EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

  • Question
  • Updated 2 years ago
  • Answered
Hi,

I want to trigger reauth of printers via the RADIUS Session-Timeout attribute. Because I have X440-G1 switches I do not use the policy framework. EXOS 16.1.4.2-Patch-1-3. I use the standard RADIUS attribute Session-Timeout, with a value of 604800.

604800 secs is once a week; this is enough for this demand, and I want to avoid unnecessary communication breaks based on reauth.

If I use a short period, let's say 5 minutes (for testing purposes), it works, but this long-term period seems not to work.

Unfortunately there is no information on which is the largest possible value. Does anybody know this for X440-G1?

The same question applies to the value of the RADIUS attribute Idle-Timeout!


Best Regards

M.Nees, Embassador


Posted 2 years ago


Hagemann, Olaf, Employee

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

Hagemann, Olaf, Employee

If you mean after which period of time a client is removed when sending no packets, this is bound to the FDB aging timer. Or what exactly do you mean by idle-timeout?

Cheers
Olaf

M.Nees, Embassador

I mean the first.
For example, printers or phones send no packets for longer than the standard FDB/netlogin timer of 5 minutes. So I want to extend this to, let's say, 2 hours.

It would be very smart if I could do that with the RADIUS attribute Idle-Timeout.

So what is the maximum value of this regarding G1 switches?

M.Nees, Embassador

OK Olaf, I thought twice about my question; you already told me that in EXOS G1 the idle timeout of a netlogin session is bound to the FDB aging time. If I increase the FDB aging time, the netlogin idle-timeout increases as well.

Looking at the manual I see a wide range of 15 to 1,000,000 seconds. That's OK!

I would be happy if session timeout maybe also got this wide range in a future EXOS ...

Thanks for clarifying that!

Regards

Hagemann, Olaf, Employee

No idea. Sorry! I am not even sure if this works at all. The only method I have been using in those kind of scenarios was adjusting the FDB aging timer. Maybe someone else has tested this before.

Hagemann, Olaf, Employee

You could try the session refresh timer, which is up to 3600 seconds. But that would also require adjusting the FDB aging timer.

M.Nees, Embassador

One general hint to all who are playing around with this:

If you want to check what is possible on EXOS G1 switches (regarding netlogin) you have to look at manuals from before EXOS 16.1.

Starting with EXOS 16.1 the new netlogin OnePolicy framework comes with enhanced features, which only work on G2 switches.

Regards

Grosjean, Stephane, Employee

Hi,

For silent machines, there are several ways to manage it.

- MAC address lockdown with timeout is maybe what you will want to use.

configure mac-lockdown-timeout ports [all | port_list] aging-time seconds
enable mac-lockdown-timeout ports [all | port_list]

The range is between 15 and 2,000,000 seconds. Would that be enough? :)

- You can configure port restart, so that once the MAC is flushed from the port, that port will do a quick disable/enable that will force the device to speak and re-authenticate.

- do a script

Patrick Koppen

Hello Matthias,

(tested with vm-22.1.1.5)

if you enable logging you can see:

03/18/2017 19:09:39.30 <Summ:AAA.RADIUS.SrvrRtrnAccessVal> Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4294967295, Idle Timeout - 4294967295.

With Session-Timeout/Idle-Timeout set:

03/18/2017 19:12:09.30 <Summ:AAA.RADIUS.SrvrRtrnAccessVal> Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4222222222, Idle Timeout - 4111111111.

So the switch accepts large values.

But I'm not sure if Idle-Timeout is used. I tested the following values:
Session Timeout - 20, Idle Timeout - 10, fdb - 300

I stopped the client. After 20 seconds the switch reauthenticated the client via radius.
This happened every 20 seconds till the FDB expired after 300 seconds.

If the fdb expires before the Session-Timeout, the client session is removed.
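A small checker for the SrvrRtrnAccessVal lines shown above, added here as an illustration (not code from the thread or from Extreme): it pulls the Session-Timeout and Idle-Timeout values the switch logged, treats 4294967295 as "attribute not sent" (what the first log line shows), flags values outside the 30..7200 s reauth range Olaf quoted, and flags the case Patrick describes where the FDB aging time is shorter than the Session-Timeout. The third sample line, the port number, and the MAC in it are constructed.

```python
import re
from typing import Dict, List, Optional

UNSET = 4294967295  # logged when the Access-Accept carried no Session-/Idle-Timeout attribute
SESSION_RANGE = (30, 7200)  # netlogin reauth period from the command reference (per Olaf)

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) <Summ:AAA\.RADIUS\.SrvrRtrnAccessVal> Authorization values "
    r"for (?P<mac>[0-9A-Fa-f-]{17})\(userName '(?P<user>[^']*)'\) on port (?P<port>\S+): "
    r".*?Session Timeout - (?P<session>\d+), Idle Timeout - (?P<idle>\d+)\.?$"
)

# Constructed sample: Patrick's two lines (vm-22.1.1.5) plus a made-up third
# line carrying the 604800 s value from the original question.
SAMPLE_LOG = [
    "03/18/2017 19:09:39.30 <Summ:AAA.RADIUS.SrvrRtrnAccessVal> Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4294967295, Idle Timeout - 4294967295.",
    "03/18/2017 19:12:09.30 <Summ:AAA.RADIUS.SrvrRtrnAccessVal> Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4222222222, Idle Timeout - 4111111111.",
    "03/18/2017 19:15:00.00 <Summ:AAA.RADIUS.SrvrRtrnAccessVal> Authorization values for 00-11-22-33-44-55(userName '001122334455') on port 2: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 604800, Idle Timeout - 4294967295.",
]

def parse_access_val(line: str) -> Optional[Dict]:
    """Fields of one SrvrRtrnAccessVal line, or None for any other message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["session"], rec["idle"] = int(rec["session"]), int(rec["idle"])
    return rec

def check_timeouts(rec: Dict, fdb_aging: int) -> List[str]:
    """Findings for one record, given the switch's FDB aging time in seconds."""
    findings, s, i = [], rec["session"], rec["idle"]
    if s == UNSET:
        findings.append("no Session-Timeout in Access-Accept")
    elif not SESSION_RANGE[0] <= s <= SESSION_RANGE[1]:
        findings.append(f"Session-Timeout {s}s outside documented reauth range {SESSION_RANGE}")
    if i == UNSET:
        findings.append("no Idle-Timeout in Access-Accept")
    # Patrick's observation: a silent client is removed when its FDB entry ages
    # out, so an FDB aging time shorter than Session-Timeout never reaches reauth.
    if s != UNSET and fdb_aging < s:
        findings.append(f"FDB aging {fdb_aging}s < Session-Timeout {s}s: silent client dropped before reauth")
    return findings

def audit(lines: List[str], fdb_aging: int = 300) -> List[Dict]:
    """Parse every matching line and attach its findings (default FDB aging 300 s)."""
    recs = [r for r in map(parse_access_val, lines) if r]
    for r in recs:
        r["findings"] = check_timeouts(r, fdb_aging)
    return recs
```

Feed it the output of the switch log with fdb_aging set to your configured FDB aging time; the third sample record reproduces the original question's 604800 s value against the default 300 s aging.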

Patrick Koppen

mac-lockdown-timeout seems to work as documented:

mac-lockdown-timeout - 100, fdb - 50, Session-Timeout - 20, Idle-Timeout - 10

After 77 seconds:
#show mac-lockdown-timeout fdb ports 1
Mac                     Vlan       Age  Flags  Port
----------------------------------------------------
b2:ef:fb:7c:be:26    Default(0001) 0075 F      1
# show fdb ports 1
Mac                     Vlan       Age  Flags           Port / Virtual Port List
--------------------------------------------------------------------------------
b2:ef:fb:7c:be:26    Default(0001) 0077 nd m    L      1
And after 100 seconds:
<Summ:nl.mac.DeleteClient> Delete client request, 1, B2:EF:FB:7C:BE:26
Reauth every 20 seconds

Erik Auerswald, Embassador

Hi,

then there is the idea to monitor printer availability by sending a ping every 5 minutes (or a bit more often). This can show you if your printers are up and it will refresh the FDB entry.

Another possibility is to synchronize ARP and FDB timeouts (a good idea in general if you have layer 3 ECMP in the network) and use EXOS' ARP refresh mechanism to keep the ARP and thus the FDB entry current.

Yet another possibility is to use
configure netlogin ports [port_list | all] allow egress-traffic [none | unicast| broadcast | all_cast]
to allow broadcasts and thus ARP requests to reach the printer. That way the printer will re-authenticate whenever someone tries to use it.

Thanks,
Erik