https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/For-headless-device-authenticated-on-the-switch-how-to-ensure/m-p/54456#M94 <P>Recently had come across a concern where the given printer was not able to stay authenticated on the mac-auth session it had initiated.&nbsp;<BR />Digging further into what was causing, it found it to be as the same was classified headless device.</P><P>A tiny description of the devices labeled as Headless device(s):<BR />Headless devices such as printers, badge readers, POS Scanner, Industrial sensors, and actuators, IoT devices etc. are known to have simple NICs which are not capable of 802.1x traffic generation.</P><P>Given the current security demand, the need to lock every free access port to the network is ever present to avoid unwanted/uninvited guests accessing internal information.<BR /><BR />These devices however can-do mac-auth: where they are verified by their MAC addresses</P><P><BR /><STRONG>Problem posed:</STRONG><BR />As with any authentication:<BR />the connection [ethernet connection on the switch] once registers as offline due to no activity on the remote end, the session established when the device had authenticated gets logged off.<BR />and as a part of all process in authentication: we do have a mandatory log off period / timer which does kick out the device, prompting them for a re-auth.</P><P>when either of this, happens for a user station on 802.1X its seamless: as the supplicant drivers take care of the re-auth</P><P>however, the device logging off the headless device when no traffic is generated can be an issue.</P><P>for example : a badge reader : at the door :<BR />people would not be expected to tap the ID cards every minute, thus the traffic generated is sparse and not continuous. due to this when the device does not transmit&nbsp; and switch moves the device to offline state, as due to no traffic seen.</P><P>&nbsp;</P><P><STRONG>Workaround that can be tried :</STRONG><BR />when this is seen : forcing a re-auth for the device would work : however when it comes to headless devices.<BR />they dont generate traffic by themselves, and with port-access control thats imposed by the 802.1x and Mac-ath processes : denies/blocks both inbound and outbound traffic on an interface until authentication is sucessfull</P><P>physically reseating the cable : enables the switch to re-learn the connected device on the interface and mac-auth going through will have the same verified. and we will have traffic passing.</P><P>this however, is less Ideal as reseating every time : would mean either accessing the wall mounted reader in the closet where connection goes or at the wall mount itself for the task</P><P>this can leave bits vulnerable. [ thus defeating the purpose ]</P><P>&nbsp;</P><P><STRONG>Solution :</STRONG><BR />there are 2 ways to tackle the issue :<BR />1 &gt; standard and staight forward : exempt that port from authentication.<BR />this however if discovered can be a loop hole in the network.</P><P>2 &gt; use Radius attrubite to extend the session's idle window such that it covers the devices inactive period.<BR />this would mean no loop hole in the network. and no need for physical intervention untill necessary.</P><P>for this when the authentication profile is set on the RADIUS platform : use the RADIUS IETF attribute of Idle-Timeout.&nbsp;this ensures that the session for a given device will only timeout after the specified interval when no traffic is seen from that specific device .</P><P>Attribute details :<BR />Attribute-Name :<BR />Idle-timeout<BR />Attribute-ID :<BR />28<BR />Attribute-Data Type:<BR />Integer<BR />Attribute-Description:<BR />Idle timeout after which the session is cleared when there is no traffic.<BR />This is equivalent to configuring the max-sw age command through the CLI<BR /><BR />the value is set in seconds : hence would need to time the same to a generalized period :<BR />&gt; where we can expect the max amount of gap : for ex. : when the office are shutdown during furlough or during the year end shutdown : where for a week's duration<BR />the traffic would be minimal.<BR />under this example : we would have 7 days in a week, 24 hours in a day, 60 minutes in a hour, and 60 seconds in a minute.<BR />i.e. : 7*24*60*60 = 6,04,800</P><P>this value when set on the Authentication profile on the Authentication server : on the device's successfull auth will get passed as a Radius attribute.<BR />that will have the session for the device extended.</P><P>this however can be set to any time in seconds as per the design's requirement.