I am using 802.1x with EX3200 switches. I authenticate user through IC on layer 2 8021x. Once user nuplug his network cable or disable the TCP/IP connection user session remain exist on IC. How can I remove the session on IC automatically once user is disconnected on network.
I understand that Once 802.1xuser unplug his network cable or disable the TCP/IP connection user session remain exist on IC and you
wanted to know how to remove the session on IC automatically once user is disconnected on network.
In IC admin UI To forcibly sign out one or more end-users or administrators, select the check box next to the appropriate names and then click Delete Session.
This is manual deleting.
For automatically removing the session on IC qucikly , you need Perform a dynamic policy evaluation configuration on the
Dynamic policy evaluation allows you to automatically or manually refresh the assigned roles of users by evaluating a realmÍs authentication policy, role-mappings, role
restrictions, and resource policies. When the IC Series device performs a dynamic evaluation, it verifies whether the clientÍs status is changed.
You can refer the UAC admin guide for more information. Hope this resolves your query.
Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!
With dynamic policy evaluation I can set the time minimum 5 mints but I want to close the session immediately user disconnect from the network,
Here I explain the problem I am facing. I implement 802.1x IC solution with EX3200 as an enforcer. I configure two vlans one is employee and second is guest on EX3200. Also I configure the guest vlan as guest-vlan in ex3200 dot1x configuration.
I configure IC with two roles one in Full-Access role and second is Quarantine role. I create a relam and in role-mapping I create a single rule and map both roles with used identities. Full-Access role have host-checker policy to check the user end point before assign him full role if host checker policy on end point fails user assign Quarantine role and if host checker policy pass user assign both Full-Access and Quarantine role.
In Radius Return Attribute policy I configure first policy with Full-Access role return the vlan employee and second policy with Quarantine role return the vlan guest.
As user connect to IC with full fill the host checker policy IC assign the user correct vlan that is employee and user get the full access. During the session user lost the compliance and when host checker policy re-evaluate it disconnect the user re-authenticate and assign the user guest vlan with Quarantine role having restrict access to corporate resources.
Now the problem is when user has guest vlan and at that time user disconnect from network (cable unplug or TCP/IP connection disable) and during the off line time somehow user meet the end point compliance then connect to network again IC not re-authenticate the user nor recheck the compliance instead IC create new session with same vlan and end point IP that IC assign the user previously that was the guest vlan. Although user meet the compliance but user get the limited access with guest vlan.
To solve the problem I remove the connection manually on IC and ask user to re-connect to network or I instruct user to remove the session from pulse and the re-connect to network.
Why IC not assign user right vlan i.e. Employee after user connect to network again with full compliance. IC create new session assign both roles but not return the Employee vlan but user get the guest vlan instead of employee vlan.
Any suggestion or help regarding this issue
I understand that dynamic policy reevaluation is not suitable for your requirement, you can configured host checker to perform check every 1 minute in the endpoint security configuration , this will ensure hostchecker policy is evaluated every 1minute on the endpoint. Also you can try enabling reauthentication for the 802.1x ports on the EX switch.
The above suggestions should resolve the issue.
In a dot1x environment, the IC must receive accounting start and stop from the access point or switch to accurately track the user session.
If there are no accounting messages, the session will remain active on the IC until the role session length is hit.
Configuring accouting in switch/Access point should resolve your problem.
This has been documented in KB article, refer below:
Note: If this answers your questions, you could mark this post as accepted solution, that way it will help others as well. Kudos is bonus thanks!
Thanks Kalagesan/Raveen for your support.
Can you guide me how to configure reauthentication on EX switch and how I can configure the radius accounting msgs... how i can configure radius accounting messages both on authenticator and IC?
One more question regarding 802.1x...
I understand that suplicant and authenticator must be on layer-2 so they can exchange EAPOL msgs. Is it necessary for IC to communicate with authenticator on layer-2 for Radius communications? I think it is, bcoz pulse client need to access the IC on layer 2 for automatically adding the connection according the vlan client can access. so can we deploy IC so that authenticator communicate with IC on layer-3 and if we can then how can pulse client connect with IC?
You can Use the below tech doc URLs to access the info on configuring the reauthentication on EX3200:
Radius accouting in EX:
How to setup reauthentication and integrate EX with UAC:
set protocols dot1x authenticator interface <interface-name> Reauthentication)
Thanks kalagesan and raveen for all the help and support. I will check these solutions....
My question regarding 802.1x and layer-3......????
EAP transactions happens between supplicant and authenticator(switch), it is always L2.
Radius transactions happens between Authenticator and AA server(IC/UAC) which is always UDP( L3 and above).