Changing Reauthentication Timeout: Pros & Cons
11-16-2016 07:56 AM - edited 03-11-2019 12:14 AM
Hi All,
We are expecting to change the reauthentication timeout (wireless authentication) in a large deployment of ISE, from the default 3600 sec to 4 hours or 24 hours.
In both cases, 4h or 24h.
Do you see any restrictions on doing so?
What can be the pros and cons of changing the reauthentication timeout?
Thank you very much for your answers.
Best regards.
Ludovic

11-16-2016 03:08 PM
Hi,
Check the Reauthentication section. It will give you a better idea.
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-605524.html#wp9000518
Regards
Gagan
rate if it helps!!!!
11-16-2016 03:18 PM
Be considerate of the logging (RADIUS accounting messages) and load (authentication protocol, identity store, EAP-TLS if used and the key length, etc.) since this is a large deployment. You may want to consider centralizing this in ISE by using the session-timeout function.
What is the use case around reducing the reauthentication interval?
Consider redirections if they are a part of your policies, etc.
Thanks,
02-01-2017 10:35 AM
The purpose is just to reduce logs.
No redirection to consider in this case.
Regards
02-01-2017 11:05 AM
It is best practice to increase the authentication timer in order to reduce logs. However, that also decreases your security since devices/users are challenged less frequently. Thus, you run into a potential situation where a terminated user might still have access to your network. With that said, you should have a proper termination checklist where the user/device is properly deleted/disabled and CoA issued :)
So in summary:
Higher timer = Lower logs amount and security
Lower timer = Higher logs amount and security
I hope this helps!
Thank you for rating helpful posts!
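Added example, not part of the original thread or any poster's code: a Python sketch that puts numbers on the trade-off above for the three timers in the question and shows the two standard RADIUS attributes (Session-Timeout with Termination-Action = RADIUS-Request, RFC 2865 / RFC 3580) a server returns to set the timer centrally. The fleet size of 20000 is a constructed value, and the counts assume every endpoint stays connected all day.

```python
import struct

SESSION_TIMEOUT = 27     # RFC 2865 attribute type; value is seconds
TERMINATION_ACTION = 29  # RFC 2865 attribute type
RADIUS_REQUEST = 1       # Termination-Action value: reauthenticate when the timer expires


def reauth_attributes(interval_s):
    """Encode the two Access-Accept attributes that carry the reauth timer."""
    if not 0 < interval_s <= 0xFFFFFFFF:
        raise ValueError("interval must fit a 32-bit RADIUS integer")
    pairs = ((SESSION_TIMEOUT, interval_s), (TERMINATION_ACTION, RADIUS_REQUEST))
    # Each attribute is type (1 byte), length (1 byte, always 6 here), value (4 bytes).
    return b"".join(struct.pack("!BBI", t, 6, v) for t, v in pairs)


def reauths_per_day(endpoints, interval_s):
    """Steady-state reauthentications per day if every endpoint stays connected."""
    return endpoints * 86400 // interval_s


def stale_access_s(session_start, disabled_at, interval_s):
    """Seconds a disabled account keeps access when no CoA is sent."""
    if disabled_at < session_start:
        raise ValueError("account was disabled before the session started")
    elapsed = (disabled_at - session_start) % interval_s
    return interval_s - elapsed  # time left until the next reauthentication fails


def compare(endpoints, intervals):
    """One row per candidate timer: log volume against worst-case exposure."""
    return [
        {"interval_s": i,
         "reauths_per_day": reauths_per_day(endpoints, i),
         "worst_case_stale_s": i,
         "attributes_hex": reauth_attributes(i).hex()}
        for i in intervals
    ]


if __name__ == "__main__":
    # Constructed fleet size; the thread only says "large deployment".
    for row in compare(20000, (3600, 4 * 3600, 24 * 3600)):
        print(row)
    # Account disabled 10 minutes after a reauth on the 24 h timer.
    print(stale_access_s(0, 600, 24 * 3600))
```

The worst-case column is the window that the termination checklist and CoA mentioned above have to close, since the timer alone leaves it open.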
02-06-2017 03:51 AM
Yes, it helps, Neno.
Thank you very much for your answer.
regards
02-06-2017 02:49 PM
You are most welcome! Let us know if you have any additional questions/concerns. If not, then you should mark the thread as "answered" :)
Neno
02-07-2017 03:41 AM
How can I do that, Neno?
02-07-2017 10:45 AM
You should be seeing a "Correct Answer" button under each reply. Click that button under the reply that you found most useful. Also, you can mark multiple answers as "correct."
