Cisco Employee

Re: ISE: Reauthentication Timers

A good procedure to keep in mind: whenever an interface setting has been changed, always shut/no shut the interface to remove any odd states such as this. This includes host-mode, timers, order, priority. Reauthentication may not remove certain state whereas terminate would have. Also, when 'authentication periodic' is enabled and 'authentication timer reauthenticate server' is missing, the switch will default to 1 hour as noted. However, if 'authentication timer reauthenticate server' is in place then no timer will be set unless sent from ISE.

Beginner

Re: ISE: Reauthentication Timers

Hi Maxee,

The behaviour that you will get with this config is the following:

Endpoint connects and 802.1x is checked.

The switch will try for (3+1) x 5 sec in case 802.1x fails to fall to MAB authentication.

Once authenticated, the reauthentication timer countdown begins (as defined by the server attribute 27, I think).

The switch will reauthenticate the port transparently.

If you want, you can disable the reauthentication with the following command on the interface:

no authentication periodic

However, it is advisable to have it, but better to put the reauthentication timer to a high value (let's say 8 hours).

The reauthentication timer is useful if you perform a change in your Authz profile and you want to reflect the change to already authenticated devices.

If you don't set this timer and authentication periodic is there, then the default is 1 hour.

Please rate if helpful.
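The timer rules stated in the two replies above can be checked across a whole switch configuration. This is an added example, not part of the original thread: the sample config, interface names, and function names are constructed for illustration, and the numeric form of `authentication timer reauthenticate` (a fixed number of seconds) is included alongside the `server` form the replies discuss.

```python
import re

DEFAULT_REAUTH_SECONDS = 3600  # the 1-hour default both replies mention

# Constructed sample config (not from the thread); interface names are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication periodic
 authentication timer reauthenticate server
!
interface GigabitEthernet1/0/2
 authentication periodic
!
interface GigabitEthernet1/0/3
 authentication periodic
 authentication timer reauthenticate 28800
!
interface GigabitEthernet1/0/4
 switchport mode access
!
"""

def interface_blocks(config):
    """Yield (interface name, [sub-commands]) for each interface stanza."""
    name, cmds = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and name:
            cmds.append(raw.strip())
            continue
        if name:  # any top-level line closes the current stanza
            yield name, cmds
        name = raw.split(None, 1)[1] if raw.startswith("interface ") else None
        cmds = []
    if name:
        yield name, cmds

def reauth_source(commands):
    """Return (source, seconds) describing where the reauth timer comes from."""
    if "authentication periodic" not in commands:
        return ("disabled", None)  # no periodic reauthentication at all
    for cmd in commands:
        m = re.fullmatch(r"authentication timer reauthenticate (server|\d+)", cmd)
        if m and m.group(1) == "server":
            # Timer exists only if ISE sends one (RADIUS attribute 27, Session-Timeout)
            return ("radius", None)
        if m:
            return ("local", int(m.group(1)))
    return ("default", DEFAULT_REAUTH_SECONDS)

def audit(config):
    return {name: reauth_source(cmds) for name, cmds in interface_blocks(config)}
```

Ports reported as `radius` depend entirely on the ISE authorization profile sending a timer, so those are the ones to cross-check against policy.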