topic WLC / ISE Session extension in Wireless

WLC / ISE Session extension

niknik — Mon, 05 Jul 2021 19:24:18 GMT

I wonder if it is possible to extend session on WLC or ISE? On WLC, I know about Session Timeouts (300-86400s for 802.1X(EAP)), but I need to extend more than that. I need features like Sleeping Clients, but for L2 security. I need my session to remain for more than one day. Is it possible on ISE, maybe?

Thanks in advance,

Nik

Re: WLC / ISE Session extension

Scott Fella — Mon, 17 Aug 2020 09:00:39 GMT

What is the reason you would want to extend this longer? The reason to have sleeping client really was for webauth with iOS devices and to prevent the webauth page to appear to users. With 802.1x and psk for example, what would be the purpose? When the idle timer expires from the device not responding to probes, the controller removes the device from its tables and the device would have to perform a normal authentication to be allowed on the network. Seems like you have devices that just stop working overnight or something?

Re: WLC / ISE Session extension

niknik — Mon, 17 Aug 2020 09:17:58 GMT

Hello Scott,

Thank you for fast reply.

Main reason is because client asked me to do that. They want to extend sessions so when user leaves office nobody can join network with his user/pass if they are somehow exposed. It was a bit confusing to me, so I wanted to check with community.

Re: WLC / ISE Session extension

Scott Fella — Mon, 17 Aug 2020 09:28:39 GMT

Wow... that is typically the opposite. Security wants this lower so that devices that are compromised gets the cert revoked or device gets removed from the domain and the device no longer can get connected.

Re: WLC / ISE Session extension

Scott Fella — Mon, 17 Aug 2020 16:21:46 GMT

Main reason is because client asked me to do that. They want to extend sessions so when user leaves office nobody can join network with his user/pass if they are somehow exposed.

Just keep in mind that this is not possible and that is what you need to explain to your customer. The simple solution for this is to use certificates (EAP-TLS) or look at computer authentication. The idea that a users AD credentials would get exposed is an issue to wired and wireless and that should be addressed another way. If using ISE and AD username/password, then you would need to define a policy on ISE to look if already authenticated. This would not allow any users to access from another device which many might have more than one machine.

Re: WLC / ISE Session extension

niknik — Mon, 17 Aug 2020 17:27:13 GMT

Thank you Scott. Your explanation is really great. I wanted to be sure that WLC is not place where this problem can be solved.

Re: WLC / ISE Session extension

Scott Fella — Mon, 17 Aug 2020 19:31:34 GMT

There is no wlc setting to allow that behavior.