wired dot1X session termination

yong khang NG
Level 5

Hi all,

Question about wired dot1X session termination.

After a client has successfully completed wired dot1x authentication, my authZ rule is followed by the VLAN assignment, whereby the DHCP server will provision a client IP to the PC.

But when the client does these 2 actions:
01. after getting connected, disable the IEEE 802.1x option in the PC Ethernet port settings
02. after getting connected, disable, then enable the PC Ethernet port (bouncing)

I found out that these 2 actions will still leave the user in the authorized state, because it is not a link-down or port-bounce action. The session still persists at the client PC.

My question:
Is there anything I can configure either on the switch or ISE that will automatically trigger an action like sending an EAPOL-Logoff message, causing the switch port to change to the unauthorized state?

Thanks

Components in use:

client OS: Windows 7
PEAP-MSCHAPv2
authentication mode: user or computer authentication
no check on single sign-on
no check on remember credentials for connection each time logged on
no check on fallback to unauthorized network access

ISE 1.1.3 with patch 4

Switchport configuration
interface G0/1
switchport mode access
switchport access vlan 61
authentication port-control auto
dot1x pae authenticator
authentication host-mode multi-auth
authentication order dot1x
authentication priority dot1x mab
no shutdown
end

3 Replies

nspasov
Cisco Employee

For #2 - The session should terminate and restart if the Ethernet adapter on the PC bounces. Are you saying that even though the user disables/enables the adapter, the session remains active in ISE/NAD?

For #1 - I am not really sure as I have never played with this before. My guess would be "No" because once ISE sends the "Access Accept" back to the NAD (your switch in this scenario), the NAD won't know if you are disabling 802.1x. The EAPoL conversation already took place so there is no more 802.1x type traffic coming in and out of the NAD/Client on that port. 

I suppose you can set a re-auth and inactivity timer on both the NAD and ISE, but keep in mind that it is not recommended for those timers to be set at low values (minimum 1 hour). Otherwise you could overwhelm your ISE servers depending on how large your environment is.

You will need to add the following commands on the switchport:

authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server

Then in ISE you will need to set the re-auth and the idle timers under the "Authorization Profile"

Another thing to keep in mind is that you should control what your users can and cannot do on their workstations via GPO (Group Policy). In normal circumstances a regular user should not have the privileges to disable 802.1x or their Ethernet adapter :)

Hope this helps!

Thank you for rating helpful posts!
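The reply above is the core of the thread: without `authentication periodic` and server-driven reauthenticate/inactivity timers, an authorized session on a Cisco switchport can outlive the supplicant that created it. The following Python script is an added example written for this page, not code from the thread or from Cisco; it audits `show running-config` text for dot1x ports that lack those three commands and builds the RADIUS timer attributes (Session-Timeout, Idle-Timeout, Termination-Action) that an ISE Authorization Profile would have to return, enforcing the one-hour floor the reply recommends. The config snippets are constructed from the poster's stanza (`GigabitEthernet0/1` is the expanded form of the `G0/1` the poster typed); the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed "show running-config" excerpt: the poster's stanza as posted,
# with no re-authentication or inactivity timers at all.
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 61
 authentication port-control auto
 dot1x pae authenticator
 authentication host-mode multi-auth
 authentication order dot1x
 authentication priority dot1x mab
 no shutdown
!
"""

# Commands from the reply that make the switch honour timers sent by ISE.
REQUIRED_TIMER_COMMANDS = (
    "authentication periodic",
    "authentication timer reauthenticate server",
    "authentication timer inactivity server",
)

# Constructed hardened version: the same stanza plus the three commands.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    " no shutdown\n",
    "".join(f" {c}\n" for c in REQUIRED_TIMER_COMMANDS) + " no shutdown\n",
)

# Reply's guidance: do not set re-auth / idle timers below one hour.
MIN_TIMER_SECONDS = 3600


def parse_interfaces(running_config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if re.match(r"^interface\s+\S+", line):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith("!") or not line.strip():
            current = None  # end of the interface stanza
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def is_dot1x_port(commands: List[str]) -> bool:
    """A port participates in 802.1X when port-control is set to auto."""
    return "authentication port-control auto" in commands


def missing_timer_commands(commands: List[str]) -> List[str]:
    """Return the recommended timer commands absent from one interface."""
    return [c for c in REQUIRED_TIMER_COMMANDS if c not in commands]


def audit(running_config: str) -> Dict[str, List[str]]:
    """Map each dot1x port to the timer commands it is missing.

    A port that appears here keeps an authorized session indefinitely once
    EAPOL traffic stops, which is the behaviour the original question describes.
    """
    findings: Dict[str, List[str]] = {}
    for name, commands in parse_interfaces(running_config).items():
        if is_dot1x_port(name and commands):
            missing = missing_timer_commands(commands)
            if missing:
                findings[name] = missing
    return findings


def ise_timer_attributes(reauth_seconds: int, idle_seconds: int) -> Dict[str, object]:
    """Build the standard RADIUS attributes an ISE Authorization Profile returns
    in the Access-Accept so the 'server' timers on the switch take effect.

    Session-Timeout (27) and Idle-Timeout (28) are in seconds;
    Termination-Action (29) = RADIUS-Request tells the NAD to re-authenticate
    rather than tear the session down when Session-Timeout expires.
    """
    for label, value in (("reauth", reauth_seconds), ("idle", idle_seconds)):
        if value < MIN_TIMER_SECONDS:
            raise ValueError(f"{label} timer {value}s is below the {MIN_TIMER_SECONDS}s minimum")
    return {
        "Session-Timeout": reauth_seconds,
        "Idle-Timeout": idle_seconds,
        "Termination-Action": "RADIUS-Request",
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
    print(ise_timer_attributes(3600, 3600))
```

Running it reports `GigabitEthernet0/1` with all three commands missing for the weak stanza and nothing for the hardened one; feeding it a real `show running-config` is the quickest way to find ports that were cut over to 802.1X without periodic re-authentication.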

Hi

Thanks for the suggestions.

I will give all the suggestions a try.

Thanks

No problem. Give it a try and let us know. 
