ISE Fast Reconnect

Dan Davis
Cisco Employee

Hi,

I have a Cisco AnyConnect NAM client being used on Win7. We are using 802.1x/EAP with Cisco WLC/APs.

Since Jabber will also be used we need to have a key caching protocol so we don't do a full authentication to ISE on every AP to AP roam. AnyConnect NAM does not support such a protocol.

Would fast reconnect work as an alternative to a key caching protocol such as 802.11r?

Will the roam time from AP to AP be below 150ms to assure a good voice over Wi-Fi call?

If yes, then is this supported across all PSNs?

Is there a timer that would force a full authentication at some point?

Can we expect the same with PEAP or TLS?

I have reviewed BRKSEC-3699-cl17 - Cisco Live. Slide 50/51.

Accepted Solutions

hslai
Cisco Employee

Fast Reconnect is part of EAP protocols and Microsoft MSDN 5.1.1 Fast Reconnect shows it allows sessions to be resumed without completing a full authentication. Prevent Large-Scale Wireless RADIUS Network Melt Downs > Best Practice Tuning also advises that it is a good practice to enable it.


However, this is not a substitute for any of the key caching mechanisms offered by our wireless team, such as those explained in 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN - Cisco. The wireless controller needs to consult with ISE to verify the client authentications when using EAP fast reconnect solely. Thus, video or voice applications might have some impact. Please consult with our wireless support team on timing measurements.


ISE 2.2 introduces stateless session resumption for EAP-TLS so that a session ticket issued by one node is accepted by another in the same deployment. The regular session resumes in PEAP and EAP-TLS require the session state to be stored on the server, so they are not usable on another node.


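The difference between server-side (stateful) resumption and ticket-based (stateless) resumption described in the answer above can be modelled in a few lines. This is an added example, not code from the post or from Cisco, and it does not reproduce how ISE implements the feature. The `Node` class, the one-hour lifetime, and the HMAC-only ticket format are assumptions made for illustration (real TLS session tickets are also encrypted).

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 3600  # assumed lifetime in seconds; not a value from the post


class Node:
    """Toy authentication node standing in for one policy node (hypothetical)."""

    def __init__(self, ticket_key):
        self.ticket_key = ticket_key  # deployment-wide key (stateless model)
        self.cache = {}               # per-node session state (stateful model)

    def _tag(self, body):
        return hmac.new(self.ticket_key, body.encode(), hashlib.sha256).hexdigest()

    def full_auth(self, user):
        """Full handshake: returns (session_id, ticket) for later resumption."""
        session_id = os.urandom(16).hex()
        self.cache[session_id] = user  # stateful: remembered on this node only
        body = json.dumps({"user": user, "exp": time.time() + TICKET_LIFETIME})
        return session_id, body + "." + self._tag(body)  # state travels with client

    def resume_stateful(self, session_id):
        """Succeeds only on the node that holds the cached session."""
        return self.cache.get(session_id)

    def resume_stateless(self, ticket, now=None):
        """Succeeds on any node sharing the ticket key, until the ticket expires."""
        body, _, tag = ticket.rpartition(".")
        if not hmac.compare_digest(tag.encode(), self._tag(body).encode()):
            return None  # altered, or issued under a different key
        now = time.time() if now is None else now
        if now > json.loads(body)["exp"]:
            return None  # expired: the client falls back to full authentication
        return json.loads(body)["user"]


def demo():
    key = os.urandom(32)  # constructed key shared by both nodes
    psn1, psn2 = Node(key), Node(key)
    sid, ticket = psn1.full_auth("alice")  # constructed user name
    # (same node, stateful) / (other node, stateful) / (other node, stateless)
    return psn1.resume_stateful(sid), psn2.resume_stateful(sid), psn2.resume_stateless(ticket)
```

In this model the cached session is useless after the client lands on a second node, while the ticket is accepted by any node holding the same key and is rejected once altered or expired.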