Is there a way to randomise the time for the reauthentication for ISE clients? When we select "Reauthentication" in the authorization profile it asks me an exact time in seconds to do the reauthentication. If possible, I would like to enter a range of time with min and max values, and ISE can select a random time from that range for each client.
My aim is to distribute the load on ISE to a wide range of time. Currently, in the morning all of the clients are logging in approximately in half an hour then after the reauthentication time same thing goes on again in half an hour. It would be great to widen this time to an hour or a couple of hours.
Recommended reauth / session timeout value is 2 hours. To Jason's point, you typically do not need to reauth very often. Idle timeouts are typically used to detect cases where user no longer present, especially if clients not directly connecting to switchport. If directly connected, then typically no reason to reauth until disconnect and reconnect, and this happens automatically. You may want to compromise and set reauth to 1/day with RADIUS Accounting updates being sent every 2-3 days to keep session status updated in ISE.