Hi colleagues,
we have a problem: 802.1x clients with oac (newest version) connect to the switch with machine certification.
all ok.
Then, after a not yet clear amount of time the following happens:
uac-log: logout event
switch: authorization failed event
client: loses connectivity - the complete authentication and authorization process unfolds again.
uac: host checker, realm and role check -> passed
authentication and authorization on switch
Unfortunately with DHCP request and so on ...
uac-log: login event
effect: the client experiences a 20 second disruption
At the beginning we thought that the problem was because of the reauthentication on the switch and the session length defined on the UAC: we thought that when the logout and login process fell into the period when the switch started its reauthentication, we had a "bad" coincidence.
But now we have completely shut down the reauthentication on the switch.
Besides that, we observed that the disruption was occurring on one client in a 12h interval.
From JTAC we learned about the settings in the client profile ("tools -> security": resumption and reauthentication).
The actual settings: resumption enabled, during 12h
reauthentication not enabled
session length on uac-role: 2 days
role heart-beat-interval: 30 min
general host checker 20 min
I would appreciate your experiences and knowledge about this.
William
Hi William,
Can you increase the session resumption time from 12 hours to 14 hours in the client machine's OAC (under "tools -> security") on the client where the disruption was occurring in a 12h interval? Share the outcome of this test with us.
Regards,
Kannan
ok:
in my testing environment:
a)
max session length: 6 min
Host checker: 2 min
oac-agent: reauthentication - no
switch periodic reauthentication - no
effect: after max session length, logout, no authentication on the switch, authorization failed, complete new session build up inclusive dhcp -> session disruption 20 sec.
b)
changing
Either switch periodic reauthentication (testing: 45 sec)
or turning on "enable automatic reauthentication" on oac (180 sec; possible via reg-key, not via gui)
-> results in logout/login with UAC, but authentication/authorization on the switch stays up; also on UAC: complete
login process with host checker policy, BUT no session disruption, no dhcp
Still not reproducible: the session resumption (it belongs to TLS in the reg-key area) with a max length of 12h, where a session resumption takes place. So far I have learnt and understood from JTAC that this is especially useful for roaming wireless clients, which is not our setting.
=> So for overcoming our disruption cases I think I will go to the configuration
- 3h periodic reauthentication on the switch
- 1h reauthentication on the oac agent
- another security measure which acts as the guard in the back is the host checker. If it fails it should bring down the session as wanted
- on the role side of the UAC: max session length about 10h
I really would appreciate the experiences and the knowledge from you if you have a similar productive environment.
regards,
W.
Hi,
Yes, the configuration that you are planning to test should help you avoid the session disruption issue. Please test the same.
Regards,
Kannan
to add our latest findings:
When the stale period for the session resumption (configured on the client: machine authentication, tools -> options -> security) is set to a smaller value than the max. session length, but to a greater value than the reauthentication timer,
then the reauthentication works with no disruption, but after the stale time period we see the disruption of the client session and an authentication failed message on the switch. It takes about 15-20 seconds to be back online.
So we are still not sure if we can avoid the session disruptions when we have the stale time period longer than the max. session length. The default stale time period set on the client is 12 h. So we have set the max. session length now to 10 h.
By the way, do you have clarifications on the heartbeat timer and the timeout value (can be set in the session options at the role level)?
regards,
William
Just to close this thread from my side:
we have now chosen a max session length of 10h (-> configured on UAC -> role, session option)
the client is doing a reauthentication every 1h (-> configured on the client)
host checker is running every 20 min, with idle session closing after 1 h
the switch is doing a reauthentication every 3 h
the stale period on the client is set to the default of 12h
now we see
every 20 min: a host checker check in the uac log
every 1h: a regular reauthentication in the switch log, which is initiated by the client
every 10 h: a login/logout process on the UAC; it lasts about 4 sec. What is important: it goes along with no disruption of the authorized link on the switch, therefore no DHCP issues and so forth
sometimes (when the client is really idle):
after 1h, closing of the host checker session, new authentication on the switch, DHCP, new login. Total disruption of about 20 sec. But this is OK, because the client is not sending any traffic.
regards, William
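To see how the timers discussed in this thread interact over a day, here is an added timeline model (not from the thread, the vendor documentation or any of the posters). It encodes only the observed rules above as assumptions: a UAC session expiry with no reauthentication mechanism drops switch authorization (~20 s outage with DHCP), an OAC stale period shorter than the max session length causes an outage when the stale period expires, and otherwise expiry is a ~4 s UAC logout/login with the link kept up.

```python
"""Constructed timeline model of the 802.1X / UAC timer interplay in this thread.

The rules below are assumptions derived from the observations posted above,
not a description of documented OAC, UAC or switch behaviour.
"""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Timers:
    max_session: int          # UAC role "max session length", minutes
    stale_period: int         # OAC session-resumption stale period, minutes
    client_reauth: int = 0    # OAC automatic reauthentication, 0 = disabled
    switch_reauth: int = 0    # switch periodic reauthentication, 0 = disabled
    host_checker: int = 20    # host checker interval, minutes

def timeline(t: Timers, horizon: int = 24 * 60) -> List[Tuple[int, str, int]]:
    """Return (minute, event, outage_seconds) tuples within the horizon."""
    events: List[Tuple[int, str, int]] = []

    def every(period: int, label: str, outage: int) -> None:
        # a timer with period 0 is disabled and produces no events
        if period > 0:
            for m in range(period, horizon + 1, period):
                events.append((m, label, outage))

    every(t.host_checker, "host checker check (uac log)", 0)
    every(t.client_reauth, "client-initiated reauth (switch log)", 0)
    every(t.switch_reauth, "switch periodic reauth", 0)

    # observations a)/b): a reauth mechanism keeps switch authorization up
    keeps_link = bool(t.client_reauth or t.switch_reauth)
    if keeps_link and t.stale_period < t.max_session:
        # "after the stale time period we see the disruption" (~15-20 s)
        every(t.stale_period, "stale period expired: auth failed on switch", 20)
    # session expiry: ~4 s UAC logout/login if the link is kept, else full
    # re-authentication plus DHCP (~20 s)
    every(t.max_session, "uac session expiry (logout/login)",
          4 if keeps_link else 20)
    return sorted(events)

def disruptions(t: Timers, horizon: int = 24 * 60) -> int:
    """Count ~20 s outages (link down, re-auth and DHCP) within the horizon."""
    return sum(1 for _, _, outage in timeline(t, horizon) if outage >= 20)

if __name__ == "__main__":
    final = Timers(max_session=600, stale_period=720, client_reauth=60,
                   switch_reauth=180, host_checker=20)
    for minute, label, outage in timeline(final):
        print(f"{minute:5d} min  {label:45s} {outage:3d} s")
    print("outages per day:", disruptions(final))
```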