EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout


Userlevel 6
Hi,

I want to trigger reauth of printers via the RADIUS Session-Timeout attribute. Because I have X440-G1 switches I do not use the policy framework. EXOS 16.1.4.2-Patch-1-3. I use the standard RADIUS attribute Session-Timeout with a value of 604800.

604800 seconds is once a week - this is enough for this demand - and I want to avoid unnecessary communication breaks caused by reauth.

If I use a short period, let's say 5 minutes (for testing purposes), it works - but this long period does not seem to work.

Unfortunately there is no information on what the largest possible value is. Does anybody know this for the X440-G1?

The same question applies to the value of the RADIUS attribute Idle-Timeout!

Best Regards

12 replies

Userlevel 3
According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.
Userlevel 6
Hagemann, Olaf wrote:

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

Hi Olaf,

that's not really long ...

For my demand it is not usable then. I wish I had G2 switches there - the OnePolicy Framework (netlogin) all using higher values (I believe).

So because we cannot change this, I have to look for another solution.

Maybe the Product Manager will equalize that between the G1 and G2 possibilities (because I believe that is only a software limitation).

Do you know anything about the allowed idle-timeout?

Regards,
Matthias
Userlevel 3
Hagemann, Olaf wrote:

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

If you mean the period of time after which a client is removed when it sends no packets, this is bound to the FDB aging timer. Or what exactly do you mean by idle-timeout?

Cheers
Olaf
Userlevel 6
Hagemann, Olaf wrote:

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

I mean the first.
For example, printers or phones send no packets for longer than the standard fdb/netlogin timer of 5 minutes. So I want to extend this to, let's say, 2 hours.

It would be very smart if I could do that with the RADIUS attribute Idle-Timeout.

So what is the maximum value of this for G1 switches?
Userlevel 6
Hagemann, Olaf wrote:

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

OK Olaf - I thought twice about my question - you already told me that in EXOS G1 the idle timeout of a netlogin session is bound to the FDB aging time. If I increase the FDB aging time, the netlogin idle-timeout increases as well.

Looking at the manual I see a wide range of 15 to 1,000,000 seconds. That's OK!

I would be happy if session timeout maybe also got this wide range in a future EXOS ...

Thanks for clarifying that!

Regards
Userlevel 3
Hagemann, Olaf wrote:

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

No idea. Sorry! I am not even sure if this works at all. The only method I have been using in those kinds of scenarios was adjusting the FDB aging timer. Maybe someone else has tested this before.
Userlevel 3
Hagemann, Olaf wrote:

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

You could try the session refresh timer, which is up to 3600 seconds. But that would also require adjusting the FDB aging timer.
Userlevel 6
One general hint to all who are playing around with this:

If you want to check what is possible on EXOS G1 switches (regarding netlogin) you have to look at manuals pre EXOS 16.1.

Starting with EXOS 16.1 the new netlogin OnePolicy Framework comes with enhanced features, which only work on G2 switches.

Regards
Userlevel 7
Hi,

for silent machines, there are several ways to manage it.

- MAC address lockdown with timeout is maybe what you will want to use.

configure mac-lockdown-timeout ports [all | port_list] aging-time seconds
enable mac-lockdown-timeout ports [all | port_list]

The range is between 15 and 2,000,000 seconds. Would that be enough 🙂

- you can configure port restart, so that once the MAC is flushed from the port, that port will do a quick disable/enable that will force the device to speak and re-authenticate.

- do a script
Userlevel 2
Hello Matthias,

(tested with vm-22.1.1.5)

if you enable logging you can see:

03/18/2017 19:09:39.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4294967295, Idle Timeout - 4294967295.

With Session-Timeout/Idle-Timeout set:

03/18/2017 19:12:09.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4222222222, Idle Timeout - 4111111111.

So the switch accepts large values.

But I'm not sure if Idle-Timeout is used. I tested the following values:
Session Timeout - 20, Idle Timeout - 10, fdb - 300

I stopped the client. After 20 seconds the switch reauthenticated the client via RADIUS.
This happened every 20 seconds until the fdb expired after 300 seconds.

If the fdb expires before the Session-Timeout, the client session is removed.
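As an added example (not from any poster in this thread), a small Python check that parses authorization log lines of the format quoted above and flags a Session-Timeout that lies outside the 30-7200 s netlogin reauth range Olaf cited, or that the FDB aging timer will cut short first, as the test above showed. The log lines and MAC addresses are constructed, and the 4294967295 value is treated as "attribute not sent", as in the first log line of this thread.

```python
import re

# Constructed sample lines modelled on the EXOS netlogin authorization log
# quoted in this thread; MACs and timestamps are made up.
SAMPLE_LOG = """\
03/18/2017 19:09:39.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4294967295, Idle Timeout - 4294967295.
03/18/2017 19:12:09.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 604800, Idle Timeout - 7200.
03/18/2017 19:15:00.00 Authorization values for B2-EF-FB-7C-BE-27(userName 'B2EFFB7CBE27') on port 2: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 300, Idle Timeout - 4294967295.
"""

UNSET = 4294967295                  # logged when the RADIUS attribute was not sent
REAUTH_MIN, REAUTH_MAX = 30, 7200   # netlogin reauth range quoted from the command reference in this thread

LINE_RE = re.compile(
    r"Authorization values for (?P<mac>[0-9A-F-]{17}).*?on port (?P<port>\d+):.*?"
    r"Session Timeout - (?P<session>\d+), Idle Timeout - (?P<idle>\d+)\."
)


def parse_auth_lines(text):
    """Return one dict per authorization line; a timeout is None when it was not sent."""
    entries = []
    for m in LINE_RE.finditer(text):
        session, idle = int(m["session"]), int(m["idle"])
        entries.append({"mac": m["mac"], "port": int(m["port"]),
                        "session": None if session == UNSET else session,
                        "idle": None if idle == UNSET else idle})
    return entries


def check_timeouts(entry, fdb_aging):
    """Flag values the switch accepted but that will not behave as an admin might expect."""
    findings = []
    s = entry["session"]
    if s is not None and not (REAUTH_MIN <= s <= REAUTH_MAX):
        findings.append(f"session-timeout {s}s is outside the documented reauth range {REAUTH_MIN}-{REAUTH_MAX}s")
    if s is not None and fdb_aging < s:
        findings.append(f"fdb aging {fdb_aging}s expires before session-timeout {s}s; the session is removed first")
    if entry["idle"] is not None:
        findings.append("idle-timeout was sent, but the test in this thread could not confirm it is honoured; fdb aging governs idle removal")
    return findings


if __name__ == "__main__":
    for e in parse_auth_lines(SAMPLE_LOG):
        print(e["mac"], "port", e["port"], check_timeouts(e, fdb_aging=300) or ["ok"])
```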
Userlevel 2
mac-lockdown-timeout seems to work as documented:

mac-lockdown-timeout - 100, fdb - 50, Session-Timeout - 20, Idle-Timeout - 10

After 77 seconds:
#show mac-lockdown-timeout fdb ports 1
Mac Vlan Age Flags Port
----------------------------------------------------
b2:ef:fb:7c:be:26 Default(0001) 0075 F 1
# show fdb ports 1
Mac Vlan Age Flags Port / Virtual Port List
--------------------------------------------------------------------------------
b2:ef:fb:7c:be:26 Default(0001) 0077 nd m L 1

And after 100 seconds:
Delete client request, 1, B2:EF:FB:7C:BE:26

Reauth every 20 seconds
Userlevel 7
Hi,

then there is the idea to monitor printer availability by sending a ping every 5 minutes (or a bit more often). This can show you if your printers are up and it will refresh the FDB entry.

Another possibility is to synchronize ARP and FDB timeouts (a good idea in general if you have layer 3 ECMP in the network) and use EXOS' ARP refresh mechanism to keep the ARP and thus the FDB entry current.

Yet another possibility is to use
configure netlogin ports [port_list | all] allow egress-traffic [none | unicast| broadcast | all_cast]
to allow broadcasts and thus ARP requests to reach the printer. That way the printer will re-authenticate whenever someone tries to use it.

Thanks,
Erik