cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1029
Views
0
Helpful
3
Replies

Disable Re-Authentication timers for wired

umahar
Cisco Employee
Cisco Employee

Hi Experts,

I have a customer who is exploring 2FA authentication for wired dot1x and does not want to enable re-authentication so that users are prompted for credentials during re-auth.

Is there any downside to it other than the fact that endpoints who remain connected will remain authenticated until disconnected or rebooted.

The command aaa accounting update newinfo periodic 2880 will be there so that these active sessions will be maintained on ISE as well.

1 Accepted Solution

Accepted Solutions

paul
Advocate
Advocate

The main downside in my mind with turning off reauthentication is you are potentially hurting yourself in the future when you want to change security settings for authenticated users.  Say at some point you want to do differential DACLs or apply SGT tags.  All my MAB and Dot1x authorization profiles have reauth set to 65000 seconds (19 hours roughly).  I know that any change in wired authorization profiles I make will be everywhere within 19 hours.  If you shut off reauth you either manually have to go out and do "clear auth sessions" or wait for people to disconnect/reconnect.

Now in your case with 2FA you probably don't have a choice.

View solution in original post

3 Replies 3

Craig Hyps
Advocate
Advocate

Yes, that is a valid option.

paul
Advocate
Advocate

The main downside in my mind with turning off reauthentication is you are potentially hurting yourself in the future when you want to change security settings for authenticated users.  Say at some point you want to do differential DACLs or apply SGT tags.  All my MAB and Dot1x authorization profiles have reauth set to 65000 seconds (19 hours roughly).  I know that any change in wired authorization profiles I make will be everywhere within 19 hours.  If you shut off reauth you either manually have to go out and do "clear auth sessions" or wait for people to disconnect/reconnect.

Now in your case with 2FA you probably don't have a choice.

umahar
Cisco Employee
Cisco Employee

Thanks for your input Paul.

I already discussed this with them.

I also discussed a use case of certs getting revoked.

Thanks,

Utkarsh

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers