Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3808
Views
5
Helpful
7
Replies

Reauthenticate 300 devices

Alex Pfeil
Level 7
Level 7

‎12-22-2014 09:14 AM - edited ‎03-10-2019 10:17 PM

I need to force re-authentication of approximately 300 devices. Is there an easy way to force specific devices to reauthenticate using ISE.  Is there an ISE CLI command, etc.?

I was manually going to lookup the device in ISE to see which switch and port the device is located on.  Then I was going to sign onto the switch and manually re-authenticate the device.

I cannot use authentication live authentications and CoA because the devices have not authenticated in the last 24 hours.

Thanks for any help with this question.

Thanks,

Alex

Labels:
0 Helpful
7 Replies 7

jan.nielsen
Level 7
Level 7

‎12-22-2014 04:21 PM

If you know the specific devices, either by the way theu authenticate, or by an authz rule, you can have the switch/wlc do the re-auth by adjusting the timers in your ISE authz result. This way you can specify re-authentication dynamically from ISE

Alex Pfeil
Level 7
Level 7
In response to jan.nielsen

‎12-22-2014 04:23 PM

If I adjust the authorization reauthentication timer, it will cause all the devices to reauthenticate?

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to Alex Pfeil

‎12-22-2014 04:23 PM

In results in ISE?

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Alex Pfeil

‎12-22-2014 09:49 PM

Yes what Jan suggested will do the trick (+5 from me). And yes, he is referring to the re-auth timer located in the "authorization profile" in ISE. Any endpoints that get that "authorization profile" will then inherit the re-auth timer as well. Thus, if you want different devices to have different re-auth timer then you can create multiple authorization rules and multiple authorization profiles. 

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful

Alex Pfeil
Level 7
Level 7
In response to nspasov

‎12-22-2014 10:48 PM

One last question:

If the devices currently do not have a reauth timer set, will setting the reauth timer to 3600 seconds cause all of those devices using that authorization profile to reauthenticate right away, and then they will start authenticating every 3600 seconds after that.  Or, will they acquire those settings over time and then start to periodicaly authenticate after acquiring those settings?

Thanks,

Alex

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to Alex Pfeil

‎12-22-2014 10:52 PM

Even more specifically, the devices are already setup on the network and using ISE, but have never been required to reauthenticate.  So I need a way to force them to reauthenticate easily.

Thanks,

Alex

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to Alex Pfeil

‎12-22-2014 11:36 PM

The re-auth timer is going to be applied via the "authorization profile" as a Radius attribute. Thus, I believe any existing sessions will not get the attribute until they are manually re-authenticated (via a port bounce or authentication session reset). Thus, I believe you need to do the following:

1. Create the authorization profile with the appropriate re-auth timer

2. Apply the authorization profile to the appropriate authorization rule

3. Add the following command on your switchports: 

authentication timer reauthenticate server

4. Manually reset the existing sessions via one of the following:

1. shut / no shut the ports

2. Issue "clear authentication session interface interface_name_number"

 

Thank you for rating helpful posts! 

Thank you for rating helpful posts!
0 Helpful
Customers Also Viewed These Support Documents