802.1x + RADIUS Session-Timeout / Termination-Action + Catalyst 2950G

Discussion in 'Cisco' started by Matt, Nov 9, 2004.

  1. Matt (Guest)

    802.1x and Cisco gurus,

    In an Access-Accept RADIUS packet, can Termination-Action and Session-
    Timeout RADIUS attributes be sent to load the 802.1x reauthentication
    timer for the port being authenticated? I've had no problems doing
    this on 3Com, HP, Nortel, etc. workgroup switches but Cisco seems to
    ignore the Session-Timeout value being sent from RADIUS. My only
    alternative is to hardcode it in the switch configuration, and that's
    really not an option given our implementation requirements. We've
    found Cisco wireless products (Aironet) can handle a RADIUS-supplied
    reauth period, but this Catalyst 2950G wired switch refuses to play
    nice.

    Any help or insight appreciated,

    --Matt

    (If you can, please email ).

    (See RFC 3580, Sections 3.17 and 3.19 for information on
    Termination-Action / Session-Timeout).
     
    Matt, Nov 9, 2004
    #1

  2. Thomas K (Guest)

    Matt,

    AFAIK, you use:
    - wired LANs: you don't need to send back RADIUS attributes (except to
    configure VLANs or QoS maybe); you use dot1x timeout reauth-period in the
    switch itself
    - wireless LANs: you use Session-Timeout & Termination-Action

    The reason the wireless APs handle those 2 attributes is they're used to
    force a reauth so encryption keys are renewed ... there are no encryption
    keys on wired 802.1x LANs ;-)

    Cheers,

    T

     
    Thomas K, Nov 9, 2004
    #2
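The two attributes under discussion are ordinary RFC 2865 "integer" attributes: Session-Timeout (type 27, RFC 3580 section 3.17) and Termination-Action (type 29, RFC 3580 section 3.19). The following Python is an added example, not code from the thread, from Cisco or from any RADIUS server: it encodes the pair as a RADIUS server would place them in an Access-Accept, parses them back the way a NAS would, and then models the two behaviours the thread contrasts, a NAS that honours the attributes (reauthenticate or terminate when Session-Timeout expires, depending on Termination-Action) against one that ignores them and falls back to its own configured reauth-period, which is the per-port `dot1x timeout reauth-period` alternative Thomas describes and Matt wants to avoid. The function names, the `honours_radius_timers` switch and the 300-second sample value are this example's own constructions. One caveat from RFC 3580 section 3.17 is reflected in the comments: Session-Timeout only means "reauthenticate after N seconds" in an Access-Accept; in an Access-Challenge it is the EAP retransmission timeout, so a parser must know which packet type it is looking at.

```python
"""Added example (not from the thread): RFC 3580 Session-Timeout /
Termination-Action in a RADIUS Access-Accept, encoded, parsed and applied."""
import struct

# RADIUS attribute type codes (RFC 2865 section 5). Both are 32-bit "integer" attributes.
SESSION_TIMEOUT = 27      # seconds of service before reauth/termination (RFC 3580 s3.17)
TERMINATION_ACTION = 29   # what to do when Session-Timeout expires (RFC 3580 s3.19)
TERM_DEFAULT = 0          # Default: end the session (port returns to unauthorized)
TERM_RADIUS_REQUEST = 1   # RADIUS-Request: re-run 802.1X authentication


def encode_integer_avp(attr_type, value):
    """Encode one RADIUS integer attribute: Type(1) Length(1) Value(4, big-endian)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("integer attribute value out of range: %r" % (value,))
    return struct.pack("!BBI", attr_type, 6, value)


def build_reauth_avps(reauth_seconds, reauthenticate=True):
    """Attribute bytes an Access-Accept carries to set a per-user reauth interval.

    reauthenticate=True  -> Termination-Action = RADIUS-Request (reauth at expiry)
    reauthenticate=False -> Termination-Action = Default (drop the session at expiry)
    """
    action = TERM_RADIUS_REQUEST if reauthenticate else TERM_DEFAULT
    return (encode_integer_avp(SESSION_TIMEOUT, reauth_seconds)
            + encode_integer_avp(TERMINATION_ACTION, action))


def parse_avps(data):
    """Walk a RADIUS attribute list and return [(type, value_bytes), ...].

    Length checks matter: a truncated or oversized attribute must be rejected,
    not silently read past the end of the packet.
    """
    avps = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        avps.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return avps


def integer_value(avps, attr_type):
    """Return the first integer attribute of the given type, or None if absent."""
    for t, v in avps:
        if t == attr_type:
            if len(v) != 4:
                raise ValueError("integer attribute %d has length %d" % (attr_type, len(v)))
            return struct.unpack("!I", v)[0]
    return None


def effective_reauth(access_accept_avps, switch_reauth_period, honours_radius_timers):
    """Decide what happens when the authenticated 802.1X session times out.

    Returns (seconds, action) with action 'reauthenticate' or 'terminate'.
    The AVPs must come from an Access-Accept: in an Access-Challenge the same
    Session-Timeout attribute means the EAP retransmission timeout instead.
    honours_radius_timers=False models a switch that ignores both attributes and
    uses its own configured reauth-period (assumed here to have periodic
    reauthentication enabled), which is the behaviour the thread reports.
    """
    timeout = integer_value(access_accept_avps, SESSION_TIMEOUT)
    action = integer_value(access_accept_avps, TERMINATION_ACTION)
    if not honours_radius_timers or timeout is None:
        return (switch_reauth_period, "reauthenticate")
    if action == TERM_RADIUS_REQUEST:
        return (timeout, "reauthenticate")
    # Absent Termination-Action is treated like Default in this example.
    return (timeout, "terminate")


def demo():
    """Constructed scenario: one user gets a 300 s reauth interval from RADIUS,
    the switch itself is configured for 3600 s."""
    avps = parse_avps(build_reauth_avps(300))
    return {
        "honouring_nas": effective_reauth(avps, 3600, honours_radius_timers=True),
        "ignoring_nas": effective_reauth(avps, 3600, honours_radius_timers=False),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the gap Matt is describing: the honouring NAS reauthenticates the user every 300 seconds as the RADIUS server asked, while the ignoring NAS applies the switch-wide 3600 seconds to everyone regardless of what the Access-Accept carried.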

  3. Matt (Guest)

    Re: 802.1x + RADIUS Session-Timeout / Termination-Action + Catalyst 2950G

    Thomas --

    Yes, I understand that wireless would require support for
    Session-Timeout and Termination-Action for rekeying. I'm looking to
    dynamically assign these values, though, on a per-user basis using
    RADIUS attributes in a WIRED environment. It appears Cisco has chosen
    not to fully implement RFC 3580, Section 3.17, 3.19 in their wired
    products -- probably under the same rationale you provide. At least
    that's what I'm wondering if anyone can confirm ... I presume you
    concur with this observation, no?

    --Matt

     
    Matt, Nov 9, 2004
    #3
  4. Thomas K (Guest)

    Re: 802.1x + RADIUS Session-Timeout / Termination-Action + Catalyst 2950G

    Matt,

    There are NO encryption keys on wired environments. So even if you somehow
    could hack that feature, the client workstations (the supplicants) on a
    wired LAN would not encrypt their traffic.
    What exactly are you trying to do?

    T

     
    Thomas K, Nov 10, 2004
    #4
  5. Matt (Guest)

    Re: 802.1x + RADIUS Session-Timeout / Termination-Action + Catalyst 2950G

    No, no, I'm definitely _not_ saying WPA/WEP/encryption/etc. or anything
    like that runs on a wired LAN... back up there. I merely want to send
    802.1x reauthentication timers to a Catalyst 2950G switch from RADIUS
    for supplicants being authenticated to switch ports. I don't want
    interface-specific or switch-global timers [as you can do today by
    commands in the switch config] -- I want USER SPECIFIC via RADIUS, as
    outlined in RFC 3580, Section 3.17, 3.19. Is that more clear?
    Specifically, I have a set of users that I want to have VERY aggressive
    802.1x reauthentication timers. Due to the mobility of the users and
    the potential impact on RADIUS, it would be inappropriate for me to set
    these on a port or switch-wide basis. :)

    Thanks,

    --Matt

     
    Matt, Nov 10, 2004
    #5