Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

reauth not working

  • 1.  reauth not working

    Posted Jan 03, 2020 07:21 AM

    Hello, I am using a MAC auth service for non-standard devices.

    The devices are discovered by DHCP profiling. I have put the session timeout profile with a value of 36000 seconds in the enforcement rule, so I want all non-standard devices to reauthenticate after 10 hours.

    The enforcement profile is of type RADIUS:

    Radius:IETF Session-Timeout = 36000

    But I don't see reauthentication happening, because of which I can't see these devices doing authentication in the daily reports generated by Insight. Does reauth work only for dot1x, or do I have to use the profile type RADIUS_COA?

    The NAD is a Cisco running the latest IOS version.



  • 2.  RE: reauth not working

    EMPLOYEE
    Posted Jan 03, 2020 07:34 AM

    Before asking more specific questions, did you use the Cisco section of the ClearPass Wired Policy Enforcement Guide here to set up your enforcement on the Cisco and ClearPass side?  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33276

     

    Reauthentication can involve more than just sending a radius attribute.



  • 3.  RE: reauth not working

    Posted Jan 03, 2020 07:40 AM

    Hi Joseph,

    Yes, I did follow the wired guide.

    A session timeout of 36000 should make any active session break after 10 hours. So what is the need for reauth parameters?

    Or does this mean that the session timeout won't initiate a new reauth request? This is more specific to devices hitting the MAC auth service.



  • 4.  RE: reauth not working

    EMPLOYEE
    Posted Jan 03, 2020 07:44 AM

    There is Cisco-specific configuration that is needed for the Cisco NAD to enforce a radius-supplied session-timeout.  Please see here:  https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-8021x-rad-supp-sess-t.html



  • 5.  RE: reauth not working

    Posted Jan 03, 2020 07:49 AM

    This talks about dot1x, but I believe it will work for MAC also?



  • 6.  RE: reauth not working

    MVP EXPERT
    Posted Jan 03, 2020 09:37 AM

    802.1X is just RADIUS; EAP or MAC is the inner authentication method sent by the supplicant (client). It could be that Cisco needs some specific configuration on the authenticator (switch). I am not very familiar with Cisco.

    For an Aruba switch it works based on both EAP and MAC authentication with 802.1X.

    See my screenshots attached for an example.

    It seems like the lowest value of the session-timeout is 60 sec. ;).

    For reference: in my test setup it stopped working directly after I removed the Radius:IETF Termination-Action attribute. So give it a try.

     

     



  • 7.  RE: reauth not working

    Posted Jan 03, 2020 09:57 AM
    Thanks a lot Marcel. I will try and let you know.


  • 8.  RE: reauth not working

    Posted Jan 08, 2020 11:47 AM

    I have configured the below:

    1. Radius:IETF Session-Timeout = 3600
    2. Radius:IETF Termination-Action = RADIUS-Request (1)
    3. Radius:IETF Tunnel-Medium-Type = IEEE-802 (6)

     

    But it is not even considering 3600 seconds and is doing reauth again and again, after 80-90 seconds on average.

    The access switch is Cisco.


    @cppmadmin wrote:
    Thanks a lot Marcel. I will try and let you know.

     



  • 9.  RE: reauth not working

    EMPLOYEE
    Posted Jan 08, 2020 12:24 PM

    Check this Cisco document:

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/sec-ieee-8021x-rad-supp-sess-t.pdf

     

    Information About IEEE 802.1X RADIUS-Supplied Session Timeout

    You can specify whether a device port uses a locally configured or a RADIUS-provided reauthentication timeout. If the device port is configured to use the local timeout, it reauthenticates the host when the timer expires. If the device port is configured to use the RADIUS-provided timeout, it looks in the RADIUS Access-Accept message for the Session-Timeout and optional Termination-Action attributes. The device port uses the value of the Session-Timeout attribute to determine the duration of the session, and it uses the value of the Termination-Action attribute to determine the device action when the session's timer expires. If the Termination-Action attribute is present and its value is RADIUS-Request, the device port reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the device port terminates the session.

     

     

    The enforcement profile which you configured should work; try checking if the configuration done on the switch is proper. The document provides the configuration part as well.



  • 10.  RE: reauth not working

    MVP EXPERT
    Posted Jan 08, 2020 12:27 PM

    Did you configure the Radius:IETF Tunnel-Type and Radius:IETF Tunnel-Private-Group-ID for pushing the VLAN? Does the client get an IP?

    What do your AAA settings for your Cisco switch look like?

     

    Session timeout can be configured on the switch or at the server derivation.



  • 11.  RE: reauth not working

    Posted Jan 08, 2020 01:15 PM

    We are not sending a VLAN, as the VLAN ID will be different for each site.

    Below is our Cisco 9300 config:

    interface GigabitEthernet1/0/27
     description ** USER DATA CONNECTIVITY **
     switchport access vlan 219
     switchport mode access
     authentication event server dead action authorize vlan 219
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication timer reauthenticate server
     mab
     storm-control broadcast level 3.00
     storm-control multicast level 3.00
     dot1x pae authenticator
     dot1x timeout tx-period 10
     dot1x timeout supp-timeout 15
     dot1x max-reauth-req 1
     spanning-tree portfast
     spanning-tree bpduguard enable



  • 12.  RE: reauth not working

    MVP EXPERT
    Posted Jan 08, 2020 01:36 PM

    Ok, without VLAN enforcement you don't need the "tunnel-medium-type" attribute.

    The last question was not answered: does your client get an IP address in those 60-90 secs?

    Your AAA config looks fine to me, but I am not a Cisco expert; I also learn from your info ;).

    Did you check the wired enforcement policy guide, page 128?

    https://community.arubanetworks.com/aruba/attachments/aruba/CampusSwitching/3907/2/ClearPass_Solution-Guide_Wired-Policy-Enforcement_v2018-01.pdf



  • 13.  RE: reauth not working

    Posted Jan 08, 2020 01:54 PM

    Yes, the client gets the IP address every time.

     

     



  • 14.  RE: reauth not working

    Posted Jan 08, 2020 02:10 PM

    We have 3750X's, so the syntax might be different, but can you run your version of this command?

    show authentication sessions interface gi1/0/1

    You should see something similar to this (again, I don't know how different the 9300s are):

    <hostname>#show authentication sessions interface gi1/0/1
    Interface: GigabitEthernet1/0/1
    MAC Address: <<MAC Address>>
    IP Address: Unknown
    User-Name: <<Username>>
    Status: Authz Success
    Domain: DATA
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-host
    Oper control dir: in
    Authorized By: Authentication Server
    Vlan Policy: 2012
    Session timeout: 64800s (server), Remaining: 6883s
    Timeout action: Reauthenticate
    Idle timeout: N/A
    Common Session ID: C0A80A3D00892194FDC2B87B
    Acct Session ID: 0x00893301
    Handle: 0x3F000689

    Runnable methods list:
    Method State
    dot1x Authc Success
    mab Not run




     



  • 15.  RE: reauth not working

    Posted Jan 08, 2020 02:22 PM

    Below is the output from our 3750 WS-C3750X-48P; the OS is 15.2(4)E7.

    show authentication sessions interface Gi3/0/30 details
    Interface: GigabitEthernet3/0/30
    MAC Address: 10e7.c633.a36f
    IPv6 Address: Unknown
    IPv4 Address: 10.116.35.152
    User-Name: test-pc.domain.test
    Status: Authorized
    Domain: DATA
    Oper host mode: multi-domain
    Oper control dir: both
    Session timeout: N/A
    Restart timeout: N/A
    Periodic Acct timeout: N/A
    Common Session ID: 0A74230500000D606E3799AA
    Acct Session ID: 0x00000BFC
    Handle: 0xEF000D4F
    Current Policy: POLICY_Gi3/0/30

     

    RADIUS is only sending Radius:IETF Session-Timeout = 36000

    It seems the port is not taking it.

    Can you share your port config from the 3750? Here we are using multi-domain while you are using multi-auth.

     



  • 16.  RE: reauth not working

    Posted Jan 08, 2020 02:37 PM

    Sure


    interface GigabitEthernet1/0/1
    description A-02 AP
    switchport access vlan 110
    switchport mode access
    switchport voice vlan 604
    authentication control-direction in
    authentication host-mode multi-host
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 4
    spanning-tree portfast
    end

    This specific switch is running 15.0; we have another switch running 15.2(4)E6 that is experiencing the same thing you are having, so I'm going to look into that and see what I can find.



  • 17.  RE: reauth not working

    Posted Jan 08, 2020 02:51 PM

    My bad.

    I was missing the below command:

    authentication periodic

    After adding this command, everything seems to work.

    Thanks all for your suggestions.


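The two checks this thread converges on, as an added example (not code from the thread or from any of its posters): an interface that carries `authentication timer reauthenticate server` but lacks `authentication periodic` will ignore the RADIUS-supplied Session-Timeout, and a working port shows a server-sourced `Session timeout` with a `Reauthenticate` timeout action in `show authentication sessions interface ... details`. The sample running-config and session output below are constructed for the example and modelled on the outputs posted above; the function and variable names are assumptions.

```python
"""Audit RADIUS-driven reauthentication on Cisco IOS access ports.

Added example, not from the thread. The sample config and session output
are constructed; they mimic the layout of `show running-config` interface
blocks and `show authentication sessions interface <if> details`.
"""
import re

# Constructed sample: only the first port has `authentication periodic`.
SAMPLE_RUNNING_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 110
 switchport mode access
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/27
 switchport access vlan 219
 switchport mode access
 authentication host-mode multi-domain
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
interface Vlan1
 no ip address
!
"""


def parse_interfaces(running_config):
    """Return {interface_name: [stripped config lines]} for each interface block."""
    interfaces = {}
    current = None
    for line in running_config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def find_ports_missing_periodic(running_config):
    """Ports that expect a server reauth timer but never enable periodic reauth.

    Such a port accepts Session-Timeout in the Access-Accept yet never
    re-runs authentication, which is the root cause found in the thread.
    """
    missing = []
    for name, lines in parse_interfaces(running_config).items():
        wants_server_timer = "authentication timer reauthenticate server" in lines
        has_periodic = "authentication periodic" in lines
        if wants_server_timer and not has_periodic:
            missing.append(name)
    return missing


# Constructed sample of a healthy session on a port honouring the server timer.
SAMPLE_SESSION_OUTPUT = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
           IP Address:  Unknown
               Status:  Authz Success
      Session timeout:  36000s (server), Remaining: 35120s
       Timeout action:  Reauthenticate
"""

SESSION_TIMEOUT_RE = re.compile(r"Session timeout:\s*(\d+)s\s*\((\w+)\)")
TIMEOUT_ACTION_RE = re.compile(r"Timeout action:\s*(\S+)")


def check_session(show_output):
    """Summarise whether a port honours a server-supplied reauth timer.

    Returns timeout seconds, its source ('server' or 'local'), the timeout
    action, and an overall verdict. A port printing 'Session timeout: N/A'
    (as in the failing 3750X output in the thread) yields ok == False.
    """
    result = {"timeout": None, "source": None, "action": None, "ok": False}
    m = SESSION_TIMEOUT_RE.search(show_output)
    if m:
        result["timeout"] = int(m.group(1))
        result["source"] = m.group(2).lower()
    a = TIMEOUT_ACTION_RE.search(show_output)
    if a:
        result["action"] = a.group(1)
    result["ok"] = (
        result["source"] == "server"
        and result["action"] is not None
        and result["action"].lower() == "reauthenticate"
    )
    return result


if __name__ == "__main__":
    print("ports missing 'authentication periodic':",
          find_ports_missing_periodic(SAMPLE_RUNNING_CONFIG))
    print("session check:", check_session(SAMPLE_SESSION_OUTPUT))
```

Run the config audit against a saved `show running-config` before rolling Session-Timeout enforcement out to a site; the session check is the per-port confirmation that the Access-Accept attributes were actually applied rather than only sent.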

  • 18.  RE: reauth not working

    MVP EXPERT
    Posted Jan 08, 2020 03:23 PM

    Good that it's working now. Thanks for your feedback, so we can all learn from this! Keep strong (y).

     



  • 19.  RE: reauth not working

    MVP EXPERT
    Posted Jan 03, 2020 07:42 AM

    Did you try to set Radius:IETF:Termination-Action = RADIUS-Request as well in your enforcement profile?



  • 20.  RE: reauth not working

    Posted Jan 03, 2020 07:48 AM

    Hi, I have not set it up. I will set it and check. This should work for endpoints doing MAC auth as well?


    @mkk wrote:

    Did you try to set Radius:IETF:Termination-Action = RADIUS-Request as well in your enforcement profile?