Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

RADIUS IETF Session-Timeout and Termination-Action question

  • 1.  RADIUS IETF Session-Timeout and Termination-Action question

    Posted Apr 04, 2017 05:32 PM

    Hi Everyone, 

    I'm testing VLAN assignment with RADIUS attributes. The assignment works fine (it places the authenticated device in its corresponding VLAN). We want to disable the Dot1X reauthentication period on the switch (default 1 hour) and control it with CPPM depending on which device is connecting to the network. We are using Dell switches, but it looks like the Session-Timeout and Termination-Action are not working: we never see any authentication request after the timeout ends. Any suggestions/experience on how to achieve this? Thanks a lot in advance.



  • 2.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    EMPLOYEE
    Posted Apr 04, 2017 05:36 PM
    Many switches require a command to enable server-based timeout. Look for that in your RADIUS or interface config.


  • 3.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    Posted Apr 04, 2017 05:42 PM

    We are using Dell N series, I will search, thanks.



  • 4.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    Posted Apr 12, 2017 08:15 AM

    Opened a support case with TAC; will post the results in the next few days. Based on the switch documentation, the RADIUS Session-Timeout and Termination-Action are enabled by default and should be working with no issues.



  • 5.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    Posted Dec 21, 2018 11:58 AM

    Hello Tim and folks,

    I have a VLAN enforcement configured to be pushed to switches in order to put the users in the correct VLANs.

    My question: if the session timeout occurs ('radius:left session-time-out 10800'), is the user going to lose his active sessions (HTTPS, SSH, etc.)? In other words, is he going to be totally disconnected from the network?



  • 6.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    Posted Dec 21, 2018 12:12 PM

    Hey Averna, if you use Value = Default (0), this will disconnect the session and re-authenticate the device.

    If you use Value = RADIUS-Request (1), it will only check whether the device is already authenticated or active on the switchport; if it is, there will be no disconnect.



  • 7.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    Posted Dec 21, 2018 01:03 PM

    Hello Oscar,

    I have the same concern.

    After every 10800 seconds (3 hours), I see a new authentication entry for users in the Access Tracker.

    I believe these entries appear due to

    Radius:IETF    Session-timeout   10800

    Does seeing new authentication entries in the Access Tracker mean users are kicked out from the network?



  • 8.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    Posted Dec 21, 2018 02:12 PM

    With the enforcement profile that you have, it is informational only and the re-authentication revalidates the device; no disconnect occurs as long as the switchport remains up and the device is on the network. You might want to extend the timeout to 8 hours or more, depending on what you would like; in our case we set the auth-time to 24 hours.



  • 9.  RE: RADIUS IETF Session-Timeout and Termination-Action question

    Posted Dec 21, 2018 05:07 PM

    Thank you, Oscar!