We are expecting to change the reauthentication timeout (wireless authentication) in a large deployment of ISE, from 3600 sec by default to 4 hours or 24 hours.
In both cases, 4h or 24h.
Do you see any restrictions on doing so?
What can be the pros and the cons of changing the reauthentication timeout?
Thank you very much for your answers.
Check the Reauthentication section. It will give you a better idea.
Rate if it helps!
Be considerate of the logging (RADIUS accounting messages) and load (authentication protocol, identity store, EAP-TLS if used and the key length, etc.) since this is a large deployment. You may want to consider centralizing this in ISE by using the session-timeout function.
What is the use case around reducing the reauthentication interval?
Consider redirections if they are a part of your policies, etc.
It is best practice to increase the authentication timer in order to reduce logs. However, that also decreases your security since devices/users are challenged less frequently. Thus, you run into a potential situation where a terminated user might still have access to your network. With that said, you should have a proper termination checklist where the user/device is properly deleted/disabled and CoA issued :)
So in summary:
Higher timer = Lower logs amount and security
Lower timer = Higher logs amount and security
I hope this helps!
Thank you for rating helpful posts!
You should be seeing a "Correct Answer" button under each reply. Click that button under the reply that you found most useful. Also, you can mark multiple answers as "correct."