802.1x + RADIUS Session-Timeout / Termination-Action + Catalyst 2950G

 
 
Matt
11-09-2004
802.1x and Cisco gurus,

In an Access-Accept RADIUS packet, can Termination-Action and Session-
Timeout RADIUS attributes be sent to load the 802.1x reauthentication
timer for the port being authenticated? I've had no problems doing
this on 3Com, HP, Nortel, etc. workgroup switches but Cisco seems to
ignore the Session-Timeout value being sent from RADIUS. My only
alternative is to hardcode it in the switch configuration, and that's
really not an option given our implementation requirements. We've
found Cisco wireless products (Aironet) can handle RADIUS supplied
reauth period, but this Catalyst 2950G wired switch refuses to play
nice.

Any help or insight appreciated,

--Matt

(If you can, please email (E-Mail Removed)).

(See RFC 3580, Section 3.17, 3.19 for information on
Termination-Action / Session-Timeout).
 

Thomas K
11-09-2004
Matt,

AFAIK, you use:
- wired LANs: you don't need to send back radius attributes (except to
configure VLANs or QOS maybe), you use dot1x timeout reauth-period in the
switch itself
- wireless LANs: you use session-timeout & termination-action

The reason the wireless APs handle those 2 attributes is they're used to
force a reauth so encryption keys are renewed ... there are no encryption
keys on wired 802.1x LANs

Cheers,

T

"Matt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> 802.1x and Cisco gurus,
>
> In an Access-Accept RADIUS packet, can Termination-Action and Session-
> Timeout RADIUS attributes be sent to load the 802.1x reauthentication
> timer for the port being authenticated? I've had no problems doing
> this on 3Com, HP, Nortel, etc. workgroup switches but Cisco seems to
> ignore the Session-Timeout value being sent from RADIUS. My only
> alternative is to hardcode it in the switch configuration, and that's
> really not an option given our implementation requirements. We've
> found Cisco wireless products (Aironet) can handle RADIUS supplied
> reauth period, but this Catalyst 2950G wired switch refuses to play
> nice.
>
> Any help or insight appreciated,
>
> --Matt
>
> (If you can, please email (E-Mail Removed)).
>
> (See RFC 3580, Section 3.17, 3.19 for information on
> Termination-Action / Session-Timeout).



 

mhite@hotmail.com
11-09-2004
Thomas --

Yes, I understand that wireless would require support for
Session-Timeout and Termination-Action for rekeying. I'm looking to
dynamically assign these values, though, on a per-user basis using
RADIUS attributes in a WIRED environment. It appears Cisco has chosen
not to fully implement RFC 3580, Section 3.17, 3.19 in their wired
products -- probably under the same rationale you provide. At least
that's what I'm wondering if anyone can confirm ... I presume you
concur with this observation, no?

--Matt

Thomas K wrote:
> Matt,
>
> AFAIK, you use:
> - wired LANs: you don't need to send back radius attributes (except to
> configure VLANs or QOS maybe), you use dot1x timeout reauth-period in the
> switch itself
> - wireless LANs: you use session-timeout & termination-action
>
> The reason the wireless APs handle those 2 attributes is they're used to
> force a reauth so encryption keys are renewed ... there are no encryption
> keys on wired 802.1x LANs
>
> Cheers,
>
> T
>
> "Matt" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > 802.1x and Cisco gurus,
> >
> > In an Access-Accept RADIUS packet, can Termination-Action and Session-
> > Timeout RADIUS attributes be sent to load the 802.1x reauthentication
> > timer for the port being authenticated? I've had no problems doing
> > this on 3Com, HP, Nortel, etc. workgroup switches but Cisco seems to
> > ignore the Session-Timeout value being sent from RADIUS. My only
> > alternative is to hardcode it in the switch configuration, and that's
> > really not an option given our implementation requirements. We've
> > found Cisco wireless products (Aironet) can handle RADIUS supplied
> > reauth period, but this Catalyst 2950G wired switch refuses to play
> > nice.
> >
> > Any help or insight appreciated,
> >
> > --Matt
> >
> > (If you can, please email (E-Mail Removed)).
> >
> > (See RFC 3580, Section 3.17, 3.19 for information on
> > Termination-Action / Session-Timeout).

 

Thomas K
11-10-2004
Matt,

There are NO encryption keys on wired environments. So even if you somehow
could hack that feature, the client workstations (the supplicants) on a
wired LAN would not encrypt their traffic.
What exactly are you trying to do?

T

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Thomas --
>
> Yes, I understand that wireless would require support for
> Session-Timeout and Termination-Action for rekeying. I'm looking to
> dynamically assign these values, though, on a per-user basis using
> RADIUS attributes in a WIRED environment. It appears Cisco has chosen
> not to fully implement RFC 3580, Section 3.17, 3.19 in their wired
> products -- probably under the same rationale you provide. At least
> that's what I'm wondering if anyone can confirm ... I presume you
> concur with this observation, no?
>
> --Matt
>
> Thomas K wrote:
>> Matt,
>>
>> AFAIK, you use:
>> - wired LANs: you don't need to send back radius attributes (except to
>> configure VLANs or QOS maybe), you use dot1x timeout reauth-period in the
>> switch itself
>> - wireless LANs: you use session-timeout & termination-action
>>
>> The reason the wireless APs handle those 2 attributes is they're used to
>> force a reauth so encryption keys are renewed ... there are no encryption
>> keys on wired 802.1x LANs
>>
>> Cheers,
>>
>> T
>>
>> "Matt" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) om...
>> > 802.1x and Cisco gurus,
>> >
>> > In an Access-Accept RADIUS packet, can Termination-Action and Session-
>> > Timeout RADIUS attributes be sent to load the 802.1x reauthentication
>> > timer for the port being authenticated? I've had no problems doing
>> > this on 3Com, HP, Nortel, etc. workgroup switches but Cisco seems to
>> > ignore the Session-Timeout value being sent from RADIUS. My only
>> > alternative is to hardcode it in the switch configuration, and that's
>> > really not an option given our implementation requirements. We've
>> > found Cisco wireless products (Aironet) can handle RADIUS supplied
>> > reauth period, but this Catalyst 2950G wired switch refuses to play
>> > nice.
>> >
>> > Any help or insight appreciated,
>> >
>> > --Matt
>> >
>> > (If you can, please email (E-Mail Removed)).
>> >
>> > (See RFC 3580, Section 3.17, 3.19 for information on
>> > Termination-Action / Session-Timeout).


 

mhite@hotmail.com
11-10-2004
No, no, I'm definitely _not_ saying WPA/WEP/encryption/etc. or anything
like that runs on a wired LAN... back up there. I merely want to send
802.1x reauthentication timers to a Catalyst 2950G switch from RADIUS
for supplicants being authenticated to switch ports. I don't want
interface-specific or switch-global timers [as you can do today by
commands in the switch config] -- I want USER SPECIFIC via RADIUS, as
outlined in RFC 3580, Section 3.17, 3.19. Is that more clear?
Specifically, I have a set of users that I want to have VERY aggressive
802.1x reauthentication timers. Due to the mobility of the users and
the potential impact on RADIUS, it would be inappropriate for me to set
these on a port or switch-wide basis.

Thanks,

--Matt


Thomas K wrote:
> Matt,
>
> There are NO encryption keys on wired environments. So even if you somehow
> could hack that feature, the client workstations (the supplicants) on a
> wired LAN would not encrypt their traffic.
> What exactly are you trying to do?
>
> T
>
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) oups.com...
> > Thomas --
> >
> > Yes, I understand that wireless would require support for
> > Session-Timeout and Termination-Action for rekeying. I'm looking to
> > dynamically assign these values, though, on a per-user basis using
> > RADIUS attributes in a WIRED environment. It appears Cisco has chosen
> > not to fully implement RFC 3580, Section 3.17, 3.19 in their wired
> > products -- probably under the same rationale you provide. At least
> > that's what I'm wondering if anyone can confirm ... I presume you
> > concur with this observation, no?
> >
> > --Matt
> >
> > Thomas K wrote:
> >> Matt,
> >>
> >> AFAIK, you use:
> >> - wired LANs: you don't need to send back radius attributes (except to
> >> configure VLANs or QOS maybe), you use dot1x timeout reauth-period in the
> >> switch itself
> >> - wireless LANs: you use session-timeout & termination-action
> >>
> >> The reason the wireless APs handle those 2 attributes is they're used to
> >> force a reauth so encryption keys are renewed ... there are no encryption
> >> keys on wired 802.1x LANs
> >>
> >> Cheers,
> >>
> >> T
> >>
> >> "Matt" <(E-Mail Removed)> wrote in message
> >> news:(E-Mail Removed) om...
> >> > 802.1x and Cisco gurus,
> >> >
> >> > In an Access-Accept RADIUS packet, can Termination-Action and Session-
> >> > Timeout RADIUS attributes be sent to load the 802.1x reauthentication
> >> > timer for the port being authenticated? I've had no problems doing
> >> > this on 3Com, HP, Nortel, etc. workgroup switches but Cisco seems to
> >> > ignore the Session-Timeout value being sent from RADIUS. My only
> >> > alternative is to hardcode it in the switch configuration, and that's
> >> > really not an option given our implementation requirements. We've
> >> > found Cisco wireless products (Aironet) can handle RADIUS supplied
> >> > reauth period, but this Catalyst 2950G wired switch refuses to play
> >> > nice.
> >> >
> >> > Any help or insight appreciated,
> >> >
> >> > --Matt
> >> >
> >> > (If you can, please email (E-Mail Removed)).
> >> >
> >> > (See RFC 3580, Section 3.17, 3.19 for information on
> >> > Termination-Action / Session-Timeout).


 
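The attribute handling Matt asks about in the opening post, and the per-user timers he describes in his last post, as an added example that is not from this thread and not Cisco's or any RADIUS server's code: a small Python encoder for the Access-Accept a server would return (Session-Timeout, attribute 27, together with Termination-Action, attribute 29, set to RADIUS-Request) and the decision an RFC 3580 conformant authenticator makes on receipt. It includes the Response Authenticator check the switch must pass before honouring any attribute, since a forged or replayed Access-Accept that could shorten or lengthen a port's reauthentication period is exactly the kind of reply a NAS must discard. The shared secret, Request Authenticator, user names and the per-user policy table are constructed test values, and `per_user_reauth_attributes`, `nas_decide` and `authenticator_valid` are names chosen for this example. On the Catalyst side, later IOS releases added `dot1x timeout reauth-period server` (alongside `dot1x reauthentication` on the port), which makes the port take its period from Session-Timeout when Termination-Action is RADIUS-Request; whether a particular 2950 image carries that keyword is a question for that release's command reference.

```python
"""Encode a RADIUS Access-Accept carrying Session-Timeout / Termination-Action
(RFC 2865 s5.27, s5.29; RFC 3580 s3.17, s3.19) and decide, as a conformant
802.1X authenticator would, what to do with it.  Added example; the secret,
identifiers and the per-user policy are constructed test values."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2

# RFC 2865 attribute types
ATTR_USER_NAME = 1
ATTR_SESSION_TIMEOUT = 27
ATTR_TERMINATION_ACTION = 29

# Termination-Action values (RFC 2865 s5.29)
TERM_DEFAULT = 0         # drop the session when Session-Timeout expires
TERM_RADIUS_REQUEST = 1  # re-authenticate instead (RFC 3580 s3.19)


def u32(n):
    """RADIUS 'integer' attribute value: 32-bit unsigned, network byte order."""
    return struct.pack("!I", n)


def _avp(attr_type, value):
    """Type / Length / Value; Length counts the two header octets as well."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def per_user_reauth_attributes(username, policy):
    """Attributes a RADIUS server returns for `username`.  `policy` is a
    constructed table of per-user reauthentication periods in seconds; users
    absent from it get no timer and fall back to whatever the switch has."""
    attrs = [(ATTR_USER_NAME, username.encode())]
    seconds = policy.get(username)
    if seconds is not None:
        attrs.append((ATTR_SESSION_TIMEOUT, u32(seconds)))
        # Without RADIUS-Request the NAS would *terminate* the session instead.
        attrs.append((ATTR_TERMINATION_ACTION, u32(TERM_RADIUS_REQUEST)))
    return attrs


def build_access_accept(identifier, request_authenticator, secret, attributes):
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)  (RFC 2865 s3)."""
    body = b"".join(_avp(t, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def authenticator_valid(packet, request_authenticator, secret):
    """True iff the Response Authenticator verifies against the Request
    Authenticator the NAS sent; attributes from a reply that fails this
    check must not be acted on."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(body):
    """Walk the TLV list; reject lengths that would run past the packet."""
    attrs, i = [], 0
    while i < len(body):
        t, l = struct.unpack("!BB", body[i:i + 2])
        if l < 2 or i + l > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((t, body[i + 2:i + l]))
        i += l
    return attrs


def nas_decide(packet, request_authenticator, secret, local_reauth_period):
    """Port timer decision per RFC 3580 s3.17:
      ('reauth', n)     Session-Timeout + Termination-Action=RADIUS-Request:
                        reauthenticate every n seconds
      ('reauth', local) no Session-Timeout: use the switch-configured period
      ('terminate', n)  Session-Timeout with Termination-Action absent/Default:
                        end the session after n seconds"""
    if not authenticator_valid(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch; reply discarded")
    if packet[0] != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    attrs = dict(parse_attributes(packet[20:]))
    timeout = attrs.get(ATTR_SESSION_TIMEOUT)
    if timeout is None:
        return ("reauth", local_reauth_period)
    seconds = struct.unpack("!I", timeout)[0]
    action = attrs.get(ATTR_TERMINATION_ACTION, u32(TERM_DEFAULT))
    if struct.unpack("!I", action)[0] == TERM_RADIUS_REQUEST:
        return ("reauth", seconds)
    return ("terminate", seconds)


if __name__ == "__main__":
    secret = b"testing123"          # constructed shared secret
    req_auth = bytes(range(16))     # a real Access-Request carries a random one
    policy = {"roaming-user": 300}  # constructed: aggressive 5-minute reauth
    for ident, user in enumerate(["roaming-user", "desk-user"]):
        pkt = build_access_accept(ident, req_auth, secret, per_user_reauth_attributes(user, policy))
        print(user, nas_decide(pkt, req_auth, secret, local_reauth_period=3600))
```

Two points the code makes that the thread only implies: sending Session-Timeout alone is not a reauthentication timer, because without Termination-Action=RADIUS-Request a conformant switch treats it as a hard session limit and drops the port at expiry; and a per-user value is only as trustworthy as the Response Authenticator check, which relies on a strong shared secret and a Request Authenticator the NAS actually randomises.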
 
 
 