12-22-2014 09:14 AM - edited 03-10-2019 10:17 PM
I need to force re-authentication of approximately 300 devices. Is there an easy way to force specific devices to reauthenticate using ISE. Is there an ISE CLI command, etc.?
I was manually going to lookup the device in ISE to see which switch and port the device is located on. Then I was going to sign onto the switch and manually re-authenticate the device.
I cannot use Live Authentications and CoA because the devices have not authenticated in the last 24 hours.
Thanks for any help with this question.
Thanks,
Alex
12-22-2014 04:21 PM
If you know the specific devices, either by the way they authenticate or by an authz rule, you can have the switch/WLC do the re-auth by adjusting the timers in your ISE authz result. This way you can specify re-authentication dynamically from ISE.
12-22-2014 04:23 PM
If I adjust the authorization reauthentication timer, it will cause all the devices to reauthenticate?
12-22-2014 04:23 PM
In results in ISE?
12-22-2014 09:49 PM
Yes, what Jan suggested will do the trick (+5 from me). And yes, he is referring to the re-auth timer located in the "authorization profile" in ISE. Any endpoints that get that "authorization profile" will then inherit the re-auth timer as well. Thus, if you want different devices to have different re-auth timers, you can create multiple authorization rules and multiple authorization profiles.
Thank you for rating helpful posts!
12-22-2014 10:48 PM
One last question:
If the devices currently do not have a reauth timer set, will setting the reauth timer to 3600 seconds cause all of those devices using that authorization profile to reauthenticate right away, and then start authenticating every 3600 seconds after that? Or will they acquire those settings over time and then start to periodically authenticate after acquiring those settings?
Thanks,
Alex
12-22-2014 10:52 PM
Even more specifically, the devices are already set up on the network and using ISE, but have never been required to reauthenticate. So I need a way to force them to reauthenticate easily.
Thanks,
Alex
12-22-2014 11:36 PM
The re-auth timer is going to be applied via the "authorization profile" as a RADIUS attribute. Thus, I believe any existing sessions will not get the attribute until they are manually re-authenticated (via a port bounce or authentication session reset). Thus, I believe you need to do the following:
1. Create the authorization profile with the appropriate re-auth timer
2. Apply the authorization profile to the appropriate authorization rule
3. Add the following command on your switchports:
authentication timer reauthenticate server
4. Manually reset the existing sessions via one of the following:
   a. shut / no shut the ports
   b. Issue "clear authentication session interface interface_name_number"
Thank you for rating helpful posts!
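Steps 3 and 4 of the procedure above have to be repeated on every switchport that carries one of the 300 endpoints, and the order matters: the interface must be told to honor the server-supplied timer before its session is reset, otherwise the fresh session still ignores the Session-Timeout that the new authorization profile sends. The script below is an added example, not code from the thread or from Cisco; it takes an endpoint list of the kind the original poster was going to look up by hand (MAC, NAS IP, NAS port) and emits one command batch per switch. The CSV column names `mac`, `nas_ip_address` and `nas_port_id` are an assumption about your export format, and the sample rows are constructed. The two IOS commands it emits are the ones from the post above; the regex for interface names only covers the common Ethernet prefixes and is also an assumption. Endpoints with no switchport (for example wireless clients, which the switchport method cannot reach) are reported rather than silently dropped, and an interface that hosts several endpoints is cleared once, since the `clear` command resets every session on the port.

```python
"""Build per-switch IOS command batches that (1) make each affected interface
follow the RADIUS-supplied re-auth timer and (2) reset the existing session so
the endpoint re-authenticates and picks up the new ISE authorization profile.

Added example, not from the original thread.  CSV layout (mac,
nas_ip_address, nas_port_id) is an assumption about your ISE export.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample: IP phone + PC behind one port, one endpoint listed twice
# with different MAC notation, and one wireless endpoint with no switchport.
SAMPLE_CSV = """mac,nas_ip_address,nas_port_id
00:11:22:33:44:55,10.1.1.1,GigabitEthernet1/0/10
0011.2233.4466,10.1.1.1,GigabitEthernet1/0/10
AA-BB-CC-DD-EE-FF,10.1.1.2,Gi1/0/3
aa:bb:cc:dd:ee:ff,10.1.1.2,Gi1/0/3
00:DE:AD:BE:EF:01,10.1.1.9,
"""

# Assumption: only Ethernet switchports are valid targets for the procedure.
IFACE_RE = re.compile(
    r"^(?:GigabitEthernet|Gi|TenGigabitEthernet|Te|FastEthernet|Fa)\d+(?:/\d+)*$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 0011.2233.4455 or 00-11-22-33-44-55 forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_endpoints(text):
    """Return ({switch_ip: {interface: {macs}}}, [(mac, switch_ip, port)] skipped).

    Rows whose NAS port is not a switchport cannot be reset this way and are
    returned separately so the operator can handle them (e.g. via the WLC).
    """
    by_switch = defaultdict(lambda: defaultdict(set))
    skipped = []
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        port = (row.get("nas_port_id") or "").strip()
        if not IFACE_RE.match(port):
            skipped.append((mac, row["nas_ip_address"], port))
            continue
        by_switch[row["nas_ip_address"]][port].add(mac)
    return by_switch, skipped


def build_commands(by_switch, bounce=False):
    """Per switch: configure the timer first, then reset each interface once.

    bounce=False uses 'clear authentication session interface', bounce=True
    uses shut / no shut (the two options given in the post).
    """
    batches = {}
    for switch, ports in sorted(by_switch.items()):
        lines = ["configure terminal"]
        for port in sorted(ports):
            lines += [f"interface {port}",
                      " authentication timer reauthenticate server",
                      " exit"]
        lines.append("end")
        for port in sorted(ports):
            if bounce:
                lines += ["configure terminal", f"interface {port}",
                          " shutdown", " no shutdown", " exit", "end"]
            else:
                lines.append(f"clear authentication session interface {port}")
        batches[switch] = lines
    return batches


if __name__ == "__main__":
    switches, skipped = parse_endpoints(SAMPLE_CSV)
    for switch, lines in build_commands(switches).items():
        print(f"### {switch}")
        print("\n".join(lines))
    for mac, switch, port in skipped:
        print(f"# not a switchport, handle separately: {mac} on {switch} port {port!r}")
```

Run it against your own export and paste each batch into the matching switch (or feed it to whatever you already use for bulk CLI pushes). The `clear` variant is the less disruptive of the two since it does not drop link; the port bounce is there for switches where the auth-manager session cannot be cleared cleanly.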