
05-01-2018 08:23 AM
Hi Experts,
I have a customer who is exploring 2FA authentication for wired dot1x and does not want to enable re-authentication so that users are prompted for credentials during re-auth.
Is there any downside to it other than the fact that endpoints that remain connected will remain authenticated until disconnected or rebooted?
The command aaa accounting update newinfo periodic 2880 will be there so that these active sessions will be maintained on ISE as well.
Labels: Identity Services Engine (ISE)
Accepted Solutions

05-01-2018 12:34 PM
The main downside in my mind with turning off reauthentication is that you are potentially hurting yourself in the future when you want to change security settings for authenticated users. Say at some point you want to do differential DACLs or apply SGT tags. All my MAB and Dot1x authorization profiles have reauth set to 65000 seconds (19 hours roughly). I know that any change in wired authorization profiles I make will be everywhere within 19 hours. If you shut off reauth you either have to go out and manually do "clear auth sessions" or wait for people to disconnect/reconnect.
Now in your case with 2FA you probably don't have a choice.
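As an added illustration (not from the thread and not Cisco-supplied configuration), here is the switch-side view of the two choices Paul contrasts: reauthentication driven by the ISE session timer, versus reauthentication off with periodic accounting updates and a manual session clear. The interface names, the MAC address and the IP address are assumptions; the 65000-second timer and the 2880-minute accounting interval are the values quoted in the thread.

```cisco
! Added example, not from the thread. Interface names and the MAC address are assumptions.

! --- Option A: reauthentication driven by ISE (Paul's approach) ---
! The "Reauthentication" timer in the ISE authorization profile is delivered to the switch
! as RADIUS Session-Timeout (here 65000 s) with Termination-Action = RADIUS-Request.
! With "authentication timer reauthenticate server" the switch honours that value and
! re-runs 802.1X/MAB when it expires, so a changed dACL or SGT reaches every
! still-connected endpoint within one timer interval.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 mab

! --- Option B: reauthentication disabled (the 2FA case in the question) ---
! Users are never re-prompted, so a session stays authorized until link-down or reboot.
! Interim accounting updates (2880 minutes = 48 h, the value from the question) keep the
! live session visible on ISE instead of letting it age out while still connected.
aaa accounting update newinfo periodic 2880
interface GigabitEthernet1/0/2
 switchport mode access
 authentication port-control auto
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 no authentication periodic
 dot1x pae authenticator
 mab

! With Option B a changed authorization profile only takes effect once the session is
! cleared by hand or the endpoint reconnects. Scope the clear so only the intended
! port or endpoint is forced to re-authenticate (and, with 2FA, re-prompted):
!   clear authentication sessions interface GigabitEthernet1/0/2
!   clear authentication sessions mac 0011.2233.4455
```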
05-01-2018 09:13 AM
Yes, that is a valid option.

05-01-2018 01:14 PM
Thanks for your input, Paul.
I already discussed this with them.
I also discussed a use case of certs getting revoked.
Thanks,
Utkarsh
