https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3752008#M96979 <P>Additional information. I am authenticating these devices (printers) via MAB. Will the RADIUS reauthentication timer function while using MAB?</P> Fri, 23 Nov 2018 19:31:43 GMT RSundstrom 2018-11-23T19:31:43Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/2315594#M96971 <P>Hi,</P><P></P><P>I am doing authentication of endpoint devices. The default reauthentication timer on switchports are 3600 seconds. Why is reauthentication needed? Isn't it enough that a device is authenticated when it connects only?</P><P></P><P>When the reauthentication timer is set to server (<EM>authentication timer reauthenticate server</EM>), I guess that the server is ISE. Where in ISE do I configure the timer?</P><P></P><P>Regards,</P><P>Philip</P> Mon, 11 Mar 2019 04:00:58 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/2315594#M96971 Philip Vilhelmsson 2019-03-11T04:00:58Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/2315595#M96972 <HTML><HEAD></HEAD><BODY><P>Philip, </P><P></P><P>I'll provide you one of many use-cases of reauthentication, imagine that you authenticate with certificates.</P><P>If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authnenticated prior to you noticing. </P><P>So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time. </P><P></P><P>That being said we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.</P><P></P><P>On ISE you can send auth timers from authorization policy</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/8/4/8/162848-Screen%20Shot%202013-10-18%20at%208.28.11%20PM.png" class="jive-image" /></P></BODY></HTML> Tue, 22 Oct 2013 08:15:13 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/2315595#M96972 Marcin Latosiewicz 2013-10-22T08:15:13Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3704632#M96973 <P>Which method is recommended? Doing reauthentication with switchport configuration or doing reauthentication with ise <SPAN>authorization policy?</SPAN></P> Tue, 11 Sep 2018 08:43:51 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3704632#M96973 pgerstenberger 2018-09-11T08:43:51Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3704938#M96974 Recommend looking at the best practice guide.<BR /><A href="https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515" target="_blank">https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515</A><BR /><BR />Setting it on ISE allows you to globally control and change it across all your network<BR /> Tue, 11 Sep 2018 15:15:34 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3704938#M96974 Jason Kunst 2018-09-11T15:15:34Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3711398#M96975 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/323015">@Marcin Latosiewicz</a>&nbsp;wrote:<BR /> <P>Philip,</P> <P>&nbsp;</P> <P>I'll provide you one of many use-cases of reauthentication, imagine that you authenticate with certificates.</P> <P>If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authnenticated prior to you noticing.</P> <P>So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time.</P> <P>&nbsp;</P> <P>That being said we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.</P> <P>&nbsp;</P> <P>On ISE you can send auth timers from authorization policy</P> <P><IMG class="jive-image" src="http://supportforums.cisco.com/sites/default/files/legacy/8/4/8/162848-Screen%20Shot%202013-10-18%20at%208.28.11%20PM.png" border="0" /></P> <HR /></BLOCKQUOTE> <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/323015">@Marcin Latosiewicz</a>&nbsp;wrote:<BR /> <P>Philip,</P> <P>&nbsp;</P> <P>I'll provide you one of many use-cases of reauthentication, imagine that you authenticate with certificates.</P> <P>If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authnenticated prior to you noticing.</P> <P>So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time.</P> <P>&nbsp;</P> <P>That being said we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.</P> <P>&nbsp;</P> <P>On ISE you can send auth timers from authorization policy</P> <P><IMG class="jive-image" src="http://supportforums.cisco.com/sites/default/files/legacy/8/4/8/162848-Screen%20Shot%202013-10-18%20at%208.28.11%20PM.png" border="0" /></P> <HR /></BLOCKQUOTE> <P>Is really necessary to specify the Radius Idle Timeout value in addition to the reauth timer? Will the Radius Idle Timeout suffice?</P> Fri, 21 Sep 2018 21:48:26 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3711398#M96975 toyip 2018-09-21T21:48:26Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3747655#M96976 <P>Hello,</P> <P>I will add the same question to this string. Does anyone know if the "Common Tasks" &gt; "Reauthentication Timer" set at 65,534 will also require the "Advanced Attributes Settings" &gt; Radius: Idle-Timeout to also be set at 65,534 seconds for the timed&nbsp;reauth to function?</P> <P>I have my Reauthentication Timer set at 65,534 and I am having no timed reauthentications take place.</P> Thu, 15 Nov 2018 20:54:50 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3747655#M96976 RSundstrom 2018-11-15T20:54:50Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3748360#M96977 Doesn’t sound right to me. Let me research this<BR /> Fri, 16 Nov 2018 19:54:04 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3748360#M96977 Jason Kunst 2018-11-16T19:54:04Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3748382#M96978 <P>As <A href="https://community.cisco.com/t5/user/viewprofilepage/user-id/199790" target="_blank">Jason Kunst</A>&nbsp;pointed out, that is not expected behavior if the value input without the comma; i.e. 65534.</P> <P>Please check the RADIUS authentication detailed report and see whether ISE sending down the specified timer value. If ISE does not, it seems an issue in your ISE. If ISE does, then there might be an issue in your NAD to use the value; please verify the configuration, see whether the remaining session timeout value decrementing as expected in "show auth session &lt;&gt; detail", and enable RADIUS debug on the NAD.</P> Fri, 16 Nov 2018 20:33:25 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3748382#M96978 hslai 2018-11-16T20:33:25Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3752008#M96979 <P>Additional information. I am authenticating these devices (printers) via MAB. Will the RADIUS reauthentication timer function while using MAB?</P> Fri, 23 Nov 2018 19:31:43 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/3752008#M96979 RSundstrom 2018-11-23T19:31:43Z https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/4274671#M564837 <P>Does this command cause disconnection of endpoints configured for posture. Is it recommended to use with NAM supplicant?</P> Mon, 18 Jan 2021 15:37:31 GMT https://community.cisco.com/t5/network-access-control/ise-reauthentication-timer/m-p/4274671#M564837 aravikumar 2021-01-18T15:37:31Z