cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6061
Views
1
Helpful
3
Replies

What is the best practice for Cisco ISE idle timeout and session timeout

Freemen
Level 1
Level 1

Hi Everyone, for a new deployment, what is the ideal idle timeout and session timeout for Cisco ISE with posture deployment.

 

1 Accepted Solution

Accepted Solutions

Personally, I prefer to have a consistent switchport config across all ports and switches.  Because over time, docking stations can move, some people may change the port to match another port during troubleshooting, etc.  It is too hard to keep track of which ports have docking stations and then to ensure that the configurations aren't changed over time.  So for the idle-timeout, I would recommend configuring the port to use the server setting from ISE.  In ISE, apply it within your PC/workstation authorization profile and push it down from ISE.  That way it will only apply to ports that could possibly have a docking station.

For session timeout/reauthentication, I think 8 is fine or even 12 hours.  That will ensure that a machine that stays online will be authenticated at least once every 24 hours so it will always show up in the Live Logs and reports.

View solution in original post

3 Replies 3

Colby LeMaire
VIP Alumni
VIP Alumni

Neither is recommended for every deployment.  Periodic reauthentication and/or idle timeout are not necessary in most environments where devices are directly connected to the switchports and not behind some hub, docking station, or transceiver that keeps the link state up on the switch.  So the answer is to use it only when you have to because of the environmental situation.  Some compliance programs like within the DoD require reauthentication every 60 minutes and I can imagine that other programs reuse the DoD requirements.  So it really comes down to your environment and how tight security wants to be.  Its a tradeoff.  You make it tougher for the attacker at the detriment of ISE scalability, because of the additional authentication traffic hitting ISE.

my enviroment some laptop is behind the docking station, can I say I better only apply idle timeout on the port level at those docking station, and other remove the idle timeout from ISE.

 

session timeout, maybe every 8 hour seam ok.

Personally, I prefer to have a consistent switchport config across all ports and switches.  Because over time, docking stations can move, some people may change the port to match another port during troubleshooting, etc.  It is too hard to keep track of which ports have docking stations and then to ensure that the configurations aren't changed over time.  So for the idle-timeout, I would recommend configuring the port to use the server setting from ISE.  In ISE, apply it within your PC/workstation authorization profile and push it down from ISE.  That way it will only apply to ports that could possibly have a docking station.

For session timeout/reauthentication, I think 8 is fine or even 12 hours.  That will ensure that a machine that stays online will be authenticated at least once every 24 hours so it will always show up in the Live Logs and reports.