topic RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout in ExtremeWireless (General)

EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

M_Nees — Sat, 18 Mar 2017 15:28:00 GMT

Hi,

i want trigger reauth of printers via RADIUS Session Timeout Attribute. Because i have X440-G1 switches i do not use the policy framework. EXOS 16.1.4.2-Patch-1-3. I use the standard RADIUS Attribute Session-Timeout, with value of 604800.

604800 secs is 1 time a week - this is enough for this demand - and i want to avoid unnecessary communication breaks based on reauth.

If i use a short period let's say 5 minutes (for testing purpose) it works - but this long term period seem not to work.

Unfortunately there is no information which is the largest possible value. Does anybody know this for X440-G1.

Same question is regarding Value of RADIUS Attribute Idle-Timeout !

Best Regards

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

AnonymousM — Sat, 18 Mar 2017 16:34:00 GMT

According to the command ref guide the netlogin reauth period can be 0 or between 30 and 7200 seconds where 0 means disabled. So I guess it is also 7200 seconds for session timeout.

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

M_Nees — Sat, 18 Mar 2017 16:34:00 GMT

Hi Olaf,

that's not really long ...

For my demand it is not usable then. I wish i had G2 switches there - OnePolicy Framework (netlogin) all using higher values (- i believe).

So because we cannot change this - i have to look for another solution.

Maybe Product Manager will equalize that within G1 and G2 possibilities (because i believe that is only a software limitation).

Do you know anything about the allowed idle-timeout ?

Regards,
Matthias

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

AnonymousM — Sat, 18 Mar 2017 16:34:00 GMT

If you mean after which period of time a client is removed when sending no pakets, this is bound to the FDB aging timer. Or what exactly do you mean by idle-timeout?

Cheers
Olaf

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

M_Nees — Sat, 18 Mar 2017 16:34:00 GMT

i mean first.
For an example Printers or phones are sending no packets for longer than the standard fdb/netlogin timer of 5 minutes is. So i want extend this to lets so 2hours.

This is very smart if i do that with RADIUS Attribute Idle-Timeout.

So what is the maximum value of this regarding G1 Switches ?

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

M_Nees — Sat, 18 Mar 2017 16:34:00 GMT

OK Olaf - i though twice a time about me question - you tell me already in EXOS G1 Idle timeout of a netlogin session is bind to the FDB aging time. If i increase fdb aging time is also ingress netlogin idle-timeout.

Looking at manual i see a wide range of 15 to 1,000,000 seconds. Thats OK!

I was happy if session timeout maybe also get this wide range in future EXOS ...

Thanks for clarify that!

Regards

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

AnonymousM — Sat, 18 Mar 2017 16:34:00 GMT

No idea. Sorry! I am not even sure if this works at all. The only method I have been using in those kind of scenarios was adjusting the FDB aging timer. Maybe someone else has tested this before.

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

AnonymousM — Sat, 18 Mar 2017 16:34:00 GMT

You could try session refresh timer which is upt to 3600 seconds. But that would also require adjusting FDB aging timer.

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

M_Nees — Sat, 18 Mar 2017 17:28:00 GMT

One general hint to all who are playing around with this:

If you wants to check which is possible on EXOS G1 switches (regarding netlogin) you have to look at manuals pre EXOS 16.1.

Starting with EXOS 16.1 the new netlogin OnePolicy Framework is coming with enhance features. Which are only working an G2 Switches.

Regards

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

Stephane_Grosj1 — Sat, 18 Mar 2017 18:33:00 GMT

Hi,

for silent machines, there're several ways to manage it.

- mac address lockdown with timeout is maybe what you will want to use.

configure mac-lockdown-timeout ports [all | port_list] aging-time seconds
enable mac-lockdown-timeout ports [all | port_list]

range is between 15 and 2,000,000 seconds. Would that be enough 🙂

- you can configure port restart, so that once the mac is flush from the port, that port will do a quick disable/enable that will force the device to speak and re-authenticate.

- do a script

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

Patrick_Koppen — Sun, 19 Mar 2017 01:42:00 GMT

Hallo Matthias,

(testet with vm-22.1.1.5)

if you enable logging you can see:

03/18/2017 19:09:39.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4294967295, Idle Timeout - 4294967295.
With Session-Timeout/Idle-Timeout set:

03/18/2017 19:12:09.30 Authorization values for B2-EF-FB-7C-BE-26(userName 'B2EFFB7CBE26') on port 1: Access level - unknown, Tunnel Type - none, Tunnel Medium - none, Tunnel Group Id - 0, Session Timeout - 4222222222, Idle Timeout - 4111111111.
So the switch accepts large values.

But I'm not sure if Idle-Timeout is used. I testet the following values:
Session Timeout - 20, Idle Timeout - 10, fdb - 300

I stopped the client. After 20 seconds the switch reauthenticated the client via radius.
This happend every 20 seconds till the fdb expired after 300 seconds.

If the fdb expires before the Session-Timeout, the client session is removed.

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

Patrick_Koppen — Sun, 19 Mar 2017 03:55:00 GMT

mac-lockdown-timeout seems to work as documented:

mac-lockdown-timeout - 100, fdb - 50, Session-Timeout - 20, Idle-Timeout - 10

After 77 seconds:
#show mac-lockdown-timeout fdb ports 1
Mac Vlan Age Flags Port
----------------------------------------------------
b2:ef:fb:7c:be:26 Default(0001) 0075 F 1
# show fdb ports 1
Mac Vlan Age Flags Port / Virtual Port List
--------------------------------------------------------------------------------
b2:ef:fb:7c:be:26 Default(0001) 0077 nd m L 1And after 100 seconds:
Delete client request, 1, B2:EF:FB:7C:BE:26Reauth every 20 seconds

RE: EXOS: X440-G1 maximum value of RADIUS Attributes: session timeout, idle-timeout

Erik_Auerswald — Mon, 20 Mar 2017 14:02:00 GMT

Hi,

then there is the idea to monitor printer availability by sending a ping every 5 minutes (or a bit more often). This can show you if your printers are up and it will refresh the FDB entry.

Another possibility is to synchronize ARP and FDB timeouts (a good idea in general if you have layer 3 ECMP in the network) and use EXOS' ARP refresh mechanism to keep the ARP and thus the FDB entry current.

Yet another possibility is to use
configure netlogin ports [port_list | all] allow egress-traffic [none | unicast| broadcast | all_cast]to allow broadcasts and thus ARP requests to reach the printer. That way the printer will re-authenticate whenever someone tries to use it.

Thanks,
Erik