https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704817#M507710 Hey Paul,<BR /><BR />thank you very much for the post. I set the reauthentication at the ISE and it workes! Only one more question. Under Radius-Live Sessions I can see that it is "terminated" after I disconnected the PC. <BR />(Connection: Switch &lt;- Phone &lt;- PC) <BR />This was not working without the reauth because the telephone is not telling the ISE that the session to the PC is now disconnected. But in Radius-Live Logs I still see the session as "active". When is ISE killing the session in Live Logs? <BR /><BR />Thanks<BR />Philipp<BR /> Tue, 11 Sep 2018 13:28:22 GMT pgerstenberger 2018-09-11T13:28:22Z https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704608#M507707 <P>Hello Community,</P> <P>&nbsp;</P> <P>we want to reauthenticate our Endpoints. Which way is recommended? Set reauthentication at the Cisco ISE Authorization Profile or at the switch port? And which timers are best practice? We use ISE version 2.1.</P> <P>&nbsp;</P> <P>Thanks and best regards,</P> <P>Philipp</P> Tue, 11 Sep 2018 07:53:31 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704608#M507707 pgerstenberger 2018-09-11T07:53:31Z https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704715#M507708 <P>Hey Philipp</P> <P>&nbsp;</P> <P>I assume you're talking about wired NAS?</P> <P>&nbsp;</P> <P>I found this document really handy to answer your question</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.pdf</A> </P> <P>&nbsp;</P> <P>Check out pages 19 and 20.&nbsp; The Termination-Action attributes are quite interesting too.&nbsp; I think I might have to start using those myself <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 11 Sep 2018 11:02:01 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704715#M507708 Arne Bier 2018-09-11T11:02:01Z https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704781#M507709 <P>Use ISE to control the reauthentication timer by setting the following on the switchports:</P> <P>&nbsp;</P> <P>authentication periodic<BR /> authentication timer reauthenticate server</P> <P>&nbsp;</P> <P>Then set the reauthentication timer in ISE.&nbsp; I set a reauthentication timer of 65,000 seconds on all my wired results.&nbsp; Reauthentications ensures two things:</P> <P>&nbsp;</P> <OL> <LI>I have an accurate picture what is on my network every day.</LI> <LI>If I change a policy, i.e. push a new DACL or SGT tag, I know the devices associated with that policy will get the change within a day.</LI> </OL> Tue, 11 Sep 2018 12:48:27 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704781#M507709 paul 2018-09-11T12:48:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704817#M507710 Hey Paul,<BR /><BR />thank you very much for the post. I set the reauthentication at the ISE and it workes! Only one more question. Under Radius-Live Sessions I can see that it is "terminated" after I disconnected the PC. <BR />(Connection: Switch &lt;- Phone &lt;- PC) <BR />This was not working without the reauth because the telephone is not telling the ISE that the session to the PC is now disconnected. But in Radius-Live Logs I still see the session as "active". When is ISE killing the session in Live Logs? <BR /><BR />Thanks<BR />Philipp<BR /> Tue, 11 Sep 2018 13:28:22 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704817#M507710 pgerstenberger 2018-09-11T13:28:22Z https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704820#M507711 What type of phones do you have and are the PC's behind the phones doing 802.1x? If the PCs are doing 802.1x and the phones are doing EAP Proxy Logoff correctly the switch should be terminating the PC's session and communicating that to ISE. If the phone doesn't support EAP proxy Logoff you can also set an inactivity timer as well in ISE if there is a concern about that session hanging out there. I usually don't use the inactivity timer.<BR /><BR /><BR /><BR /><BR /><BR /><BR /> Tue, 11 Sep 2018 13:31:34 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3704820#M507711 paul 2018-09-11T13:31:34Z https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3705308#M507712 <P>Hi Paul,<BR />thanks for the detailed information. But I think that our phones do not support EAP Proxy Logoff.... <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span> Yes, the PCs behind the phones doing 802.1x. So we have to look for the inactivity timer. <BR />Again thank you very much for the support!</P> <P>&nbsp;</P> <P>For those who are interested in setup 802.1x behind VOIP Phone refer to this cisco guide:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html&nbsp;" target="_blank">https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html&nbsp;</A><BR /><BR />Cheers,<BR />Philipp</P> Wed, 12 Sep 2018 06:04:02 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-reauthentication-best-practices/m-p/3705308#M507712 pgerstenberger 2018-09-12T06:04:02Z