Solved: Cisco ISE reauthentication best practices

pgerstenberger · ‎09-11-2018

Hello Community,

we want to reauthenticate our Endpoints. Which way is recommended? Set reauthentication at the Cisco ISE Authorization Profile or at the switch port? And which timers are best practice? We use ISE version 2.1.

Thanks and best regards,

Philipp

Arne Bier · ‎09-11-2018

Hey Philipp

I assume you're talking about wired NAS?

I found this document really handy to answer your question

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.pdf

Check out pages 19 and 20. The Termination-Action attributes are quite interesting too. I think I might have to start using those myself ;-)

View solution in original post

paul · ‎09-11-2018

Use ISE to control the reauthentication timer by setting the following on the switchports:

authentication periodic
authentication timer reauthenticate server

Then set the reauthentication timer in ISE. I set a reauthentication timer of 65,000 seconds on all my wired results. Reauthentications ensures two things:

I have an accurate picture what is on my network every day.
If I change a policy, i.e. push a new DACL or SGT tag, I know the devices associated with that policy will get the change within a day.

View solution in original post

Arne Bier · ‎09-11-2018

Hey Philipp

I assume you're talking about wired NAS?

I found this document really handy to answer your question

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.pdf

Check out pages 19 and 20. The Termination-Action attributes are quite interesting too. I think I might have to start using those myself ;-)

paul · ‎09-11-2018

Use ISE to control the reauthentication timer by setting the following on the switchports:

authentication periodic
authentication timer reauthenticate server

Then set the reauthentication timer in ISE. I set a reauthentication timer of 65,000 seconds on all my wired results. Reauthentications ensures two things:

I have an accurate picture what is on my network every day.
If I change a policy, i.e. push a new DACL or SGT tag, I know the devices associated with that policy will get the change within a day.

pgerstenberger · ‎09-11-2018

Hey Paul,

thank you very much for the post. I set the reauthentication at the ISE and it workes! Only one more question. Under Radius-Live Sessions I can see that it is "terminated" after I disconnected the PC.
(Connection: Switch <- Phone <- PC)
This was not working without the reauth because the telephone is not telling the ISE that the session to the PC is now disconnected. But in Radius-Live Logs I still see the session as "active". When is ISE killing the session in Live Logs?

Thanks
Philipp

paul · ‎09-11-2018

What type of phones do you have and are the PC's behind the phones doing 802.1x? If the PCs are doing 802.1x and the phones are doing EAP Proxy Logoff correctly the switch should be terminating the PC's session and communicating that to ISE. If the phone doesn't support EAP proxy Logoff you can also set an inactivity timer as well in ISE if there is a concern about that session hanging out there. I usually don't use the inactivity timer.

pgerstenberger · ‎09-11-2018

Hi Paul,
thanks for the detailed information. But I think that our phones do not support EAP Proxy Logoff.... :( Yes, the PCs behind the phones doing 802.1x. So we have to look for the inactivity timer.
Again thank you very much for the support!

For those who are interested in setup 802.1x behind VOIP Phone refer to this cisco guide:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html

Cheers,
Philipp