IEEE 802.1X RADIUS-Supplied Session Timeout

The IEEE 802.1X RADIUS-Supplied Session Timeout feature allows a device port to be specified to use either a locally configured or a RADIUS-provided reauthentication timeout.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for IEEE 802.1X RADIUS-Supplied Session Timeout

The following tasks must be completed before implementing the IEEE 802.1X RADIUS-Supplied Session feature:

  • IEEE 802.1X must be enabled on the device port.

  • The device must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs).

  • EAP support must be enabled on the RADIUS server.

  • You must configure the IEEE 802.1X supplicant to send an EAP-logoff (Stop) message to the switch when the user logs off. If you do not configure the IEEE 802.1X supplicant, an EAP-logoff message is not sent to the switch and the accompanying accounting Stop message is not sent to the authentication server. See the Microsoft Knowledge Base article at the location http:/​/​support.microsoft.com and set the SupplicantMode registry to 3 and the AuthMode registry to 1.

  • Authentication, authorization, and accounting (AAA) must be configured on the port for all network-related service requests. The authentication method list must be enabled and specified. A method list describes the sequence and authentication method to be queried to authenticate a user. See the IEEE 802.1X Authenticator feature module for information.

  • The port must be successfully authenticated.

The IEEE 802.1X RADIUS-Supplied Session feature is available only on Cisco 89x and 88x series integrated switching routers (ISRs) that support switch ports.

The following ISR-G2 routers are supported:

  • 1900

  • 2900

  • 3900

  • 3900e

The following cards or modules support switch ports:

  • Enhanced High-speed WAN interface cards (EHWICs) with ACL support:

    • EHWIC-4ESG-P

    • EHWIC-9ESG-P

    • EHWIC-4ESG

    • EHWIC-9ESG

  • High-speed WAN interface cards (HWICs) without ACL support:

    • HWIC-4ESW-P

    • HWIC-9ESW-P

    • HWIC-4ESW

    • HWIC-9ES


Note

Not all Cisco ISR routers support all the components listed. For information about module compatibility with a specific router platform, see Cisco EtherSwitch Modules Comparison.

To determine whether your router has switch ports that can be configured with the IEEE 802.1X port-based authentication feature, use the show interfaces switchport command.

Restrictions for IEEE 802.1X RADIUS-Supplied Session Timeout

  • The IEEE 802.1X RADIUS-Supplied Session Timeout feature is available only on a Cisco ISR switch port.

  • This feature does not support standard ACLs on the switch port.

Information About IEEE 802.1X RADIUS-Supplied Session Timeout

IEEE 802.1X RADIUS-Supplied Session Timeout

You can specify whether a device port uses a locally configured or a RADIUS-provided reauthentication timeout. If the device port is configured to use the local timeout, it reauthenticates the host when the timer expires.

If the device port is configured to use the RADIUS-provided timeout, it looks in the RADIUS Access-Accept message for the Session-Timeout and optional Termination-Action attributes. The device port uses the value of the Session-Timeout attribute to determine the duration of the session, and it uses the value of the Termination-Action attribute to determine the device action when the session’s timer expires.

If the Termination-Action attribute is present and its value is RADIUS-Request, the device port reauthenticates the host. If the Termination-Action attribute is not present, or its value is Default, the device port terminates the session.


Note

The supplicant on the port detects that its session has been terminated and attempts to initiate a new session. Unless the authentication server treats this new session differently, the supplicant may see only a brief interruption in network connectivity as the device sets up a new session.

If the device port is configured to use the RADIUS-supplied timeout, but the Access-Accept message does not include a Session-Timeout attribute, the device port never reauthenticates the supplicant. This behavior is consistent with Cisco’s wireless access points.

How to Configure IEEE 802.1X RADIUS-Supplied Session Timeout

Configuring IEEE 802.1X RADIUS-Supplied Session Timeout

Before You Begin


Note

This section describes IEEE 802.1X security features available only on the switch ports in a Cisco ISR.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type slot/port

    4.    switchport mode access

    5.    dot1x pae authenticator

    6.    dot1x timeout reauth-period seconds

    7.    end

    8.    show dot1x interface


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 interface type slot/port


    Example:
    Device(config-if)# interface fastethernet 7/1
     

    Enters interface configuration mode.

     
    Step 4 switchport mode access


    Example:
    Device(config-if)# switchport mode access
     

    Specifies a nontrunking, nontagged single VLAN Layer 2 interface.

     
    Step 5 dot1x pae authenticator


    Example:
    Device(config-if)# dot1x pae authenticator
     

    Specifies the Port Access Entity (PAE) type so that the interface acts only as an authenticator and does not respond to any messages meant for a supplicant.

     
    Step 6 dot1x timeout reauth-period seconds


    Example:
    Device(config)# dot1x timeout reauth-period 4000
     

    Sets the re-authentication period (seconds).

     
    Step 7 end


    Example:
    Device(config)# end
     

    Returns to privileged EXEC mode.

     
    Step 8 show dot1x interface


    Example:
    Device(config)# show dot1x interface fastethernet 7/1 det
     

    Verifies your entries.

     

    Configuration Example for IEEE 802.1X RADIUS-Supplied Session Timeout

    Example Configuring IEEE 802.1X RADIUS-Supplied Session Timeout

    The following example shows how to configure the switch to derive the re-authentication period from the server and to verify the configuration: 

    Device# configure terminal
Device(config)# interface fastethernet 7/1
Device(config-if)# switchport mode access
Device(config-if)# dot1x pae authenticator
Device(config-if)# dot1x timeout reauth-period server
Device(config-if)# end
Device# show dot1x interface fastethernet 7/1 details

Dot1x Info for FastEthernet7/11
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = FORCE_AUTHORIZED
ControlDirection          = Both 
HostMode                  = SINGLE_HOST
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = (From Authentication Server)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
Dot1x Authenticator Client List Empty
Port Status               = AUTHORIZED

    Additional References for IEEE 802.1X Port-Based Authentication

    Related Documents

    Related Topic

    Document Title

    Cisco IOS commands

    Cisco IOS Master Command List, All Releases

    Security commands

    Standards and RFCs

    Standard/RFC Title

    IEEE 802.1X

    Port Based Network Access Control

    RFC 3580

    IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

    MIBs

    MIB

    MIBs Link

    • Cisco-PAE-MIB

    • IEEE8021-PAE-MIB

    To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

    http:/​/​www.cisco.com/​go/​mibs

    Technical Assistance

    Description

    Link

    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

    Feature Information for IEEE 802.1X RADIUS-Supplied Session Timeout

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.
    Table 1 Feature Information for IEEE 802.1X RADIUS-Supplied Session Timeout

    Feature Name

    Releases

    Feature Information

    IEEE 802.1X RADIUS-Supplied Session Timeout

    12.4(11)T

    The IEEE 802.1X RADIUS-Supplied Session Timeout feature allows a switch port to be specified to use either a locally configured or a RADIUS-provided reauthentication timeout.