
New Member

802.1x, NAC

Does anyone know how to set the Dot1x re-auth timer using a Cisco VSA?

We have 802.1x + NAC running, and when the policy check fails the user is placed in a quarantine VLAN. We do this using a shared RAC (merged with group settings).

But, we want to lower the dot1x re-auth timer using this RAC instead of on the switch itself. Does anyone know the VSA radius config for this?

Thanks!

7 REPLIES
Silver

Re: 802.1x, NAC

AFAIK the only attribute that'll work is the IETF Session-Timeout.

Although depending on what else happens (eg audit), ACS may choose to override your value with a shorter one.

Darran

Cisco Employee

Re: 802.1x, NAC

Right, it's not a VSA, but a standard RADIUS Attribute. [27] and [29] are the attributes in question, and [27] is the session-timeout attribute as Darran points out. It can be configured in ACS via per-group or per-user authorization rules. Be sure to have the following port config on your switch to support this:

Switch(config-if)#dot1x timeout reauth-period server

Switch(config-if)#dot1x reauthentication

Hope this helps,

New Member

Re: 802.1x, NAC

We did use attributes 27 and 29, but the switch never showed the adjusted timers.

I think what we need is the "dot1x timeout reauth-period server" setting...

Thanks!!

Cisco Employee

Re: 802.1x, NAC

"show dot1x interface" will show you the current session, and how long it is before the next re-auth. And you need to turn on "dot1x reauthentication" on the port to begin with (it's not enabled by default). Then, you need the command koksm referred to, "dot1x timeout reauth-period server", to tell the port to only do re-auth from AAA via RADIUS Attributes [27] and [29] (as opposed to a local static timer).

New Member

Re: 802.1x, NAC

We used "show dot1x interface" to monitor the session. That is how we found out that it didn't work.

We also turned on dot1x reauthentication, but we forgot the "dot1x timeout reauth-period server" command.

Thanks again, this will help!

Silver

Re: 802.1x, NAC

Hi Jason

I remember having discussions with someone about this. I thought there should be two timeouts.

1) for re-authentication (as is)

2) for forced FULL authentication from scratch

Some customers are happy to let fast session resume handle frequent rekey authentications... But want to enforce a full re-auth (perhaps back to a token server) at least once a day.

Is this possible by some other means?

Darran

Cisco Employee

Re: 802.1x, NAC

Hey Darran:

Yes, this would be the value you may choose for RADIUS Attribute[29]. Hate to quote the RFC, but switches can do exactly what 3580 calls for in this regard:

***

3.19. Termination-Action

This attribute indicates what action should be taken when the service is completed. The value RADIUS-Request (1) indicates that re-authentication should occur on expiration of the Session-Time. The value Default (0) indicates that the session should terminate.

***

So, in combination with Attribute[27], here's a decoder ring:

1) [027] Session-Timeout by itself: it will act as if [029] Termination-Action = "Default", so it should terminate the session (i.e. forced full re-auth from scratch).

2) [027] Session-Timeout + [029] Termination-Action = "Default": same as above (i.e. forced full re-auth from scratch).

3) [027] Session-Timeout + [029] Termination-Action = "RADIUS-Request": the session should get re-auth'd (i.e. re-auth as is).

Hope this helps,
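To make the decoder ring above concrete, here is an added example (not from the thread, not Cisco or ACS code) that builds a RADIUS Access-Accept carrying Session-Timeout (27) and Termination-Action (29), verifies the Response Authenticator the way a switch would, and then applies the RFC 3580 rule to decide whether the expiry means a re-authentication or a full session teardown. The shared secret, Request Authenticator and attribute values are constructed for the example; the packet layout and Response Authenticator formula are those of RFC 2865.

```python
"""Encode/decode RADIUS attributes 27 (Session-Timeout) and 29
(Termination-Action) and apply the RFC 3580 expiry rule.
Added example with constructed data, not a capture from a real ACS."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27       # IETF attribute, integer seconds
TERMINATION_ACTION = 29    # IETF attribute, integer enum
TA_DEFAULT = 0             # terminate session -> full re-auth from scratch
TA_RADIUS_REQUEST = 1      # re-authenticate when the timer expires

# Constructed values for the example (hypothetical secret and request auth).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5: Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_int_attr(attr_type: int, value: int) -> bytes:
    return encode_attr(attr_type, struct.pack("!I", value))


def build_access_accept(identifier: int, request_auth: bytes,
                        secret: bytes, attrs: bytes) -> bytes:
    """RFC 2865 section 3: ResponseAuth =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV list; reject truncated or zero-length attributes."""
    attrs, offset = {}, 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", data[offset:offset + 2])
        if length < 2 or offset + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[offset + 2:offset + length]
        offset += length
    return attrs


def verify_access_accept(packet: bytes, request_auth: bytes,
                         secret: bytes) -> dict:
    """Check the Response Authenticator before trusting any attribute."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    return parse_attrs(attrs)


def reauth_behaviour(attrs: dict) -> tuple:
    """Return (seconds, action) per RFC 3580 section 3.19 and the thread's
    decoder ring: a missing [29] is treated as Default (terminate)."""
    if SESSION_TIMEOUT not in attrs:
        return (None, "no timer from AAA; port falls back to its local reauth-period")
    seconds = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    action = TA_DEFAULT
    if TERMINATION_ACTION in attrs:
        action = struct.unpack("!I", attrs[TERMINATION_ACTION])[0]
    if action == TA_RADIUS_REQUEST:
        return (seconds, "re-authenticate (RADIUS-Request)")
    return (seconds, "terminate session; full authentication from scratch (Default)")


def demo() -> list:
    """Run the three decoder-ring cases end to end and return the decisions."""
    cases = [
        encode_int_attr(SESSION_TIMEOUT, 300),
        encode_int_attr(SESSION_TIMEOUT, 300) + encode_int_attr(TERMINATION_ACTION, TA_DEFAULT),
        encode_int_attr(SESSION_TIMEOUT, 300) + encode_int_attr(TERMINATION_ACTION, TA_RADIUS_REQUEST),
    ]
    results = []
    for ident, attrs in enumerate(cases, start=1):
        pkt = build_access_accept(ident, REQUEST_AUTHENTICATOR, SECRET, attrs)
        results.append(reauth_behaviour(verify_access_accept(pkt, REQUEST_AUTHENTICATOR, SECRET)))
    return results


if __name__ == "__main__":
    for n, (secs, action) in enumerate(demo(), start=1):
        print(f"case {n}: Session-Timeout={secs} -> {action}")
```

The verification step matters on the switch side: an attacker on the path between switch and ACS who can inject an Access-Accept with a very long Session-Timeout (or one that omits it, pushing the port back to its local timer) could keep a quarantined host authorized longer than intended, and only the Response Authenticator check with the correct shared secret prevents that reply from being accepted.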
