04-06-2020 12:58 PM
Hi. We are having some problems with the ARP probe not working to reset the inactivity timer after upgrading some switches to 16.9.4. For some "quiet" devices, the session is dropping as soon as the inactivity timer (idle timeout) expires; it looks like the probe is not working at all.
I'm working through this issue with Cisco but it's taking time. Meanwhile the easiest workaround is to disable the inactivity-timer.
What do I lose from a security standpoint if I disable the inactivity-timer?
Do I even need the inactivity-timer if all endpoints are directly connected to the NAC-enabled switch, with no intermediate hubs or switches?
Thanks for any clues.
Labels: Other NAC
Accepted Solutions
04-06-2020 01:26 PM
The benefit of the inactivity timer is to ensure that a port is not left open when no device is there sending traffic. 802.1x sessions won't close if the link-state stays up. So there is a risk of someone using a powered hub or transceiver to keep the link-state up while they authenticate with a good machine and then swap it out with a rogue device that is spoofing the MAC address. You can't really guarantee that those devices are not in use and you really cannot detect them. So it is a good idea to have the inactivity timer there if your organization requires greater levels of security and they believe that rogue devices could potentially access sensitive resources. As with all security controls, it is a balance of protection and usability. Maybe a session timeout of every 12 hours is enough and you don't need the inactivity timer. It is a policy decision that your organization will have to make based on the risk.
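To make the trade-off in the accepted answer concrete, here is a small simulation of an access port's session timers. It is an added example written for this page, not code from the thread or from Cisco; it assumes a toy port model (integer seconds, a link that stays up behind a powered hub unless link_down() is called, an ARP probe that only a responding endpoint with the authorized MAC can answer, and periodic reauthentication that needs credentials for 802.1X but only the MAC for MAB) and constructed MAC addresses. It shows the original poster's symptom (a quiet device dropped at idle expiry when the probe is not in play), the MAC-swap behind a hub that the answer describes, and why the inactivity timer only helps when the swap takes longer than the idle timeout.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Endpoint:
    mac: str                         # constructed MAC, e.g. "00:11:22:33:44:55"
    has_credentials: bool = False    # can it pass an EAP (802.1X) reauthentication?
    answers_arp: bool = True         # does it reply to the switch's ARP probe?


class Port:
    """Toy model of one 802.1X/MAB-controlled access port (assumption, not Cisco code).

    Knobs mirror the thread: inactivity timer (idle seconds, None = disabled),
    ARP probe before idle expiry, and a periodic reauthentication interval.
    The link is assumed to stay up (hub/transceiver) unless link_down() is called.
    """

    def __init__(self, inactivity=None, probe=False, reauth=None, method="dot1x"):
        self.inactivity = inactivity
        self.probe = probe
        self.reauth = reauth
        self.method = method                     # "dot1x" or "mab"
        self.attached: Optional[Endpoint] = None  # device on the wire, None = unplugged
        self.session: Optional[str] = None        # MAC currently authorized on the port
        self.now = self.last_traffic = self.last_auth = 0
        self.log = []

    def _clear(self, t, why):
        self.log.append((t, f"session {self.session} cleared: {why}"))
        self.session = None

    def advance(self, t):
        """Run the port's timers second by second up to time t."""
        while self.now < t:
            self.now += 1
            s = self.now
            if self.session is None:
                continue
            ep = self.attached
            if self.inactivity is not None and s - self.last_traffic >= self.inactivity:
                # Idle expiry: probe first if enabled, otherwise tear the session down.
                if self.probe and ep and ep.mac == self.session and ep.answers_arp:
                    self.last_traffic = s
                    self.log.append((s, "ARP probe answered, idle timer reset"))
                else:
                    self._clear(s, "inactivity timer expired")
                    continue
            if self.reauth is not None and s - self.last_auth >= self.reauth:
                ok = ep is not None and ep.mac == self.session and \
                    (self.method == "mab" or ep.has_credentials)
                if ok:
                    self.last_auth = s
                    self.log.append((s, "periodic reauth succeeded"))
                else:
                    self._clear(s, "periodic reauth failed")

    def plug(self, t, ep):
        self.advance(t)
        self.attached = ep

    def unplug(self, t):
        self.advance(t)
        self.attached = None          # link stays up: the hub keeps it up

    def link_down(self, t):
        self.advance(t)
        self.attached = None
        if self.session:
            self._clear(t, "link down")

    def authenticate(self, t):
        self.advance(t)
        ep = self.attached
        if ep is None or (self.method == "dot1x" and not ep.has_credentials):
            return False
        self.session = ep.mac
        self.last_auth = self.last_traffic = t
        return True

    def send(self, t):
        """The attached endpoint sends a frame at time t; True if the port forwards it."""
        self.advance(t)
        ep = self.attached
        if ep is None or self.session != ep.mac:
            return False
        self.last_traffic = t
        return True


def quiet_device_survives(probe, idle=300, quiet_for=3600):
    """A device that authenticates and then stays silent: is it still authorized later?"""
    port = Port(inactivity=idle, probe=probe)
    port.plug(0, Endpoint("00:11:22:33:44:55", has_credentials=True))
    port.authenticate(1)
    return port.send(quiet_for)


def mac_swap(port, gap, check_at):
    """Good machine authenticates, is pulled, and a rogue with a cloned MAC is plugged
    in `gap` seconds later behind the same hub. Returns (rogue forwarded immediately,
    rogue forwarded at check_at)."""
    good = Endpoint("00:11:22:33:44:55", has_credentials=True)
    rogue = Endpoint("00:11:22:33:44:55", has_credentials=False)
    port.plug(0, good)
    port.authenticate(1)
    port.send(2)
    port.unplug(10)
    port.plug(10 + gap, rogue)
    return port.send(10 + gap + 1), port.send(check_at)
```

Reading the scenarios: with the probe not answering, a quiet endpoint is cut off at idle expiry, which is the symptom in the question; with the inactivity timer off and only a 12-hour 802.1X reauthentication, a cloned-MAC rogue rides the session until that reauthentication fails, and with MAB it survives the reauthentication as well; with the inactivity timer on, the rogue is blocked only if the swap takes longer than the idle timeout, because once it is on the wire its own traffic (and probe replies) keep the timer fresh.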
