
802.1x authentication - authenticated users not consistently showing as online

NeilR
Esteemed Contributor

I currently run 802.1x wired on all user access ports (HP 2910). I have need to extend the network past the access switch using a small switch (HP 2915) in some areas of the shop. These ports use the same 802.1x config, same RADIUS server etc.

As I don't want to leave open ports, I use the supplicant on the 2915 to authenticate against an access service in iMC. The users have another iMC access service.

When I check via terminal, the user will show as authenticated on either 2910 or 2915, has been assigned the correct VLAN, and is able to access the network.

The problem is that users do not show up consistently as online in iMC. I can toggle a user's interface enabled/disabled - some show up right away, others don't.

Sometimes the 2910 is more reliable and the 2915 less so, but not consistently.

It's good that authentication is seemingly taking place reliably, but tracking users is an important management and troubleshooting task.

Perhaps the iMC server performance or DB performance is an issue?

Is rapid toggling of user state causing the DB to lag?

Are there RADIUS accounting settings that might help? Any other suggestions?

thx!

Pack3tL0ss
Valued Contributor
Solution

Re: 802.1x authentication - authenticated users not consistently showing as online

Neil,

Accounting is likely the crucial bit here. UAM will send an Access-Accept, iMC will then wait for an accounting packet for that user, and if it gets the appropriate accounting packet the user will then show online. By default UAM will wait 5 seconds for the accounting packet after it sends the Access-Accept.

I have seen this inconsistent behavior on some clients that take longer, for whatever reason, to send the accounting packet. Fortunately the "Authentication Lock Time" (the amount of time UAM will wait for the initial accounting packet from an authenticated user) is adjustable.

User-->User Access Policy-->Service Parameters-->System Settings-->System Parameters...

The top right field should be "Authentication Lock Time (Seconds)", which I believe is defaulted to 5; mine is set to 15 as I was seeing the same inconsistency you were. A packet trace run on the iMC server, filtered on RADIUS, could confirm the time between the Access-Accept and the accounting packet... if it's longer than that setting then the user will not show online.

Hope it helps,

PL

NeilR
Esteemed Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

This was the problem, or at least one aspect of it. iMC seems to detect user log in and log out consistently.

However, I noticed if I sign in with the same username more than once on the same switch I only see 1 entry for that user. If I log in more than once across different devices I see the correct number of entries.

I'm hoping this will solve the problem when the reauth period expires and the switch requests reauthentication. So far my users "drop off" iMC after some period - I'm not sure how long, since it's overnight usually when I'm working on this.

Think that would be related to the same setting, or is there something else going on?

thanks!

PS - it appears that users synched from LDAP are showing up. But local users created on iMC only show up once as logged in. After that they are not shown as online, even though they are shown authenticated on the switch.

NeilR
Esteemed Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

So it looks like the change to Authentication Lock Time has resolved the issue of users showing as auth'd on both primary and subsidiary access switches, both as changes occur and over time.

I'm set at 20 secs. Is there a downside to too long?

The description of this parameter would not have led me to see that as the solution, but makes me wonder about too long a period:

  • Authentication Lock Time: A time range from the time the user is authorized to the accounting start time in which the authenticated user cannot be reauthenticated.

Still have the issue with non-LDAP users not showing up as logged in.

Pack3tL0ss
Valued Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

Yeah, it doesn't come right out and say that the setting can impact a user's online status. If an accounting packet comes in after the lock time has expired, that user won't show as online.

I don't see much of a down-side to bumping it up, it only locks that user. So once user 'bob' has successfully authenticated, for 20 seconds he is not allowed to re-authenticate; actually it's probably 20 seconds or however long it takes for the initial accounting packet to be sent. I would imagine the timer goes away once the accounting packet comes in.

The only potential down-side I could think of is if a user authenticating wireless connects to an AP, authenticates and gets online, but roams to a new AP before the initial accounting packet is received by iMC. I believe when that user roams another authentication request is made. I think the likelihood is fairly low. On the HP 830 wireless controller, the accounting packet was coming in after about 9 seconds.

By non-LDAP users, you mean they are configured directly in iMC? I would run Wireshark on the iMC server, filter by RADIUS (and the IP of the access device if you have a lot) and see if you are seeing the accounting packet come in after the Access-Accept.
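The check suggested in the two replies above (the Access-Accept to Accounting-Start gap against the Authentication Lock Time, confirmed with a RADIUS-filtered capture) can be automated once the capture is exported to text. The script below is an added example; it is not code from the thread or from HPE iMC. It assumes a constructed, space-separated summary of the capture (timestamp, NAS IP, packet type, User-Name; the "Accounting-Start" type stands in for an Accounting-Request with Acct-Status-Type=Start) and the function and user names are hypothetical. For each user it reports the delay after the latest Access-Accept, classifies the user as UAM would (online, missed the lock window, or no accounting seen at all), and suggests a lock time that covers the slowest NAS observed.

```python
"""Estimate the Access-Accept -> Accounting-Start delay per user from a RADIUS
capture summary and flag users whose delay exceeds the UAM Authentication Lock
Time. Added example (not from the thread or from HPE iMC)."""
import math
from datetime import datetime
from typing import Dict, Iterator, Optional, Tuple

# Constructed sample, not real traffic: one line per RADIUS packet as exported
# from a capture filtered on "radius". Columns: timestamp, NAS IP, packet type,
# User-Name. The three users cover the three outcomes classify() distinguishes.
SAMPLE_LOG = """\
2024-05-01T08:00:00.000 10.0.0.11 Access-Request bob
2024-05-01T08:00:00.120 10.0.0.11 Access-Accept bob
2024-05-01T08:00:02.500 10.0.0.11 Accounting-Start bob
2024-05-01T08:00:05.000 10.0.0.12 Access-Accept alice
2024-05-01T08:00:17.900 10.0.0.12 Accounting-Start alice
2024-05-01T08:01:00.000 10.0.0.11 Access-Accept printer01
"""


def parse_log(text: str) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, nas_ip, packet_type, user); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def accounting_delays(text: str) -> Dict[str, Optional[float]]:
    """Seconds from each user's latest Access-Accept to the first Accounting-Start
    that follows it; None when the NAS never sent the start record."""
    accept_at: Dict[str, datetime] = {}
    delays: Dict[str, Optional[float]] = {}
    for ts, _nas, ptype, user in parse_log(text):
        if ptype == "Access-Accept":
            # A re-authentication restarts the window for that user.
            accept_at[user] = ts
            delays[user] = None
        elif ptype == "Accounting-Start" and user in accept_at:
            if delays[user] is None:
                delays[user] = (ts - accept_at[user]).total_seconds()
    return delays


def classify(delays: Dict[str, Optional[float]], lock_time_seconds: float) -> Dict[str, str]:
    """'online' if accounting arrived inside the lock window, 'missed' if it
    arrived later (UAM will not show the user online), 'no-accounting' otherwise."""
    result: Dict[str, str] = {}
    for user, delay in delays.items():
        if delay is None:
            result[user] = "no-accounting"
        elif delay <= lock_time_seconds:
            result[user] = "online"
        else:
            result[user] = "missed"
    return result


def suggested_lock_time(delays: Dict[str, Optional[float]], margin_seconds: float = 5.0) -> int:
    """Whole seconds covering the slowest observed Accounting-Start plus a margin."""
    observed = [d for d in delays.values() if d is not None]
    if not observed:
        return int(math.ceil(margin_seconds))
    return int(math.ceil(max(observed) + margin_seconds))


if __name__ == "__main__":
    delays = accounting_delays(SAMPLE_LOG)
    for user, status in classify(delays, 5).items():
        print(f"{user:10} delay={delays[user]}  status={status}")
    print("suggested Authentication Lock Time:", suggested_lock_time(delays))
```

With the default 5-second lock time the sample shows bob online, alice missed (her NAS took 12.9 s) and printer01 with no accounting at all; the last case is the one a larger lock time will never fix, so it is worth separating from the slow-NAS case before changing the setting.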

NeilR
Esteemed Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

Yes - those users configured directly in iMC. In most cases I synched them via LDAP then unbound them because they were using MD5 challenge and for some reason LDAP won't accept an MD5 challenge - even though it can be configured in the services. Setting passwords later.

Have not yet w/s but I see the accounting and authentication success for these users in the RADIUS track feature under Users/Access Log.

UPDATE: Wireshark confirms that for these users the delay can be anywhere from 10 to 45 secs or so. I have set it for a minute now and they are now showing up in the logged in users area.

The LDAP authenticated users seem to generate accounting packets quicker, but still variable - not sure why.

thx

NeilR
Esteemed Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

The online users are still inconsistent. After several days it's only displaying 3 of 8 users previously shown as online.

But if I log into the access devices I can see all of them shown as authenticated.

And it's not by switch - on the same switch I have both visible and invisible users to iMC.

Any ideas?

Increase the authentication lock time? It's set at 60 right now.

NeilR
Esteemed Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

Increased the lock time to 90 secs. Seems to have helped the MAC authenticated printers, phones and non-LDAP users stay logged in overnight.

However the LDAP users have disappeared. NAS error in the Access Details log:

Access Duration:    23Hr59Min59Sec                Offline Cause:     Nas Error

Which happens to correspond to the Max Session duration. However this doesn't really log people off - just closes out their session information.

Have I overridden the lock out somewhere else?

Value can be from zero (unlimited?) to 315360000 (ten years) - ten years will exceed my time here most likely so that will work....

Pack3tL0ss
Valued Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

I'd never run across that. I tested it in the lab and setting it to 0 is apparently not = unlimited. Once I killed the connections for all the clients none of them could get back on. I set it to 315360000 and they immediately started connecting again.

I expect the feature is there as a security mechanism, essentially making clients re-authenticate after 24 hours, but it sounds like, the way you are describing it, it's not sending a disconnect to the device, so the client still thinks the session is active and doesn't know to authenticate again.

If I get the chance I'll set it to a lower number and capture packets to see if UAM is sending a RADIUS disconnect when it hits the timer.

NeilR
Esteemed Contributor

Re: 802.1x authentication - authenticated users not consistently showing as online

No, 0 is not unlimited, unlike some other settings in iMC (one of my frustrations - inconsistent implementation).

I'm re-authing the ports at the switch level every 2 hours if that has any bearing. But I don't recall ever being denied access or cut off.

Since updating the setting to the max value, I now have some user sessions at 26 hours. Sessions under way when the value was changed expired at the 24 hour mark.