Disable Re-Authentication timers for wired

umahar
Cisco Employee

Hi Experts,

I have a customer who is exploring 2FA authentication for wired dot1x and does not want to enable re-authentication so that users are prompted for credentials during re-auth.

Is there any downside to it other than the fact that endpoints that remain connected will remain authenticated until disconnected or rebooted?

The command aaa accounting update newinfo periodic 2880 will be there so that these active sessions will be maintained on ISE as well.

1 Accepted Solution

Accepted Solutions

paul
Level 10

The main downside in my mind with turning off reauthentication is you are potentially hurting yourself in the future when you want to change security settings for authenticated users.  Say at some point you want to do differential DACLs or apply SGT tags.  All my MAB and Dot1x authorization profiles have reauth set to 65000 seconds (19 hours roughly).  I know that any change in wired authorization profiles I make will be everywhere within 19 hours.  If you shut off reauth you either manually have to go out and do "clear auth sessions" or wait for people to disconnect/reconnect.

Now in your case with 2FA you probably don't have a choice.


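For reference, an added IOS configuration example (not from Paul's reply or any poster in this thread) putting the two approaches side by side: a port that re-authenticates on the interval the ISE authorization profile returns (Paul's 65000-second setting) and a port with periodic re-authentication switched off, as the customer intends, together with the interim accounting update from the question. The interface names, host mode and RADIUS server group are assumed values.

```ios
! Added example, not from the thread. Interface names and server group are assumed.
! Global AAA: session accounting plus the interim update from the question, so ISE
! keeps long-lived sessions alive even when they never re-authenticate.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting update newinfo periodic 2880
dot1x system-auth-control
!
! Option A (Paul's approach): re-authenticate on the interval the ISE authorization
! profile sends in Session-Timeout (65000 s), so a profile change reaches every
! port within that window without a manual "clear authentication sessions".
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
!
! Option B (the customer's approach for 2FA): no periodic re-authentication, so
! users are never re-prompted for a second factor. Sessions persist until
! link-down, reboot, or an operator clears them, so an authorization change or a
! revoked certificate is not applied to a connected endpoint until then.
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 no authentication periodic
 mab
 dot1x pae authenticator
```

To check which behaviour a port actually has, "show authentication sessions interface GigabitEthernet1/0/1 details" reports the session timeout and whether it came from the server; "clear authentication sessions interface GigabitEthernet1/0/2" is the manual fallback Paul mentions for ports without re-authentication.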
3 Replies

Craig Hyps
Level 10

Yes, that is a valid option.

umahar
Cisco Employee

Thanks for your input Paul.

I already discussed this with them.

I also discussed a use case of certs getting revoked.

Thanks,

Utkarsh