42317 Views | 15 Helpful | 9 Replies

ISE: Reauthentication timer

Hi,

I am doing authentication of endpoint devices. The default reauthentication timer on switchports is 3600 seconds. Why is reauthentication needed? Isn't it enough that a device is authenticated only when it connects?

When the reauthentication timer is set to server (authentication timer reauthenticate server), I guess that the server is ISE. Where in ISE do I configure the timer?

Regards,

Philip

9 Replies

Marcin Latosiewicz (Cisco Employee)

Philip,

I'll provide you one of many use-cases of reauthentication, imagine that you authenticate with certificates.

If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authenticated prior to you noticing.

So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time.

That being said we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.

On ISE you can send auth timers from authorization policy

Which method is recommended? Doing reauthentication with switchport configuration or doing reauthentication with ISE authorization policy?

Recommend looking at the best practice guide.
https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

Setting it on ISE allows you to globally control and change it across all your network


@Marcin Latosiewicz wrote:

Philip,

I'll provide you one of many use-cases of reauthentication, imagine that you authenticate with certificates.

If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authenticated prior to you noticing.

So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time.

That being said we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.

On ISE you can send auth timers from authorization policy

Is it really necessary to specify the RADIUS Idle-Timeout value in addition to the reauth timer? Will the RADIUS Idle-Timeout suffice?

Hello,

I will add the same question to this string. Does anyone know if the "Common Tasks" > "Reauthentication Timer" set at 65,534 will also require the "Advanced Attributes Settings" > Radius: Idle-Timeout to also be set at 65,534 seconds for the timed reauth to function?

I have my Reauthentication Timer set at 65,534 and I am having no timed reauthentications take place.

Doesn't sound right to me. Let me research this.

As Jason Kunst pointed out, that is not expected behavior if the value is input without the comma, i.e. 65534.

Please check the RADIUS authentication detailed report and see whether ISE is sending down the specified timer value. If ISE does not, it seems to be an issue in your ISE. If ISE does, then there might be an issue in your NAD using the value; please verify the configuration, see whether the remaining session timeout value is decrementing as expected in "show auth session <> detail", and enable RADIUS debug on the NAD.

Additional information. I am authenticating these devices (printers) via MAB. Will the RADIUS reauthentication timer function while using MAB?

Does this command cause disconnection of endpoints configured for posture? Is it recommended to use with the NAM supplicant?
