https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529022#M572112 <P>I have successfully configured wired MAB with redirect to an ISE Self-Registered Guest Portal. Along with the redirect ACL, I also send a 15 second reauthentication time out. This way the user transitions to full network access quickly after registering a device.</P><P>However, I question if such a low timeout value will be problematic with potentially hundreds of devices at a time that get stuck in redirect state. Is there a best practice for reauthenticating MAB clients quickly and minimize re-auth traffic?</P> Mon, 10 Jan 2022 18:37:53 GMT neteng1 2022-01-10T18:37:53Z https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529022#M572112 <P>I have successfully configured wired MAB with redirect to an ISE Self-Registered Guest Portal. Along with the redirect ACL, I also send a 15 second reauthentication time out. This way the user transitions to full network access quickly after registering a device.</P><P>However, I question if such a low timeout value will be problematic with potentially hundreds of devices at a time that get stuck in redirect state. Is there a best practice for reauthenticating MAB clients quickly and minimize re-auth traffic?</P> Mon, 10 Jan 2022 18:37:53 GMT https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529022#M572112 neteng1 2022-01-10T18:37:53Z https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529048#M572113 <PRE>I question if such a low timeout value will be problematic with potentially hundreds of devices at a time that get stuck in redirect state.</PRE> <P>This where we design the system based on the device, so ISE can handle all this stuff. ignore best pracitice and security practice may have different side effect on security and access point of view - this is my personal suggestion.</P> <P>&nbsp;</P> <P>There is best practice posted by cisco :</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html</A></P> <P>&nbsp;</P> <P>There is good presentation help you :</P> <P>&nbsp;</P> <P><A href="https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3416.pdf" target="_blank">https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3416.pdf</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 10 Jan 2022 19:21:54 GMT https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529048#M572113 balaji.bandi 2022-01-10T19:21:54Z https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529073#M572114 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/856468">@neteng1</a> if you are doing wired guest, the user will stay in the redirection state until they've registered/authenticated to the guest portal. No need for a 15sec reauthentication timer, once the user has successfully registered/authenticated in the guest portal a Change of Authorisation (CoA) would be initiated and the user would be re-authorised again, the user would be authorised against a different authorisation rule. </P> Mon, 10 Jan 2022 20:01:26 GMT https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529073#M572114 Rob Ingram 2022-01-10T20:01:26Z https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529076#M572115 <P>Thank you. I think I have problem with my CoA. I see the following error in live logs. I'll have to troubleshoot.</P><P>&nbsp;</P><P>Event 5417 Dynamic Authorization failed<BR />Failure Reason 11213 No response received from Network Access Device after sending a Dynamic Authorization request</P> Mon, 10 Jan 2022 20:11:04 GMT https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529076#M572115 neteng1 2022-01-10T20:11:04Z https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529080#M572116 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/856468">@neteng1</a> check your switch config and ensure the following is configured.</P> <P>&nbsp;</P> <PRE><FONT face="lucida sans unicode,lucida sans"><SPAN style="left: 120px; top: 1075.8px; font-size: 18.4008px; font-family: serif; transform: scaleX(1.02108);">aaa server radius dynamic-author<BR /> client &lt;ise psn 1&gt; server-key &lt;shared secret&gt;<BR /> client &lt;ise psn 2&gt; server-key </SPAN></FONT><FONT face="lucida sans unicode,lucida sans"><SPAN style="left: 124.16px; top: 1127.4px; font-size: 18.4008px; font-family: serif; transform: scaleX(0.908348);"><SPAN style="left: 120px; top: 1075.8px; font-size: 18.4008px; font-family: serif; transform: scaleX(1.02108);">&lt;shared secret&gt;</SPAN></SPAN></FONT></PRE> <P>&nbsp;</P> Mon, 10 Jan 2022 20:16:44 GMT https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529080#M572116 Rob Ingram 2022-01-10T20:16:44Z https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529111#M572118 <P>I did have that config entered. I found out my problem was an F5 rule, working as expected now. Thanks for your help.</P> Mon, 10 Jan 2022 21:20:58 GMT https://community.cisco.com/t5/network-access-control/wired-mab-reauthentication-retries/m-p/4529111#M572118 neteng1 2022-01-10T21:20:58Z