28065 Views, 30 Helpful, 16 Replies

ISE: Reauthentication Timers

Maxee
Level 1

Good day all,

I'm having some trouble understanding the reauthentication timers or configuration on IOS and ISE.

We are using the "Closed Mode" deployment, where we authenticate clients with certificates or MAC address and use security groups in Active Directory to tell the switchport which VLAN to use. That works fine with our current setup (but with some issues with PXE, where we have to set the tx-period differently on different switch models).

We've deployed IP-Phones (not Cisco) with integrated pass-through port for computers, which we have to keep in mind.

This is the default switchport configuration we deploy for all our switches since we migrated from ACS to ISE.

interface GigabitEthernet0/48
description Default
switchport access vlan XX
switchport mode access
switchport voice vlan XX
authentication control-direction in
authentication event server dead action authorize vlan XX
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server dynamic
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 3
spanning-tree portfast edge
spanning-tree bpduguard enable
spanning-tree guard root
!

Now the main issue is that the ISE live logs get spammed with "Session is started" messages or reauthentications (sometimes simultaneously, when the switch was rebooted and all devices authenticated at the same time). My understanding was that if we set "authentication timer reauthenticate server", ISE dictates the timers, and if we don't set timers on ISE, reauthentication is disabled. Well, that was wrong...

So how can I do better on ISE and the switches to get the optimal results?

Thanks.

16 Replies

howon
Cisco Employee

A good procedure to keep in mind is: whenever an interface setting has been changed, always shut/no shut the interface to remove any odd states such as this. This includes host-mode, timers, order, and priority. Reauthentication may not remove certain state, whereas terminate would have. Also, when 'authentication periodic' is enabled and 'authentication timer reauthenticate server' is missing, the switch will default to 1 hour as noted. However, if 'authentication timer reauthenticate server' is in place, then no timer will be set unless one is sent from ISE.

bern81
Level 1

Hi Maxee,

The behaviour that you will get with this config is the following:

The endpoint connects and 802.1x is checked.

The switch will try for (3+1) x 5 sec; if 802.1x fails, it falls back to MAB authentication.

Once authenticated, the reauthentication timer countdown begins (as defined by server attribute 27, I think).

The switch will reauthenticate the port transparently.

If you want, you can disable reauthentication with the following command on the interface:

no authentication periodic

However, it is advisable to have it, but better to set the reauthentication timer to a high value (let's say 8 hours).

The reauthentication timer is useful if you make a change in your Authz profile and want to reflect the change on already authenticated devices.

If you don't set this timer and authentication periodic is there, then the default is 1 hour.

Please rate if helpful.
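The behaviour bern81 describes above, together with howon's point that a missing timer falls back to one hour, modelled in Python as an added example (this is not code from the thread, from Cisco, or from ISE). It parses a constructed copy of the interface block from the original post, computes how long a supplicant-less endpoint waits before the switch falls back to MAB (the PXE issue the original poster mentions), and reports the effective reauthentication interval for a given set of RADIUS attributes. The interface text and the RADIUS attribute values are constructed; the dot1x defaults (tx-period 30 s, max-reauth-req 2) and the handling of Termination-Action at Session-Timeout expiry are assumptions of the model, not something the thread states.

```python
"""Model of the reauthentication and MAB-fallback behaviour discussed in this
thread. Added example, not code from the thread or from Cisco. SAMPLE_INTERFACE
is a constructed copy of the block in the original post; RADIUS values passed
in are likewise constructed."""
import re

# Assumed IOS defaults for this model (the 1-hour reauth default is the one
# the thread states; the dot1x defaults are the usual platform defaults).
DEFAULT_TX_PERIOD = 30          # dot1x timeout tx-period, seconds
DEFAULT_MAX_REAUTH_REQ = 2      # dot1x max-reauth-req
DEFAULT_REAUTH_TIMER = 3600     # authentication timer reauthenticate, seconds

# RADIUS attributes the switch honours with 'timer reauthenticate server'.
ATTR_SESSION_TIMEOUT = 27       # Session-Timeout, seconds
ATTR_TERMINATION_ACTION = 29    # Termination-Action
TERMINATION_RADIUS_REQUEST = 1  # 1 = RADIUS-Request (reauth), 0 = Default

SAMPLE_INTERFACE = """\
interface GigabitEthernet0/48
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 3
"""


def parse_interface(text):
    """Extract the timer-relevant settings from an IOS interface block."""
    cfg = {"periodic": False, "server_timer": False, "reauth_timer": None,
           "tx_period": DEFAULT_TX_PERIOD,
           "max_reauth_req": DEFAULT_MAX_REAUTH_REQ, "order": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "authentication periodic":
            cfg["periodic"] = True
        elif line == "no authentication periodic":
            cfg["periodic"] = False
        elif m := re.fullmatch(r"authentication timer reauthenticate (server|\d+)", line):
            if m.group(1) == "server":
                cfg["server_timer"] = True
            else:
                cfg["reauth_timer"] = int(m.group(1))
        elif m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            cfg["tx_period"] = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            cfg["max_reauth_req"] = int(m.group(1))
        elif m := re.fullmatch(r"authentication order (.+)", line):
            cfg["order"] = m.group(1).split()
    return cfg


def mab_fallback_seconds(cfg):
    """Seconds a supplicant-less endpoint (printer, PXE client) waits before the
    switch gives up on dot1x: first EAP-Request/Identity plus max-reauth-req
    retransmissions, each tx-period apart. None if dot1x-then-MAB is not used."""
    if cfg["order"][:1] != ["dot1x"] or "mab" not in cfg["order"]:
        return None
    return (cfg["max_reauth_req"] + 1) * cfg["tx_period"]


def reauth_behaviour(cfg, radius_attrs=None):
    """Return (action, seconds) for an authorised session, following the thread:
    no 'authentication periodic' -> off; 'timer reauthenticate server' -> only
    what ISE sends in Session-Timeout; otherwise the local value or 1 hour."""
    attrs = radius_attrs or {}
    if not cfg["periodic"]:
        return ("off", None)
    if cfg["server_timer"]:
        timeout = attrs.get(ATTR_SESSION_TIMEOUT)
        if timeout is None:
            return ("off", None)
        # Model assumption: Termination-Action decides reauth vs. terminate.
        if attrs.get(ATTR_TERMINATION_ACTION) == TERMINATION_RADIUS_REQUEST:
            return ("reauthenticate", timeout)
        return ("terminate", timeout)
    return ("reauthenticate", cfg["reauth_timer"] or DEFAULT_REAUTH_TIMER)


def audit(cfg, radius_attrs=None):
    """Findings to check before blaming ISE for noisy live logs."""
    findings = []
    action, secs = reauth_behaviour(cfg, radius_attrs)
    if cfg["periodic"] and not cfg["server_timer"] and cfg["reauth_timer"] is None:
        findings.append("periodic reauth without a timer: switch uses the 3600 s default")
    if cfg["server_timer"] and action == "off":
        findings.append("timer is server-driven but no Session-Timeout was returned")
    if action == "reauthenticate" and secs < 8 * 3600:
        findings.append(f"reauth every {secs} s; the thread suggests a high value such as 8 h")
    fallback = mab_fallback_seconds(cfg)
    if fallback is not None:
        findings.append(f"MAB fallback after {fallback} s of dot1x silence")
    return findings


if __name__ == "__main__":
    cfg = parse_interface(SAMPLE_INTERFACE)
    accept = {ATTR_SESSION_TIMEOUT: 3600, ATTR_TERMINATION_ACTION: TERMINATION_RADIUS_REQUEST}
    for finding in audit(cfg, accept):
        print(finding)
```

Run as-is, the audit reports the 20 s dot1x-to-MAB fallback that the (3+1) x 5 sec arithmetic above gives, and flags the hourly reauthentication an ISE authorization profile with a 3600 s Session-Timeout would cause; pass no attributes and it instead reports that the server-driven timer leaves reauthentication off, which is the case the original poster expected. Swap in an 8-hour Session-Timeout to see the reauthentication warning disappear.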