05-08-2019 06:55 AM
I currently have my re-auth timer on my switchports set to 2 hours. After a recent ISE failure due to a bad patch, I realized that 2 hours was too low. It's also too difficult to change since I have to touch every switchport. I'm thinking it would be best to use radius attributes from ISE to set the re-auth timer, and to go to a longer re-auth timer...especially for my historically static devices. What are the general thoughts on this?
05-08-2019 07:42 AM - edited 05-08-2019 07:43 AM
I see many customers with 8 hours to 10 hours to cover work day. Max is around 18 hours for wired. If using MAB first before 802.1X make sure to send additional VSA (cisco-av-pair = termination-action-modifier=1) so endpoints are not disconnected during reauth: https://community.cisco.com/t5/security-documents/top-ten-mis-configured-cisco-ios-switch-settings-for-ise/ta-p/3643912#toc-hId--1759816418
05-08-2019 07:37 AM
So in my experience this is typically determined by your requirements. For example, I work at a site where the STIG requirements are re-auth every 60 minutes. Instead of statically assigning each port you can force re-auth in your authorization profiles. See below:
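To make the attribute-based approach concrete, here is an added example that is not part of either reply above (nor the screenshot the second reply refers to). It encodes and decodes the RADIUS attributes an Access-Accept would carry to drive re-authentication from the server: the standard Session-Timeout (type 27) and Termination-Action (type 29) from RFC 2865, plus the Cisco cisco-av-pair VSA `termination-action-modifier=1` the accepted answer mentions. The RADIUS wire format and the Cisco vendor ID (9) / cisco-av-pair vendor-type (1) are facts; which of these attributes a given ISE authorization profile actually emits, and that the switch is configured to honor the server-supplied timer (on IOS, `authentication timer reauthenticate server`), are assumptions of this example. The decoder rejects malformed length fields rather than reading past the buffer.

```python
import struct

# RADIUS attribute types (RFC 2865)
SESSION_TIMEOUT = 27       # integer: seconds until the switch must re-authenticate
TERMINATION_ACTION = 29    # integer: 0 = Default (drop session), 1 = RADIUS-Request (re-auth)
VENDOR_SPECIFIC = 26       # carries vendor-id + vendor-type + vendor-length + value
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1           # vendor-type for cisco-av-pair


def _attr(attr_type, value):
    """Type(1) Length(1) Value(n); Length counts the header, max 255."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def integer_attr(attr_type, value):
    return _attr(attr_type, struct.pack("!I", value))


def cisco_avpair(text):
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def reauth_attributes(reauth_seconds, keep_session_on_reauth=True):
    """Attributes for an Access-Accept that sets the re-auth timer centrally.

    keep_session_on_reauth adds the VSA from the accepted answer so a MAB
    session is not torn down while the re-auth is in progress (assumption:
    the profile in ISE is built to send exactly these attributes).
    """
    attrs = integer_attr(SESSION_TIMEOUT, reauth_seconds)
    attrs += integer_attr(TERMINATION_ACTION, 1)   # RADIUS-Request: re-auth, don't drop
    if keep_session_on_reauth:
        attrs += cisco_avpair("termination-action-modifier=1")
    return attrs


def parse_attributes(buf):
    """Decode a run of attributes into (type, vendor_id, vendor_type, value) tuples."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed attribute length")
        value = buf[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("truncated vendor-specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("malformed vendor attribute length")
            out.append((attr_type, vendor_id, vtype, value[6:4 + vlen]))
        else:
            out.append((attr_type, None, None, value))
        i += length
    return out


def describe(attrs):
    """Human-readable view of the re-auth related attributes in a buffer."""
    result = {}
    for attr_type, vendor_id, vtype, value in parse_attributes(attrs):
        if attr_type == SESSION_TIMEOUT:
            result["Session-Timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == TERMINATION_ACTION:
            action = struct.unpack("!I", value)[0]
            result["Termination-Action"] = "RADIUS-Request" if action == 1 else "Default"
        elif attr_type == VENDOR_SPECIFIC and vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
            result.setdefault("cisco-av-pair", []).append(value.decode())
    return result


if __name__ == "__main__":
    # 8-hour timer for a workstation profile, as in the accepted answer's range
    print(describe(reauth_attributes(8 * 3600)))
```

Because the timer now travels in the Access-Accept, changing it for a class of devices means editing one authorization profile in ISE rather than touching every switchport, which is the operational point the question raises.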