Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2382
Views
0
Helpful
0
Replies

Catalyst 3560 dot1x reauthentication timers?

andrew.butterworth
Level 7
Level 7

‎03-18-2009 04:33 PM - edited ‎03-06-2019 04:41 AM

I have wired 802.1x deployed with XP SP3 & Vista SP1 clients on a 3560 running the latest 12.2(50)SE software. Radius is handled by a Windows 2003 Server & IAS and reauthentication is enabled using the server to provide the timeout (session-timeout set to 180 minutes). This all appears to work but reauthentication seems to be happening more frequently than the supplied timeout. The logs filtered for 1 port are attached.

The port configuration is:

interface FastEthernet0/2

switchport access vlan 10

switchport mode access

switchport voice vlan 15

switchport port-security maximum 3

switchport port-security maximum 2 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

switchport port-security aging time 3

switchport port-security violation restrict

switchport port-security aging type inactivity

no logging event link-status

srr-queue bandwidth share 1 70 25 5

srr-queue bandwidth shape 3 0 0 0

priority-queue out

authentication port-control auto

authentication periodic

authentication timer restart 30

authentication timer reauthenticate server

authentication violation protect

no snmp trap link-status

dot1x pae authenticator

spanning-tree portfast

service-policy input IPPHONE+PC-BASIC

ip dhcp snooping limit rate 100

The session-timeout is seen by the switch:

cat-3560-48-s1#sho authentication sessions interface fastEthernet 0/1

Interface: FastEthernet0/1

MAC Address: 000c.f18c.c8fd

IP Address: 192.168.100.60

User-Name: DOMAIN\user

Status: Authz Success

Domain: DATA

Oper host mode: single-host

Oper control dir: both

Authorized By: Authentication Server

Vlan Policy: N/A

Session timeout: 10800s (server), Remaining: 9415s

Timeout action: Reauthenticate

Idle timeout: N/A

Common Session ID: C0A864FE00000D7A2F7C13F4

Acct Session ID: 0x00000E7A

Handle: 0x89000D7A

Runnable methods list:

Method State

dot1x Authc Success

The times between reauthentications is also not consistent (23-minutes, 5.5-minutes, 23-minutes, 5.5-minutes, 37-minutes, 5.5-minutes, 30-seconds, 26.5-minutes, 5.5-minutes, 17.5-minutes)

I am not sure if the client is initiating the reauthentication but I don't remember seeing any settings in either XP or Vista for timers? I have also looked at the GPO settings and there is nothing about reauthentication timers (XP SP3 & Vista can get the Wired 802.1x settings from GPO).

Has anyone else seen this? Is it the client or is it the switch? Is it fixable?

Cheers

Andy

Labels:
Preview file
9 KB
0 Helpful
0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card