Reauthentication Timer

Jason Weids
Level 1

Hello,

Why do devices that are unknown or that have no authorization policy constantly try to reauth every minute? Surely once they have failed and been denied access a few times you don't want them constantly sending RADIUS requests. Is there a way to change the reauth timer so it only reauths when the port transitions to "up connected"?

Jason

8 Replies

paul
Level 10 (Accepted Solution)

Unless you are doing a complete whitelisted setup, you really shouldn't be denying access to the network.  Every device should have an authorization policy applied.  The default policy should be a Limited Access policy with a DACL applied to allow access to the PSNs and DNS.  DNS is there to allow redirection to a portal if you want.

We are whitelisting. Nothing should be allowed to connect to the wired network in our environment unless it is a "known/trusted" device. The devices we are seeing which are not authorised are filling our live RADIUS logs, and it is these I want to limit.

Even in a whitelisted setup I would still not deny as the last rule in the wired MAB policy set. Allow the connection and put a DACL on to limit access to the ISE PSNs and maybe other security products to allow a device not whitelisted to be profiled/scanned to gather information about it.

That's really helpful. That might be what you would do, but in our environment we only allow authorised devices on the wired network.

Mike.Cifelli
VIP Alumni

If you are not using an ISE authorization policy result that pushes a reauthentication timer, then the fallback will be whatever you have configured on the host port:

dot1x reauthentication
dot1x timeout reauth-period (seconds)

Those commands will enable periodic re-authentication and set the number of seconds between re-authentication attempts.

HTH!

Can you do this with MAB authentication?

hslai
Cisco Employee

I agree with paul.

dot1x timeout quiet-period seems like what you asked for.

I probably should have mentioned we are doing MAB authentication not dot1x
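An added example, not taken from any of the posts above, that places the host-port timers Mike.Cifelli and hslai mention into one Catalyst IOS access-port configuration for MAB, using the legacy (pre-IBNS 2.0) authentication manager syntax. The interface name, VLAN and timer values are assumed for illustration.

```cisco
! Added example (not from this thread): Catalyst IOS access port doing MAB,
! showing where the re-authentication timers discussed above are set.
! Interface name, VLAN and timer values are assumed.
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 10
 ! MAB first, 802.1X available as a fallback; ISE decides authorization
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Periodic re-auth of already authorized sessions; "server" lets the
 ! ISE authorization profile (RADIUS Session-Timeout) supply the interval
 ! instead of a fixed value on the port
 authentication periodic
 authentication timer reauthenticate server
 ! Interval after which the switch retries authentication on a port that
 ! is still unauthorized (failed/denied); raising it slows the repeated
 ! RADIUS requests from unknown devices (value assumed)
 authentication timer restart 3600
 ! Quiet period after a failed 802.1X exchange (the command hslai
 ! mentions); it applies to dot1x, not to the MAB retry interval above
 dot1x timeout quiet-period 300
! To check which timers and state a port session is actually using:
!   show authentication sessions interface GigabitEthernet1/0/10
```

The value pushed from ISE wins over the port setting only when the authorization profile actually carries a reauthentication timer; otherwise the port-level timers above are what the switch uses.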
