Re: 802.1X Age time

  • 1.  Re: 802.1X Age time

    Posted Mar 26, 2015 11:37 AM
    Look at your timers: “show aaa timers” and see if idle-timeout correlates with when they are disconnected.
    If no traffic is seen from the client in the “idle-timeout” interval (e.g., 5 minutes or whatever), the controller will attempt to ping the client. If still no traffic is observed, then the “auth” process will remove it from the user-table.

    Get a client that has been experiencing the disconnect, and observe the “show datapath session table ” for that client. See if any traffic is coming in for it. Also, issue “configure terminal logging level debugging user-debug ” and then “show log user-debug all | include ” to see why the client is being disconnected.

    All that assumes idle-timeout is at play. If it’s RF/802.11 related, you can look at “show ap remote debug mgmt-frames ap-name ” to see all the management frames from that AP to which the client is connected.

    Then, there’s always opening a TAC case . . .

    - Ryan -
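
The following is an added example, not code from this thread or from Aruba. It parses the `show aaa timers` output and the `authmgr` log format quoted later in the thread, then walks through the idle-timeout aging described in the reply above (idle timer restarts on client traffic, a ping when it expires, removal from the user-table when the ping goes unanswered) so you can see at what time a given client would age out. The aging model is a simplification built from that description, not a reproduction of the controller's code; the sample log line, the traffic times and the moment the laptop lid closes are constructed, and `EXAMPLE-USER` is a placeholder username.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the thread's "show aaa timers" output
# (the four values are the ones posted; the parser is mine, not Aruba's).
AAA_TIMERS_OUTPUT = """\
Global User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds
"""

# Constructed authmgr line in the thread's format; username is a placeholder,
# the MAC and server name are the ones that appear in the posted log.
AUTHMGR_SAMPLE = (
    "Mar 26 10:48:38 :522038: <INFO> |authmgr| username=EXAMPLE-USER "
    "MAC=b8:e8:56:10:9c:c2 IP=0.0.0.0 Authentication result=Authentication "
    "Successful method=802.1x server=fldvp-appnpspxy.ad.nova.edu"
)

UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}


def parse_aaa_timers(text):
    """Turn 'Name = N unit' lines into {name: seconds}."""
    timers = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*=\s*(\d+)\s*(seconds|minutes|hours)\b", line)
        if m:
            name, value, unit = m.groups()
            timers[name] = int(value) * UNIT_SECONDS[unit]
    return timers


AUTHMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+): "
    r"<(?P<level>\w+)> \|authmgr\| (?P<rest>.*)$"
)


def parse_authmgr(line, year=2015):
    """Extract timestamp, message id, client MAC and auth outcome from an
    authmgr syslog line; returns None for lines in another format."""
    m = AUTHMGR_RE.match(line)
    if not m:
        return None
    mac = re.search(r"MAC=([0-9a-f]{2}(?::[0-9a-f]{2}){5})", m["rest"])
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "msgid": int(m["msgid"]),
        "level": m["level"],
        "mac": mac.group(1) if mac else None,
        "auth_success": "Authentication result=Authentication Successful" in m["rest"],
    }


def simulate_idle_aging(auth_time, traffic_times, idle_timeout_s,
                        client_reachable, horizon):
    """Simplified model of the aging described in the reply: the idle timer
    restarts on every frame from the client; when it expires the controller
    pings the client; an answered ping restarts the timer, an unanswered one
    lets the auth process drop the user-table entry. Returns the removal
    time, or None if the entry is still present at `horizon`."""
    idle = timedelta(seconds=idle_timeout_s)
    pending = sorted(t for t in traffic_times if t >= auth_time)
    last_seen = auth_time
    while True:
        deadline = last_seen + idle
        if deadline > horizon:
            return None
        if pending and pending[0] <= deadline:   # traffic before expiry: restart timer
            last_seen = pending.pop(0)
        elif client_reachable(deadline):         # expiry, but the ping is answered
            last_seen = deadline
        else:                                    # expiry and no answer: aged out
            return deadline


def lid_closed_scenario():
    """Client authenticates at 10:48:38, sends a little traffic, then the
    laptop lid is closed at 10:52:38 (constructed) and it stops answering."""
    timers = parse_aaa_timers(AAA_TIMERS_OUTPUT)
    t0 = parse_authmgr(AUTHMGR_SAMPLE)["ts"]
    traffic = [t0 + timedelta(minutes=1), t0 + timedelta(minutes=3, seconds=52)]
    lid_closed = t0 + timedelta(minutes=4)
    return simulate_idle_aging(t0, traffic, timers["Global User idle timeout"],
                               lambda t: t < lid_closed, t0 + timedelta(hours=1))


def quiet_but_awake_scenario():
    """Same client, no traffic at all, but it answers every probe."""
    timers = parse_aaa_timers(AAA_TIMERS_OUTPUT)
    t0 = parse_authmgr(AUTHMGR_SAMPLE)["ts"]
    return simulate_idle_aging(t0, [], timers["Global User idle timeout"],
                               lambda t: True, t0 + timedelta(hours=1))


if __name__ == "__main__":
    print("lid closed  -> removed at", lid_closed_scenario())
    print("quiet/awake -> removed at", quiet_but_awake_scenario())
```

With the posted 300-second idle timeout, the lid-closed client's last frame at 10:52:30 puts its removal at 10:57:30, while a client that is silent but still answers the ping is never removed. Feeding real `show log user-debug` timestamps into `traffic_times` lets you check whether an observed disconnect lines up with the idle timer before looking at the RF side.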


  • 2.  RE: Re: 802.1X Age time

    Posted Mar 26, 2015 12:03 PM

    Ryan,


    Thank you for your time. I checked my timers and my idle timer is the default 5 min. So after 5 minutes, if the controller cannot ping the user because the client either turned off the device or left the area, then the controller will remove the user from the table, and if the user comes back or reopens the laptop it needs to reauthenticate. Am I correct?


    show aaa timers

    Global User idle timeout = 300 seconds
    Auth Server dead time = 10 minutes
    Logon user lifetime = 5 minutes
    User Interim stats frequency = 300 seconds

     

    show auth-trace showed the user's EAP is successful and the RADIUS server is accepting the request:


    Mar 26 10:51:01 eap-req <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 107
    Mar 26 10:51:01 eap-resp -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 43
    Mar 26 10:51:01 rad-req -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 254
    Mar 26 10:51:01 rad-accept <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91/fldvp-appnpspxy.ad.nova.edu 42 305
    Mar 26 10:51:01 eap-success <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 12 4
    Mar 26 10:51:01 wpa2-key1 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
    Mar 26 10:51:01 wpa2-key2 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 117
    Mar 26 10:51:01 wpa2-key3 <- b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 151
    Mar 26 10:51:01 wpa2-key4 -> b8:e8:56:10:9c:c2 9c:1c:12:82:3a:91 - 95

    Now in the logs I can see the testing with my laptop trying to replicate the issue, so I can better understand where to look. I can see my computer was authenticated successfully:


    Mar 26 10:48:38 :522038: <INFO> |authmgr| username=NSU
    ils MAC=b8:e8:56:10:9c:c2 IP=0.0.0.0 Authentication result=Authentication Successful method=802.1x server=fldvp-appnpspxy.ad.nova.edu
    Mar 26 10:48:38 :522044: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2 Station authenticate(start): method=802.1x, role=preauth///preauth, VLAN=1248/1248, Derivation=10/0, Value Pair=1, flags=0x8
    Mar 26 10:48:38 :522049: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2,IP=N/A User role updated, existing Role=preauth/none, new Role=ENET/none, reason=Station Authenticated with auth type: 4
    Mar 26 10:48:38 :522050: <INFO> |authmgr| MAC=b8:e8:56:10:9c:c2,IP=N/A User data downloaded to datapath, new Role=ENET/139, bw Contract=0/0, reason=Download driven by user role settin

    Now, from the client's connection the timer does not change, so the client computer believes it is still connected, but the controller, I think, is removing the client from the table.


    Thank you