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 02 Mar 2023 12:09:27 GMT jdryan 2023-03-02T12:09:27Z https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/For-headless-device-authenticated-on-the-switch-how-to-ensure/m-p/54456#M94 <P>Recently had come across a concern where the given printer was not able to stay authenticated on the mac-auth session it had initiated.&nbsp;<BR />Digging further into what was causing, it found it to be as the same was classified headless device.</P><P>A tiny description of the devices labeled as Headless device(s):<BR />Headless devices such as printers, badge readers, POS Scanner, Industrial sensors, and actuators, IoT devices etc. are known to have simple NICs which are not capable of 802.1x traffic generation.</P><P>Given the current security demand, the need to lock every free access port to the network is ever present to avoid unwanted/uninvited guests accessing internal information.<BR /><BR />These devices however can-do mac-auth: where they are verified by their MAC addresses</P><P><BR /><STRONG>Problem posed:</STRONG><BR />As with any authentication:<BR />the connection [ethernet connection on the switch] once registers as offline due to no activity on the remote end, the session established when the device had authenticated gets logged off.<BR />and as a part of all process in authentication: we do have a mandatory log off period / timer which does kick out the device, prompting them for a re-auth.</P><P>when either of this, happens for a user station on 802.1X its seamless: as the supplicant drivers take care of the re-auth</P><P>however, the device logging off the headless device when no traffic is generated can be an issue.</P><P>for example : a badge reader : at the door :<BR />people would not be expected to tap the ID cards every minute, thus the traffic generated is sparse and not continuous. due to this when the device does not transmit&nbsp; and switch moves the device to offline state, as due to no traffic seen.</P><P>&nbsp;</P><P><STRONG>Workaround that can be tried :</STRONG><BR />when this is seen : forcing a re-auth for the device would work : however when it comes to headless devices.<BR />they dont generate traffic by themselves, and with port-access control thats imposed by the 802.1x and Mac-ath processes : denies/blocks both inbound and outbound traffic on an interface until authentication is sucessfull</P><P>physically reseating the cable : enables the switch to re-learn the connected device on the interface and mac-auth going through will have the same verified. and we will have traffic passing.</P><P>this however, is less Ideal as reseating every time : would mean either accessing the wall mounted reader in the closet where connection goes or at the wall mount itself for the task</P><P>this can leave bits vulnerable. [ thus defeating the purpose ]</P><P>&nbsp;</P><P><STRONG>Solution :</STRONG><BR />there are 2 ways to tackle the issue :<BR />1 &gt; standard and staight forward : exempt that port from authentication.<BR />this however if discovered can be a loop hole in the network.</P><P>2 &gt; use Radius attrubite to extend the session's idle window such that it covers the devices inactive period.<BR />this would mean no loop hole in the network. and no need for physical intervention untill necessary.</P><P>for this when the authentication profile is set on the RADIUS platform : use the RADIUS IETF attribute of Idle-Timeout.&nbsp;this ensures that the session for a given device will only timeout after the specified interval when no traffic is seen from that specific device .</P><P>Attribute details :<BR />Attribute-Name :<BR />Idle-timeout<BR />Attribute-ID :<BR />28<BR />Attribute-Data Type:<BR />Integer<BR />Attribute-Description:<BR />Idle timeout after which the session is cleared when there is no traffic.<BR />This is equivalent to configuring the max-sw age command through the CLI<BR /><BR />the value is set in seconds : hence would need to time the same to a generalized period :<BR />&gt; where we can expect the max amount of gap : for ex. : when the office are shutdown during furlough or during the year end shutdown : where for a week's duration<BR />the traffic would be minimal.<BR />under this example : we would have 7 days in a week, 24 hours in a day, 60 minutes in a hour, and 60 seconds in a minute.<BR />i.e. : 7*24*60*60 = 6,04,800</P><P>this value when set on the Authentication profile on the Authentication server : on the device's successfull auth will get passed as a Radius attribute.<BR />that will have the session for the device extended.</P><P>this however can be set to any time in seconds as per the design's requirement.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 02 Mar 2023 12:09:27 GMT https://community.ruckuswireless.com/t5/RUCKUS-Self-Help/For-headless-device-authenticated-on-the-switch-how-to-ensure/m-p/54456#M94 jdryan 2023-03-02T12:09:27Z