https://community.cisco.com/t5/network-access-control/ise-reauthentication/m-p/3458112#M519112 <HTML><HEAD></HEAD><BODY><P>Recommended reauth / session timeout value is 2 hours.&nbsp; To Jason's point, you typically do not need to reauth very often.&nbsp; Idle timeouts are typically used to detect cases where user no longer present, especially if clients not directly connecting to switchport.&nbsp; If directly connected, then typically no reason to reauth until disconnect and reconnect, and this happens automatically.&nbsp; You may want to compromise and set reauth to 1/day with RADIUS Accounting updates being sent every 2-3 days to keep session status updated in ISE.</P><P></P><P>Craig</P></BODY></HTML> Thu, 14 Dec 2017 16:58:13 GMT Craig Hyps 2017-12-14T16:58:13Z https://community.cisco.com/t5/network-access-control/ise-reauthentication/m-p/3458110#M519107 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P>Is there a way to randomise the time for the reauthentication for ISE clients? When we select "Reauthentication" in the authorization profile it asks me an exact time in seconds to do the reauthentication. If possible, I would like to enter a range of time with min and max values, and ISE can select a random time from that range for each client.</P><P>My aim is to distribute the load on ISE to a wide range of time. Currently, in the morning all of the clients are logging in approximately in half an hour then after the reauthentication time same thing goes on again in half an hour. It would be great to widen this time to an hour or a couple of hours.</P><P></P><P>Regards,</P></BODY></HTML> Thu, 14 Dec 2017 15:29:30 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication/m-p/3458110#M519107 Ufuk Gudulluoglu 2017-12-14T15:29:30Z https://community.cisco.com/t5/network-access-control/ise-reauthentication/m-p/3458111#M519110 <HTML><HEAD></HEAD><BODY><P style="color: #000000; font-family: -webkit-standard;">There is no feature and don't really see the need.&nbsp; </P><P style="color: #000000; font-family: -webkit-standard;"></P><P style="color: #000000; font-family: -webkit-standard;">From our SME <A href="https://community.cisco.com//u1/38995">hslai</A> Human nature is a great random factor. <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P style="color: #000000; font-family: -webkit-standard;"></P><P style="color: #000000; font-family: -webkit-standard;">In case it’s robotic logins, setting this re-auth timers randomly in ISE authorization profiles can only help reauth.</P><P style="color: #000000; font-family: -webkit-standard;"></P><P style="color: #000000; font-family: -webkit-standard;">Anyhow, reauth every 1/2 hour is too often. I believe our recommendation is every 3 or 4 days.</P></BODY></HTML> Thu, 14 Dec 2017 16:08:58 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication/m-p/3458111#M519110 Jason Kunst 2017-12-14T16:08:58Z https://community.cisco.com/t5/network-access-control/ise-reauthentication/m-p/3458112#M519112 <HTML><HEAD></HEAD><BODY><P>Recommended reauth / session timeout value is 2 hours.&nbsp; To Jason's point, you typically do not need to reauth very often.&nbsp; Idle timeouts are typically used to detect cases where user no longer present, especially if clients not directly connecting to switchport.&nbsp; If directly connected, then typically no reason to reauth until disconnect and reconnect, and this happens automatically.&nbsp; You may want to compromise and set reauth to 1/day with RADIUS Accounting updates being sent every 2-3 days to keep session status updated in ISE.</P><P></P><P>Craig</P></BODY></HTML> Thu, 14 Dec 2017 16:58:13 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication/m-p/3458112#M519112 Craig Hyps 2017-12-14T16:58:13Z