Changing Re Authentication timeout : Pros & Cons

Hi All,

We are expecting to change the reauthentication timeout (wireless authentication) in a large ISE deployment, from the default of 3600 sec to 4 hours or 24 hours.

In both cases, 4h or 24h.

Do you see any restrictions on doing so?

What are the pros and cons of changing the reauthentication timeout?

Thank you very much for your answers.

Best regards.

Ludovic

Cisco Employee

Hi,

Check the Reauthentication section. It will give you a better idea.

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-605524.html#wp9000518

Regards

Gagan

Rate if it helps!

Be considerate of the logging (RADIUS accounting messages) and load (authentication protocol, identity store, EAP-TLS if used and the key length, etc.) since this is a large deployment. You may want to consider centralizing this in ISE by using the session-timeout function.

What is the use case around reducing the reauthentication interval?

Consider redirections if they are a part of your policies, etc.

Thanks,

The purpose is just to reduce logs.

No redirection to consider in this case.

Regards

It is best practice to increase the authentication timer in order to reduce logs. However, that also decreases your security since devices/users are challenged less frequently. Thus, you run into a potential situation where a terminated user might still have access to your network. With that said, you should have a proper termination checklist where the user/device is properly deleted/disabled and CoA issued :)

So in summary:

Higher timer = Lower logs amount and security

Lower timer = Higher logs amount and security

I hope this helps!

Thank you for rating helpful posts!

Yes, it helps, Neno.

Thank you very much for your answer.

Regards

You are most welcome! Let us know if you have any additional questions/concerns. If not, then you should mark the thread as "answered" :)

Neno

How can I do that, Neno?

You should be seeing a "Correct Answer" button under each reply. Click that button under the reply that you found most useful. Also, you can mark multiple answers as "correct."