
EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout


M_Nees
Contributor III
Hi,

I want to trigger reauth of printers via the RADIUS Session Timeout attribute. Because I have X440-G1 switches I do not use the policy framework. EXOS 16.1.4.2-Patch-1-3. I use the standard RADIUS attribute Session-Timeout, with a value of 604800.

604800 secs is 1 time a week - this is enough for this demand - and I want to avoid unnecessary communication breaks based on reauth.

If I use a short period, let's say 5 minutes (for testing purposes), it works - but this long-term period seems not to work.

Unfortunately there is no information on which is the largest possible value. Does anybody know this for the X440-G1?

The same question applies to the value of the RADIUS attribute Idle-Timeout!

Best Regards
12 REPLIES

Erik_Auerswald
Contributor II
Hi,

then there is the idea to monitor printer availability by sending a ping every 5 minutes (or a bit more often). This can show you if your printers are up and it will refresh the FDB entry.

Another possibility is to synchronize ARP and FDB timeouts (a good idea in general if you have layer 3 ECMP in the network) and use EXOS' ARP refresh mechanism to keep the ARP and thus the FDB entry current.

Yet another possibility is to use

configure netlogin ports [port_list | all] allow egress-traffic [none | unicast | broadcast | all_cast]

to allow broadcasts and thus ARP requests to reach the printer. That way the printer will re-authenticate whenever someone tries to use it.

Thanks,
Erik

Patrick_Koppen
Contributor
mac-lockdown-timeout seems to work as documented:

mac-lockdown-timeout - 100, fdb - 50, Session-Timeout - 20, Idle-Timeout - 10

After 77 seconds:
#show mac-lockdown-timeout fdb ports 1
Mac Vlan Age Flags Port
----------------------------------------------------
b2:ef:fb:7c:be:26 Default(0001) 0075 F 1
# show fdb ports 1
Mac Vlan Age Flags Port / Virtual Port List
--------------------------------------------------------------------------------
b2:ef:fb:7c:be:26 Default(0001) 0077 nd m L 1

And after 100 seconds:
Delete client request, 1, B2:EF:FB:7C:BE:26

Reauth every 20 seconds

Patrick_Koppen
Contributor
Hello Matthias,

(tested with vm-22.1.1.5)

if you enable logging you can see:

03/18/2017 19:09:39.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4294967295, Idle Timeout - 4294967295.
With Session-Timeout/Idle-Timeout set:

03/18/2017 19:12:09.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4222222222, Idle Timeout - 4111111111.
So the switch accepts large values.

But I'm not sure if Idle-Timeout is used. I tested the following values:
Session Timeout - 20, Idle Timeout - 10, fdb - 300

I stopped the client. After 20 seconds the switch reauthenticated the client via RADIUS.
This happened every 20 seconds till the fdb expired after 300 seconds.

If the fdb expires before the Session-Timeout, the client session is removed.
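
Added example (not part of any post in this thread and not Extreme's code): a small Python parser for the "Authorization values" log line quoted above, flagging the situations reported in that post. The FDB aging time of 300 seconds is the value from the test above; the third sample line, with its timestamp, MAC and port, is constructed.

```python
import re

# Value the switch logged in the thread when RADIUS sent no timeout attribute.
UNSET = 0xFFFFFFFF  # 4294967295

AUTH_RE = re.compile(
    r"Authorization values for (?P<mac>[0-9A-Fa-f-]{17})\(userName '[^']*'\) "
    r"on port (?P<port>\S+):.*?"
    r"Session Timeout - (?P<session>\d+), Idle Timeout - (?P<idle>\d+)"
)

def parse_authorization(line):
    """Extract MAC, port and both timeouts from one netlogin log line."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    return {"mac": m["mac"].replace("-", ":").lower(), "port": m["port"],
            "session_timeout": int(m["session"]), "idle_timeout": int(m["idle"])}

def review(entry, fdb_aging):
    """List mismatches between the logged timeouts and the FDB aging time (s)."""
    findings = []
    session = entry["session_timeout"]
    if session == UNSET:
        findings.append("session-timeout-unset")
    elif session > fdb_aging:
        # Reported in the thread: if the FDB entry expires first, the client
        # session is removed, so a silent device never reaches its reauth.
        findings.append("fdb-expires-before-session-timeout")
    if entry["idle_timeout"] != UNSET:
        # The thread could not confirm that the switch acts on Idle-Timeout.
        findings.append("idle-timeout-set-effect-unconfirmed")
    return findings

COMMON = ("Access level - unknown, Tunnel Type - none, Tunnel Medium - none, "
          "Tunnel Group Id - 0, ")
SAMPLE_LOG = [
    # Two lines as quoted in the thread.
    "03/18/2017 19:09:39.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') "
    "on port 1: " + COMMON + "Session Timeout - 4294967295, Idle Timeout - 4294967295.",
    "03/18/2017 19:12:09.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') "
    "on port 1: " + COMMON + "Session Timeout - 4222222222, Idle Timeout - 4111111111.",
    # Constructed line: the weekly value from the question, documentation MAC.
    "03/18/2017 19:15:00.00 Authorization values for 00-00-5E-00-53-01(userName '00005E005301') "
    "on port 2: " + COMMON + "Session Timeout - 604800, Idle Timeout - 4294967295.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        entry = parse_authorization(line)
        print(entry["mac"], entry["port"], review(entry, fdb_aging=300))
```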

Stephane_Grosj1
Extreme Employee
Hi,

for silent machines, there are several ways to manage it.

- mac address lockdown with timeout is maybe what you will want to use.

configure mac-lockdown-timeout ports [all | port_list] aging-time seconds
enable mac-lockdown-timeout ports [all | port_list]

range is between 15 and 2,000,000 seconds. Would that be enough 🙂

- you can configure port restart, so that once the mac is flushed from the port, that port will do a quick disable/enable that will force the device to speak and re-authenticate.

- do a script