
524 Views, 0 Helpful, 1 Reply
Beginner

How important is the inactivity-timer?

Hi. We are having some problems with the ARP probe not working to reset the inactivity timer after upgrading some switches to 16.9.4. For some "quiet" devices, the session is dropping as soon as the inactivity timer (idle timeout) expires; it looks like the probe is not working at all.

I'm working through this issue with Cisco but it's taking time. Meanwhile the easiest workaround is to disable the inactivity-timer.

What do I lose from a security standpoint if I disable the inactivity-timer?

Do I even need the inactivity-timer if all endpoints are directly connected to the NAC-enabled switch, with no intermediate hubs or switches?

Thanks for any clues.

1 ACCEPTED SOLUTION

Rising star

The benefit of the inactivity timer is to ensure that a port is not left open when no device is there sending traffic.  802.1x sessions won't close if the link-state stays up.  So there is a risk of someone using a powered hub or transceiver to keep the link-state up while they authenticate with a good machine and then swap it out with a rogue device that is spoofing the MAC address.  You can't really guarantee that those devices are not in use and you really cannot detect them.  So it is a good idea to have the inactivity timer there if your organization requires greater levels of security and they believe that rogue devices could potentially access sensitive resources.  As with all security controls, it is a balance of protection and usability.  Maybe a session timeout of every 12 hours is enough and you don't need the inactivity timer.  It is a policy decision that your organization will have to make based on the risk.


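The trade-off the accepted answer describes can be seen side by side in a port configuration. The fragment below is an added illustration, not from the thread and not Cisco's own reference configuration: an IOS-XE (IBNS 2.0 style) access port that keeps the inactivity timer with the ARP probe, and separately enables periodic reauthentication bounded by the Session-Timeout that ISE returns in the authorization profile. The interface name, the 300-second inactivity value and the policy-map name are assumptions; the ARP-probe behaviour on the 16.9.4 build is exactly what the original poster reports as broken.

```text
! Added example (not from the thread). Interface, timer value and
! policy-map name are assumptions.
interface GigabitEthernet1/0/10
 description Access port - directly connected endpoint
 switchport mode access
 access-session port-control auto
 access-session closed
 access-session host-mode multi-auth
 dot1x pae authenticator
 mab
 ! Periodic reauthentication, bounded by the RADIUS Session-Timeout (attr 27)
 ! that ISE returns in the authorization profile. If the inactivity timer is
 ! disabled as a workaround, this is the only remaining bound on how long a
 ! session survives after the authenticated device has gone quiet or changed.
 authentication periodic
 authentication timer reauthenticate server
 ! Inactivity timer: age the session out after 300 s without traffic, but
 ! ARP-probe the endpoint first so a quiet device that still answers is kept.
 ! Removing this line reproduces the workaround discussed in the question.
 subscriber aging inactivity-timer 300 probe
 service-policy type control subscriber DOT1X_MAB_POLICY
```

With the inactivity line present, a port whose link stays up while the endpoint stops responding to ARP is cleared after 300 s; with it removed, the session persists until the Session-Timeout expires, which is the "session timeout of every 12 hours" fallback the answer mentions. The 12-hour value itself would be set on the ISE authorization profile (Reauthentication timer), not on the switch.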