topic Re: Cisco ISE: 802.1x Timers Best Practices / Re-authentication Time in Network Access Control

Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]

Mubasher Sultan - 2x CCIE # 20149 (R&S | Sec) — Mon, 11 Mar 2019 03:50:46 GMT

Dear Folks,

Kindly, suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should i keep default all or change or some of them?

Also, what do we need reauthentication timers? Any benefit to use it? Does it prompt to users or became invisible? and What are the best values, in case if we need to use it?

Thanks,

Regards,

Mubasher

My Interface Configuration is as below;

---

interface GigabitEthernet1/34

switchport access vlan 131

switchport mode access

switchport voice vlan 195

ip access-group ACL-DEFAULT in

authentication event fail action authorize vlan 131

authentication event server dead action authorize vlan 131

authentication event server alive action reinitialize

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

snmp trap mac-notification change added

dot1x pae authenticator

dot1x timeout tx-period 5

storm-control broadcast level 30.00

spanning-tree portfast

spanning-tree bpduguard enable

----

Cisco ISE: 802.1x Timers Best Practices / Re-authentication Time

Anas Naqvi — Mon, 02 Sep 2013 18:31:29 GMT

Hello Mubashir,

Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).

The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.

Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.

Configure the tx-period timer.

C3750X(config-if-range)#dot1x timeout tx-period 10

Cisco ISE: 802.1x Timers Best Practices / Re-authentication Time

Mubasher Sultan - 2x CCIE # 20149 (R&S | Sec) — Wed, 04 Sep 2013 11:01:07 GMT

Dear Sir,

I already configured it as "dot1x timeout tx-period 5".

I have the situation that e.g., our users put the PC on sleep (or hibernate) on a regular basis... Sometimes, the dot1x gets stuck longer in POSTURE and sometime meets with the default policy, which is not acceptable.

Also, what does re-authentication timer do ? Can it help in this case?

Regards,

Mubasher Sultan

Re: Cisco ISE: 802.1x Timers Best Practices / Re-authentication Time

mohan.doss19 — Sun, 03 Jun 2018 09:43:51 GMT

Hi Team,

I am also facing the same issue , any suggestions pls