Authentication Session Timeout

You can control access to your network through a switch by using several different authentication methods. Junos OS switches support 802.1X, MAC RADIUS, and captive portal authentication for devices that need to connect to the network. Read this topic for more information.

Understanding Authentication Session Timeout

Information about authentication sessions—including the associated interfaces and VLANs for each MAC address that is authenticated—is stored in the authentication session table. The authentication session table is tied to the Ethernet switching table (also called the MAC table). Each time the switch detects traffic from a MAC address, it updates the timestamp for that network node in the Ethernet switching table. A timer on the switch periodically checks the timestamp and if its value exceeds the user-configured mac-table-aging-time value, the MAC address is removed from the Ethernet switching table. When a MAC address ages out of the Ethernet switching table, the entry for that MAC address is also removed from the authentication session table, with the result that the session ends.

When the authentication session ends due to MAC address aging, the host must re-attempt authentication. To limit the downtime resulting from re-authentication, you can control the timeout of authentication sessions in the following ways:

  • For 802.1X and MAC RADIUS authentication sessions, disassociate the authentication session table from the Ethernet switching table by using the no-mac-table-binding statement. This setting prevents the termination of the authentication session when the associated MAC address ages out of the Ethernet switching table.

  • For captive portal authentication sessions, configure a keep-alive timer using the user-keepalive statement. With this option configured, when the associated MAC address ages out of the Ethernet switching table, the keep-alive timer is started. If traffic is received within the keep-alive timeout period, the timer is deleted. If there is no traffic within the keep-alive timeout period, the session is deleted.

You can also specify timeout values for authentication sessions to end the session before the MAC aging timer expires. After the session times out, the host must re-attempt authentication.

  • For 802.1X and MAC RADIUS authentication sessions, the duration of the session before timeout depends on the value of the reauthentication statement. If the MAC aging timer expires before the session times out, and the no-mac-table-binding statement is not configured, the session is ended, and the host must re-authenticate.

  • For captive portal authentication sessions, the duration of the session depends on the value configured for the session-expiry statement. If the MAC aging timer expires before the session times out, and the user-keepalive statement is not configured, the session is ended, and the host must re-authenticate.

Note:

If the authentication server returns a session timeout for the client, that value takes priority over the value configured locally with either the reauthentication statement or the session-expiry statement. The server sends the timeout to the switch as the Session-Timeout attribute (RADIUS attribute 27) in the Access-Accept message. For information about configuring the authentication server to send a session timeout, see the documentation for your server.

Controlling Authentication Session Timeouts (CLI Procedure)

The expiration of an authentication session can result in downtime because the host must re-attempt authentication. You can limit this downtime by controlling the timeout period for authentication sessions.

An authentication session can end when the MAC address associated with the authenticated host ages out of the Ethernet switching table. When the MAC address is cleared from the Ethernet switching table, the authenticated session for that host ends, and the host must re-attempt authentication.

To prevent the authentication session from ending when the MAC address ages out of the Ethernet switching table:

  • For sessions authenticated using 802.1X or MAC RADIUS, disassociate the authentication session table from the Ethernet switching table with the no-mac-table-binding statement at the [edit protocols dot1x authenticator] hierarchy level. The statement is global: it applies to every 802.1X and MAC RADIUS session on the switch.

  • For sessions authenticated using captive portal, extend the session past the MAC age-out with the user-keepalive statement at the [edit services captive-portal interface (all | interface-name)] hierarchy level. The keep-alive period is specified in minutes.

You can also configure timeout values for authentication sessions to end an authenticated session before the MAC aging timer expires.

Note:

Configuring the session timeout for an authentication session does not extend the session after the MAC aging timer expires. You must configure either the no-mac-table-binding statement for 802.1X and MAC RADIUS authentication, or the user-keepalive statement for captive portal authentication, to prevent session timeout due to MAC aging.

For 802.1X and MAC RADIUS authentication sessions, configure the timeout with the reauthentication statement, which takes a value in seconds (the default is 3600).

  • To configure the timeout on a single interface, use the statement at the [edit protocols dot1x authenticator interface interface-name] hierarchy level.

  • To configure the timeout on all interfaces, use the statement at the [edit protocols dot1x authenticator interface all] hierarchy level.

For captive portal authentication sessions, configure the timeout with the session-expiry statement, which takes a value in minutes.

  • To configure the timeout on a single interface, use the statement at the [edit services captive-portal interface interface-name] hierarchy level.

  • To configure the timeout on all interfaces, use the statement at the [edit services captive-portal interface all] hierarchy level.

Note:

If the authentication server returns a session timeout for the client, that value takes priority over the value configured with the reauthentication statement or the session-expiry statement. The server sends the timeout to the switch as the Session-Timeout attribute (RADIUS attribute 27) in the Access-Accept message.
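The following set commands put the statements from this procedure together on one switch. This is an added example, not configuration taken from the original page: the interface names ge-0/0/1 (an 802.1X/MAC RADIUS access port) and ge-0/0/2 (a captive portal port), the access profile name dot1x-profile, and every timer value are assumptions, and lines beginning with # are commentary rather than CLI input.

```junos
# Added example; names and timer values are assumptions.
# Units differ by statement: reauthentication is in seconds,
# user-keepalive and session-expiry are in minutes.

# 802.1X and MAC RADIUS: keep sessions alive across MAC age-out (global),
# and force re-authentication every 2 hours on ge-0/0/1 (default is 3600 s).
set protocols dot1x authenticator authentication-profile-name dot1x-profile
set protocols dot1x authenticator no-mac-table-binding
set protocols dot1x authenticator interface ge-0/0/1 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1 mac-radius
set protocols dot1x authenticator interface ge-0/0/1 reauthentication 7200

# Same reauthentication interval for every 802.1X interface instead:
# set protocols dot1x authenticator interface all reauthentication 7200

# Captive portal on ge-0/0/2: when the MAC ages out, start a 10-minute
# keep-alive; end the session after 8 hours regardless of traffic.
set services captive-portal interface ge-0/0/2 user-keepalive 10
set services captive-portal interface ge-0/0/2 session-expiry 480
```

With no-mac-table-binding set, the reauthentication interval becomes the effective upper bound on an 802.1X or MAC RADIUS session's lifetime, unless the RADIUS server returns a shorter Session-Timeout in the Access-Accept. The captive portal session on ge-0/0/2 ends at whichever comes first: 480 minutes of session-expiry, or a MAC age-out followed by 10 minutes without traffic.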

Retaining the Authentication Session Based on IP-MAC Address Bindings

MAC RADIUS authentication is often used to permit hosts that are not enabled for 802.1X authentication to access the LAN. End devices such as printers are not very active on the network. If the MAC address associated with an end device ages out due to inactivity, the MAC address is cleared from the Ethernet switching table, and the authentication session ends. This means that other devices will not be able to reach the end device when necessary.

If the MAC address that ages out is associated with an IP address in the DHCP, DHCPv6, or SLAAC snooping table, that MAC-IP address binding will be cleared from the table. This can result in dropped traffic when the DHCP client tries to renew its lease.

You can configure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out. If the MAC address for the end device is bound to an IP address, then it will be retained in the Ethernet switching table, and the authentication session will remain active.

This feature can be configured globally for all authenticated sessions using the CLI, or on a per-session basis using RADIUS attributes.

Benefits

This feature provides the following benefits:

  • Ensures that an end device is reachable by other devices on the network even if the MAC address ages out.

  • Prevents traffic from dropping when the end device tries to renew its DHCP lease.

CLI Configuration

Before you can configure this feature:

  • DHCP snooping, DHCPv6 snooping, or SLAAC snooping must be enabled on the device.

  • The no-mac-table-binding CLI statement must be configured. This disassociates the authentication session table from the Ethernet switching table, so that when a MAC address ages out, the authentication session will be extended until the next reauthentication.

To configure this feature globally for all authenticated sessions:

Configure the switching device to check for an IP-MAC address binding in the DHCP, DHCPv6, or SLAAC snooping table before terminating the authentication session when the MAC address ages out, using the ip-mac-session-binding statement at the [edit protocols dot1x authenticator] hierarchy level.

Note:

You cannot commit the ip-mac-session-binding configuration unless no-mac-table-binding is also configured.
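A complete configuration for this feature, including both prerequisites, as an added example rather than configuration from the page. It assumes an ELS-based switch with access ports in a VLAN named users (VLAN ID 100) whose trusted uplink toward the DHCP server is ge-0/0/47; the VLAN and interface names and the DHCP snooping syntax are assumptions, and lines beginning with # are commentary rather than CLI input.

```junos
# Added example; VLAN, group and interface names are assumptions.

# Prerequisite 1: a snooping table for the check to consult. On ELS
# platforms DHCP snooping is enabled per VLAN under forwarding-options
# dhcp-security; the uplink facing the DHCP server must be trusted.
set vlans users vlan-id 100
set vlans users forwarding-options dhcp-security group trusted-uplink overrides trusted
set vlans users forwarding-options dhcp-security group trusted-uplink interface ge-0/0/47.0

# Prerequisite 2: decouple the session table from the MAC table.
# Without this statement the commit of ip-mac-session-binding fails.
set protocols dot1x authenticator no-mac-table-binding

# The feature itself: on MAC age-out, retain the MAC entry and the
# session whenever the snooping table holds an IP binding for that MAC.
set protocols dot1x authenticator ip-mac-session-binding

# Check both flags on an authenticated MAC RADIUS port afterwards:
# user@switch> show dot1x interface ge-0/0/1 detail
```

Order matters only for the commit check: no-mac-table-binding and ip-mac-session-binding can be set in the same candidate configuration, but a candidate containing only the latter is rejected at commit. A MAC address that is authenticated but never obtained an address through DHCP, DHCPv6, or SLAAC has no entry in the snooping table, so for that host the feature changes nothing and the session is governed by the reauthentication timer alone.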

RADIUS Server Attributes

You can configure this feature for a specific authentication session using RADIUS server attributes. RADIUS server attributes are clear-text fields carried in the Access-Accept message that the authentication server sends to the switching device when a supplicant connected to the switch is successfully authenticated. Because the attributes are not encrypted and only the shared secret protects the message's integrity, the path between the switch and the RADIUS server should itself be trusted or protected.

To retain the authentication session based on IP-MAC address bindings, configure both of the following attribute-value pairs on the RADIUS server:

  • Juniper-AV-Pair = “IP-Mac-Session-Binding”

  • Juniper-AV-Pair = “No-Mac-Binding-Reauth”

The Juniper-AV-Pair attribute is a Juniper Networks vendor-specific attribute (VSA), attribute number 52 under the Juniper vendor ID 2636. Verify that the Juniper dictionary is loaded on the RADIUS server and includes the Juniper-AV-Pair VSA.

If you need to add the attribute to the dictionary, locate the dictionary file (juniper.dct) on the RADIUS server and add a definition for the Juniper-AV-Pair VSA to it.

Note:

For specific information about configuring your RADIUS server, consult the AAA documentation included with your server.

Verification

Verify the configuration by issuing the operational mode command show dot1x interface interface-name detail and confirming that the Ip Mac Session Binding and No Mac Session Binding output fields indicate that the feature is enabled.

Clients authenticated with MAC RADIUS should remain authenticated, and their MAC address entries in the Ethernet switching table should be retained, after the MAC aging timer expires.