12-05-2019 11:50 AM
I had a couple of questions regarding authentication periodic.
If you do not have authentication periodic configured on a switch port, does that mean a device will only have to authenticate 1 time until the inactivity timer expires?
Would it be a bad practice to only authenticate devices 1 time?
12-05-2019 06:27 PM
A couple of things come to mind. First, from a security perspective, someone could use a hub or other device that keeps the link state of the port up and is able to plug a rogue device in after the good device authenticates. Then the rogue device would have access seemingly for a long period of time without having to reauthenticate. Reauthenticating at least every 12 hours may not stop this activity but would cause the rogue actor some headaches.
Second, for visibility, troubleshooting, and/or reporting, you may miss some devices if they haven't authenticated in the previous day or so. ISE Live Logs only go back for 24 hours. And some of the reporting gets slow if you try to go back more than 7 days. I personally like to be able to filter on an IP, MAC address, or username/machine name to be able to see whether someone is online and what switch/port they are on. You wouldn't be able to trust the Live Logs if you aren't sure if they authenticated recently or not.
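The two port states discussed above, as an added configuration example (not from the original thread): an access port that authenticates once and then trusts link state, beside the same port with periodic reauthentication every 12 hours. Legacy IOS (IBNS 1.0) interface syntax is assumed, as are the interface name, the 3600-second inactivity timer, and that `aaa new-model` and `dot1x system-auth-control` are already configured globally; the 12-hour interval follows the reply.

```cisco
! Added example, not from the original thread. Assumes legacy IOS (IBNS 1.0)
! interface syntax and that AAA / dot1x are already enabled globally.
! GigabitEthernet1/0/1 and the 3600 s inactivity value are assumptions;
! 43200 s (12 hours) is the reauth interval suggested in the reply.

! --- Before: authenticate once, then rely on link state ---
! Without "authentication periodic" the session lasts until link-down or
! until the inactivity timer fires, so anything that keeps the link up
! (a hub, for example) lets a swapped-in device ride the original session.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 mab
!
! --- After: force reauthentication at least every 12 hours ---
! "authentication periodic" turns reauthentication on; the reauth timer
! bounds how long a session can live before the endpoint must prove
! itself again, and the inactivity timer clears silent sessions sooner.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 43200
 authentication timer inactivity 3600
 dot1x pae authenticator
 mab
!
! Alternative to a fixed value: let the RADIUS server (ISE) set the interval
! per session via the Session-Timeout attribute in its authorization profile.
! authentication timer reauthenticate server
!
! Verify the session and its remaining reauth time on the port:
! show authentication sessions interface GigabitEthernet1/0/1 details
```

The `details` output is also where to confirm, per session, that the timer actually applied; a session that never shows a reauth countdown is still in the "authenticate once" state described in the reply.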