09-29-2014 06:33 PM
I currently run 802.1x wired on all user access ports (HP 2910). I have a need to extend the network past the access switch using a small switch (HP 2915) in some areas of the shop. These ports use the same 802 config, same radius server etc.
As I don't want to leave open ports, I use the supplicant on the 2915 to authenticate against an access service in imc. The users have another imc access service.
When I check via terminal, the user will show as authenticated on either 2910 or 2915, has been assigned the correct vlan, and is able to access the network.
The problem is that users do not show up consistently as online in imc. I can toggle a user's interface enabled/disabled - some show up right away, others don't.
Sometimes the 2910 is more reliable and the 2915 less so, but not consistently.
It's good that authentication is seemingly taking place reliably, but tracking users is an important management and troubleshooting task.
Perhaps the iMC server performance or db performance is an issue?
Is rapid toggling of user state causing the db to lag?
Are there radius accounting settings that might help? Any other suggestions?
thx!
10-01-2014 10:49 AM
Neil,
Accounting is likely the crucial bit here. UAM will send an access accept, IMC will then wait for an accounting packet for that user, and if it gets the appropriate accounting packet the user will then show online. By default UAM will wait 5 seconds for the accounting packet after it sends the Access Accept.
I have seen this inconsistent behavior on some clients that take longer, for whatever reason, to send the accounting packet. Fortunately the "Authentication Lock Time" (Amount of time UAM will wait for the initial accounting packet from an authenticated user) is adjustable.
User-->User Access Policy-->Service Parameters-->System Settings-->System Parameters...
Top right field should be "Authentication Lock Time (Seconds)", which I believe is defaulted to 5; mine is set to 15 as I was seeing the same inconsistency you were. A packet trace run on the IMC server, filtered on radius, could confirm the time between the access accept and the accounting packet... if it's longer than that setting then the user will not show online.
Hope it helps,
PL
10-01-2014 02:27 PM - edited 10-01-2014 05:58 PM
Re: 802.1x authentication - authenticated users not consistently showing as online
This was the problem, or at least one aspect of it. IMC seems to detect user log in and log out consistently.
However, I noticed if I sign in with the same username more than once on the same switch I only see 1 entry for that user. If I log in more than once across different devices I see the correct number of entries.
I'm hoping this will solve the problem when the reauth period expires and the switch requests reauthentication. So far my users "drop off" imc after some period - I'm not sure since it's overnight usually when I'm working on this.
Think that would be related to the same setting, or is there something else going on?
thanks!
PS - it appears that users synched from LDAP are showing up. But local users created on imc only show up once as logged in. After that they are not shown as online, even though they are shown authenticated on the switch.
10-03-2014 12:36 PM
So it looks like the change to Authentication Lock Time has resolved the issue of users showing as auth'd on both primary and subsidiary access switches, both as changes occur and over time.
I'm set at 20 secs. Is there a downside to too long?
The description of this parameter would not have led me to see that as the solution, but makes me wonder about too long a period:
- Authentication Lock Time: A time range from the time the user is authorized to the accounting start time in which the authenticated user cannot be reauthenticated.
Still have issue with non LDAP users not showing up as logged in.
10-03-2014 07:16 PM
Yeah, it doesn't come right out and say that the setting can impact a user's online status. If an accounting packet comes in after the lock time has expired, that user won't show as online.
I don't see much of a down-side to bumping it up, it only locks that user. So once user 'bob' has successfully authenticated, for 20 seconds he is not allowed to re-authenticate; actually it's probably 20 seconds or however long it takes for the initial accounting packet to be sent. I would imagine the timer goes away once the accounting packet comes in.
The only potential down-side I could think of is if a user authenticating wireless connects to an AP and authenticates and gets online, but roams to a new AP before the initial accounting packet is received by IMC. I believe when that user roams another authentication request is made. I think the likelihood is fairly low. On the HP 830 wireless controller, the accounting packet was coming in after about 9 seconds.
By non-LDAP users, you mean they are configured directly in IMC? I would run wireshark on the IMC server, filter by radius (and the IP of the access device if you have a lot) and see if you are seeing the Accounting packet come in after the access accept.
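The check PL describes in the accepted answer and again here (measure the gap between Access-Accept and the first Accounting-Request Start per user, compare it against the Authentication Lock Time) can be scripted once the trace is exported. The following is an added example, not code from the thread or from IMC; the event tuples are a constructed sample and their layout is an assumption, not a real Wireshark/tshark export format.

```python
"""Find users whose RADIUS Accounting Start arrives later than UAM's
Authentication Lock Time, which is why they never show as online in IMC."""

# Constructed sample events: (seconds since capture start, RADIUS code,
# User-Name, Acct-Status-Type or None). Not a real tshark field layout.
SAMPLE_EVENTS = [
    (0.00, "Access-Request", "alice", None),
    (0.05, "Access-Accept", "alice", None),
    (3.20, "Accounting-Request", "alice", "Start"),
    (1.00, "Access-Request", "bob", None),
    (1.10, "Access-Accept", "bob", None),
    (13.40, "Accounting-Request", "bob", "Start"),
    (2.00, "Access-Request", "printer01", None),
    (2.10, "Access-Accept", "printer01", None),
    (2.50, "Access-Request", "carol", None),
    (2.55, "Access-Reject", "carol", None),          # never authorised: ignored
    (5.00, "Access-Accept", "phone02", None),        # accepted, no Start at all
    (40.00, "Accounting-Request", "printer01", "Start"),
    (90.00, "Accounting-Request", "bob", "Interim-Update"),  # not a Start
]


def accounting_start_delays(events):
    """Map each accepted user to the list of delays (seconds) between an
    Access-Accept and the next Accounting Start for that user.
    A user with an Access-Accept but no Start gets an empty list."""
    pending = {}   # user -> time of the Access-Accept still awaiting a Start
    delays = {}
    for t, code, user, status in sorted(events, key=lambda e: e[0]):
        if code == "Access-Accept":
            pending[user] = t
            delays.setdefault(user, [])
        elif code == "Accounting-Request" and status == "Start" and user in pending:
            delays[user].append(round(t - pending.pop(user), 2))
    return delays


def flag_users(events, lock_time_seconds):
    """Return {user: reason} for users UAM would not mark online: the Start
    came after the lock time expired, or never came at all."""
    report = {}
    for user, ds in accounting_start_delays(events).items():
        if not ds:
            report[user] = "no Accounting Start seen after Access-Accept"
        elif max(ds) > lock_time_seconds:
            report[user] = (f"Accounting Start arrived {max(ds):.2f}s after "
                            f"Access-Accept (lock time {lock_time_seconds}s)")
    return report
```

With the sample data the default 5 second lock time flags bob and printer01; raising it to 15 (PL's value) still flags printer01, and at 60 only phone02 remains, which is the "accepted but no accounting" case the packet trace is meant to expose.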
10-07-2014 06:14 PM - edited 10-08-2014 02:19 PM
Yes - those users configured directly in imc. In most cases I synched them via LDAP then unbound them because they were using MD5 challenge and for some reason LDAP won't accept an MD5 challenge - even though it can be configured in the services. Setting passwords later.
Have not yet w/s, but I see the accounting and authentication success for these users in the radius track feature under Users/ Access Log.
UPDATE: Wireshark confirms that for these users the delay can be anywhere from 10 to 45 secs or so. I have set it for a minute now and they are now showing up in the logged in users area.
The LDAP authenticated users seem to generate accounting packets quicker, but still variable - not sure why.
thx
10-13-2014 03:53 PM
The on-line users are still inconsistent. After several days it's only displaying 3 of 8 users previously shown as on-line.
But if I log into the access devices I can see all of them as shown authenticated.
And it's not by switch - on the same switch I have both visible and invisible users to imc.
Any ideas?
Increase the authentication lock time? It's set at 60 right now.
10-14-2014 05:04 PM
Increased the lock time to 90 secs. Seems to have helped the mac authenticated printers, phones and non LDAP users stay logged in over night.
However the LDAP users have disappeared. NAS error in the Access Details log:
Access Duration: 23Hr59Min59Sec Offline Cause: Nas Error
Which happens to correspond to the Max Session duration. However this doesn't really log people off - it just closes out their session information.
Have I overridden the lock out somewhere else?
Value can be from zero (unlimited?) to 315360000 (ten years) - ten years will exceed my time here most likely so that will work....
10-15-2014 04:24 PM - edited 10-15-2014 04:25 PM
I'd never run across that. I tested it in the lab and setting it to 0 is apparently not equal to unlimited. Once I killed the connections for all the clients none of them could get back on. I set it to 315360000 and they immediately started connecting again.
I expect the feature is there as a security mechanism, essentially making clients re-authenticate after 24 hours, but it sounds like the way you are describing it, it's not sending a disconnect to the device, so the client still thinks the session is active and doesn't know to authenticate again.
If I get the chance I'll set it to a lower number and capture packets to see if UAM is sending a radius disconnect when it hits the timer.
10-15-2014 06:37 PM
No, 0 is not unlimited, unlike some other settings in imc (one of my frustrations - inconsistent implementation).
I'm re-authing the ports at the switch level every 2 hours if that has any bearing. But I don't recall ever being denied access or cut off.
Since updating the setting to the max value, I now have some user sessions at 26 hours. Sessions under way when the value was changed expired at the 24 hour mark.