output from debug commands?
02-13-2019 04:43 AM
Authentication (after port down/up) works properly.
The timeout values from the server are successfully transferred to the switches and appear correctly in show commands.
The issue is that nothing happens if the timeout is overdue.
Here are the aaa lines:
aaa authentication suppress null-username
aaa authentication dot1x default group AUTH-RADIUS
aaa authorization network default group AUTH-RADIUS
aaa accounting suppress null-username
aaa accounting redundancy suppress system-record
aaa accounting dot1x default start-stop group AUTH-RADIUS
Which debug commands do you suggest?
02-13-2019 05:04 AM
02-13-2019 06:14 AM
Hi,
These two commands seem to be default in IOS 16.9:
test#sh run all | i vsa
radius-server vsa send accounting
radius-server vsa send authentication
Adding these commands again doesn't change the behaviour.
Why are you expecting that accounting vsas are needed to get local timers working?
02-13-2019 09:57 AM
05-01-2019 10:00 AM
Hello Andreas
How do you make sure the installed timeout doesn't trigger reauthentication?
02-11-2021 11:46 PM
Had a similar issue on 9300 running 16.12.4: a locally defined service-template with absolute-timer in it was not taking effect.
Adding the following commands to the interface helped (even if the service-template was applied locally and not downloaded from ISE):
authentication periodic
authentication timer reauthenticate server
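As an added example (not Bram's code and not Cisco code), this Python script audits a running-config for the workaround described in this post: it lists every interface that carries an IBNS 2.0 subscriber service-policy but lacks "authentication periodic" or "authentication timer reauthenticate server". The running-config excerpt, the interface names and the policy-map name are constructed placeholders, and the check reports only what this post describes as helping on that switch.

```python
from typing import Dict, List, Optional

# Constructed running-config excerpt (not from the thread's switch).
# Interface names and the policy-map name are placeholders.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/5
 switchport mode access
 access-session host-mode multi-domain
 access-session port-control auto
 mab
 dot1x pae authenticator
 service-policy type control subscriber ENT-IDENTITY-POL
!
interface GigabitEthernet1/0/6
 switchport mode access
 access-session host-mode multi-domain
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 service-policy type control subscriber ENT-IDENTITY-POL
!
interface GigabitEthernet1/0/48
 description uplink, no NAC
 switchport mode trunk
!
"""

# The two interface lines this post reports as making the reauth timer take effect.
REQUIRED_REAUTH_LINES = (
    "authentication periodic",
    "authentication timer reauthenticate server",
)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented config lines]} from a running-config."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or any other top-level line ends the interface block
    return interfaces


def missing_reauth_commands(config: str) -> Dict[str, List[str]]:
    """For every interface carrying an IBNS 2.0 subscriber policy, list which of
    the reauth-related lines from this post's workaround are absent."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("service-policy type control subscriber") for l in lines):
            continue  # not a NAC port, nothing to check
        missing = [cmd for cmd in REQUIRED_REAUTH_LINES if cmd not in lines]
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    for name, missing in missing_reauth_commands(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name}: missing {', '.join(missing)}")
```

The script keys on the service-policy line rather than on "access-session" or "dot1x pae authenticator" so that only ports actually driven by the subscriber policy-map are reported; the uplink in the sample is skipped for that reason.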
02-12-2021 01:59 AM
Hi Bram
I guess you confuse IBNS 1.0 syntax with that for IBNS 2.0. With the latter you are unlikely to have the opportunity to code periodic-reauthentication-relevant commands with access-session *.
08-11-2021 01:40 AM
Not sure what you mean?
I used the 'authentication' commands on the interface to have the ISE reauth timer take effect, whereas the rest of my config is IBNS 2.0.
Don't think there is a related 'access-session' command in IOS XE 16.12:
#access-session ?
  closed              Enable closed access on port (disabled by default, i.e. open access)
  control-direction   Set the control-direction on the interface
  host-mode           Set the Host mode for authentication on this interface
  interface-template  Set the local interface-template sticky
  port-control        Set the port-control value
08-14-2021 05:23 AM
Can you please show how the entire interface config looks with both authen & access-sess commands?