https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803934#M485128 <P>I probably should have mentioned we are doing MAB authentication not dot1x</P> Mon, 18 Feb 2019 09:41:10 GMT Jason Weids 2019-02-18T09:41:10Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3802671#M485118 <P>Hello,</P> <P>&nbsp;</P> <P>Why do devices that are unknown or that have no authorization policy constantly try to reauth every minute? Surely once they have failed &amp; denied access a few times then you don't want them constantly sending radius requests. Is there a way to change the reauth timer so it only reauth when the port transitions to "up connected"?</P> <P>&nbsp;</P> <P>Jason&nbsp;</P> Fri, 15 Feb 2019 11:07:05 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3802671#M485118 Jason Weids 2019-02-15T11:07:05Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3802745#M485124 <P>Unless you are doing a complete whitelisted setup, you really shouldn't be denying access to the network.&nbsp; Every device should have an authorization policy applied.&nbsp; The default policy should be a Limited Access policy with a DACL applied to allow access to the PSNs and DNS.&nbsp; DNS is there to allow redirection to a portal if you want.</P> Fri, 15 Feb 2019 13:35:37 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3802745#M485124 paul 2019-02-15T13:35:37Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3802750#M485125 If you are not using an ISE authorization policy result that pushes reauthentication timer then the fallback will be whatever you have configured on the host port.<BR />dot1x reauthentication<BR />dot1x timeout reauth-period (seconds)<BR />Those commands will enable periodic re-authentication and set the number of seconds between re-authentication attempts.<BR /><BR />HTH! Fri, 15 Feb 2019 13:45:06 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3802750#M485125 Mike.Cifelli 2019-02-15T13:45:06Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803364#M485126 <P>I agree with&nbsp;<A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/192011" target="_blank">paul</A>.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387307" target="_blank">dot1x timeout quiet-period</A>&nbsp;seems what you asked for.</P> Sat, 16 Feb 2019 21:16:49 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803364#M485126 hslai 2019-02-16T21:16:49Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803932#M485127 <P>We are whitelisting. Nothing should be allowed to connect to the wired network in our environment unless it is a "known/trusted" device. The devices we are seeing which are not authorised are filling our live radius logs &amp; it is these I want to limit.</P> Mon, 18 Feb 2019 09:37:49 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803932#M485127 Jason Weids 2019-02-18T09:37:49Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803934#M485128 <P>I probably should have mentioned we are doing MAB authentication not dot1x</P> Mon, 18 Feb 2019 09:41:10 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803934#M485128 Jason Weids 2019-02-18T09:41:10Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803937#M485129 <P>Can you do this with MAB authentication?</P> Mon, 18 Feb 2019 09:42:52 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3803937#M485129 Jason Weids 2019-02-18T09:42:52Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3804074#M485130 Even in a whitelisted setup I would still not deny as the last rule in the wired MAB policy set. Allow the connection and put a DACL on to limit access to the ISE PSNs and maybe other security products to allow a device not whitelisted to be profiled/scanned to gather information about it.<BR /><BR /><BR /> Mon, 18 Feb 2019 13:36:18 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3804074#M485130 paul 2019-02-18T13:36:18Z https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3812406#M485131 <P>That really helpfull, That might be what you would do but in our environment we only allow authorised devices on the wired network.</P> Fri, 01 Mar 2019 10:24:42 GMT https://community.cisco.com/t5/network-access-control/reauthentication-timer/m-p/3812406#M485131 Jason Weids 2019-03-01T10:24:42Z