We are deploying 802.1X in our network and have encountered a problem with a type of payment terminal. The problem is that the terminal does not 'speak' to the network after the initial DHCP request; the terminal waits for incoming packets from a counter to start the payment process. After the idle time the MAC is flushed from the switch and the port is not authorized any more.
To solve this we set 'authentication control-direction in' on the port and use 'ip device tracking' to keep the client on the network; ip device tracking sends an ARP request to the clients every 30 seconds.
Our ISE is sending Radius:Idle-Timeout = 300 and the timer starts to count down when the client is authenticated.
In Wireshark, I can see that the ARP request is going out and the ARP reply coming back in, but this does not update the inactivity timer for the client. So after 5 minutes the port is gone, and there is no way to get the port up again from the network. Traffic from the client brings up the network.
This looks like a bug to me. Has anyone seen this, or similar behaviour?
ISE 1.2p6, IOS 12.2(55)SE6
From the TrustSec 1.99 Wired 802.1X Deployment Guide:
Tip: Enable IP Device Tracking with inactivity timers to keep quiet endpoints connected. When IP Device Tracking is enabled, the switch periodically sends ARP probes to endpoints in the IP Device Tracking table (which is initially populated by DHCP requests or ARP from the endpoint). As long as the endpoint is connected and responds to these probes, the inactivity timer is not triggered and the endpoint is not inadvertently removed from the network.
From CLI output:

SW03#sh auth sessions int fa0/4
            Interface:  FastEthernet0/4
          MAC Address:  xxxx.xxxx.5289
           IP Address:  10.10.10.64
            User-Name:  XX-XX-XX-XX-52-89
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  300s (server), Remaining: 2s
    Common Session ID:  0A17BD07000000A925152A7B
      Acct Session ID:  0x00000458
               Handle:  0x090000A9

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

SW03#
SW03#
SW03#
SW03#sh auth sessions int fa0/4
            Interface:  FastEthernet0/4
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A17BD07000000AA251A0019
      Acct Session ID:  0x00000462
               Handle:  0x800000AA

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run
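The two snapshots above show the failure mode in the data itself: the first has a server-supplied idle timer two seconds from expiry and an operational control direction of "both" even though "in" was configured; the second is the re-initialized port with no MAC and no authorized session. The following is an added example, not code from the original post or from Cisco, that parses `show authentication sessions interface` output modelled on those snapshots (the sample text is constructed from the post; the MAC and session IDs are placeholders) and reports the conditions a monitoring job would want to catch before a quiet endpoint is dropped. The function names, the expected control direction and the 60-second warning threshold are my own choices.

```python
import re

# Constructed sample 1: authorized session with the server idle timer almost expired
# (modelled on the first snapshot in the post; MAC and IDs are placeholders).
SAMPLE_AUTHZ = """\
            Interface:  FastEthernet0/4
          MAC Address:  xxxx.xxxx.5289
           IP Address:  10.10.10.64
            User-Name:  XX-XX-XX-XX-52-89
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  300s (server), Remaining: 2s
    Common Session ID:  0A17BD07000000A925152A7B
      Acct Session ID:  0x00000458
               Handle:  0x090000A9

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# Constructed sample 2: the same port after the session was torn down
# (modelled on the second snapshot in the post).
SAMPLE_RUNNING = """\
            Interface:  FastEthernet0/4
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A17BD07000000AA251A0019
      Acct Session ID:  0x00000462
               Handle:  0x800000AA

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run
"""

# "<label>:  <value>" lines of the session block; the label is non-greedy so that
# values containing a colon (e.g. "Remaining: 2s") are kept whole.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")
# "300s (server), Remaining: 2s" or "300s (local)" forms of the Idle timeout value.
IDLE_RE = re.compile(r"(\d+)s \((\w+)\)(?:, Remaining: (\d+)s)?")


def parse_session(text):
    """Split one interface's output into a dict of fields and a dict of method states."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        if in_methods:
            parts = line.split(None, 1)          # "dot1x    Failed over" -> ["dot1x", "Failed over"]
            if len(parts) == 2 and parts[0] != "Method":
                methods[parts[0]] = parts[1].strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return {"fields": fields, "methods": methods}


def parse_idle(value):
    """'300s (server), Remaining: 2s' -> (300, 'server', 2); 'N/A' -> None."""
    m = IDLE_RE.search(value)
    if not m:
        return None
    remaining = int(m.group(3)) if m.group(3) else None
    return int(m.group(1)), m.group(2), remaining


def check_session(session, expected_control_dir="in", warn_below=60):
    """Return human-readable findings for one parsed session (empty list = healthy)."""
    f = session["fields"]
    mac = f.get("MAC Address", "Unknown")
    findings = []
    if f.get("Status") != "Authz Success":
        # Port is re-initializing or unauthenticated: nothing else is meaningful.
        findings.append("session not authorized (Status: %s, MAC: %s)" % (f.get("Status", "unknown"), mac))
        return findings
    oper_dir = f.get("Oper control dir")
    if oper_dir and oper_dir != expected_control_dir:
        # Configured direction and operational direction differ; with "both" the port
        # will not pass traffic toward an unauthenticated endpoint.
        findings.append("control direction operates as '%s', expected '%s'" % (oper_dir, expected_control_dir))
    idle = parse_idle(f.get("Idle timeout", ""))
    if idle:
        total, source, remaining = idle
        if remaining is not None and remaining < warn_below:
            findings.append("idle timer from %s (%ds) expires in %ds; quiet endpoint %s will be dropped"
                            % (source, total, remaining, mac))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_AUTHZ, SAMPLE_RUNNING):
        for finding in check_session(parse_session(sample)) or ["ok"]:
            print(finding)
```

Feeding the output of `show authentication sessions interface <if>` into `check_session` on a schedule (before the server idle timer can elapse) turns the symptom in the post into an alert instead of a dead port; the "expires in" finding fires well before the two seconds seen in the first snapshot, and the "not authorized" finding is what the second snapshot produces.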
Basically your port security is clashing with dot1x. I had this exact problem a while ago and removing the above command will fix it. Ultimately, though, you should review the need for port security configurations when using dot1x; it kind of achieves the same purpose.