HPE Community
Comware Based
1832531 Members
7868 Online
110043 Solutions
New Discussion

Cisco ACS RADIUS attributes with HP Switches behavior

 
mitm2010
Occasional Contributor

‎08-28-2016 10:54 AM

‎08-28-2016 10:54 AM

Cisco ACS RADIUS attributes with HP Switches behavior

Hello,

The last week I was with the HPE network team to configure HP switches (COMWARE) with our Cisco ACS used for RADIUS services.

We encountered a problem that opened a big discussion and debate, that I appreciated, with a great team of HPE network engineers

  1. In the production environment, we have already Cisco switches configured with our Cisco ACS 5.4 and working fine.
  2. The only configured RADIUS IETF attributes are described in the screenshot.
With these configurations IP Phone and Printers are working fine with Cisco switches.

When we add the HP switch to this ACS, the IP Phone and Printers used for testing are successfully authenticated and immediately disconnected!!

 But when we delete the “session-timeout” and “Termination-Action” attributes, the IP Phone and the Printer are authenticated and still connected to the network.

 

The RFC 3580 says that:

   When sent along in an Access-Accept without a Termination-Action

   attribute or with a Termination-Action attribute set to Default, the

   Session-Timeout attribute specifies the maximum number of seconds of

   service provided prior to session termination.

   When sent in an Access-Accept along with a Termination-Action value

   of RADIUS-Request, the Session-Timeout attribute specifies the

   maximum number of seconds of service provided prior to re-

   authentication.  In this case, the Session-Timeout attribute is used

   to load the reAuthPeriod constant within the Reauthentication Timer

   state machine of 802.1X.  When sent with a Termination-Action value

   of RADIUS-Request, a Session-Timeout value of zero indicates the

   desire to perform another authentication (possibly of a different

   type) immediately after the first authentication has successfully

   completed.

   When sent in an Access-Challenge, this attribute represents the

   maximum number of seconds that an IEEE 802.1X Authenticator should

   wait for an EAP-Response before retransmitting.  In this case, the

   Session-Timeout attribute is used to load the suppTimeout constant

   within the backend state machine of IEEE 802.1X.

 

My questions are:

  1. Why Cisco switches are working fine with the “session-timeout=0” and “termination action=Default” attributes?
  2. Why we need to delete these parameters for devices (IP Phone and printer) to be working fine with the HP switches?

Please help us!

 Thank you for your replies.

 Best regards.

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.