05-25-2017 08:46 PM
When changing CA and local certificates for users performing EAP authentication, would wireless clients that have existing sessions be forced to re-authenticate, or would their existing sessions continue to persist?
Thanks
05-25-2017 09:08 PM
Certificates are used for authentication and are not a mechanism to re-authenticate or do a change of authorization. In the BYOD use case it is different, and I am assuming this is wireless dot1x.
If you change the client certificates and use EAP-TLS – client authentication, then it depends on the re-authentication timers in the WLC, from ISE if using RADIUS session timeout.
Also, if you use session-resume, the supplicant will resume the same session using the cache. However, if you don’t, then it will do a full reauthentication.
Long story short, it is a best practice to force reauthentication if you are concerned about expired certificates, etc.
-Krishnan