11-18-2019 05:19 PM
Hi everyone, for a new deployment, what is the ideal idle timeout and session timeout for Cisco ISE with a posture deployment?
Labels: Identity Services Engine (ISE)
Accepted Solutions
11-19-2019 07:23 AM
Personally, I prefer to have a consistent switchport config across all ports and switches, because over time docking stations can move, some people may change the port to match another port during troubleshooting, etc. It is too hard to keep track of which ports have docking stations and then to ensure that the configurations aren't changed over time. So for the idle timeout, I would recommend configuring the port to use the server setting from ISE. In ISE, apply it within your PC/workstation authorization profile and push it down from ISE. That way it will only apply to ports that could possibly have a docking station.
For session timeout/reauthentication, I think 8 hours is fine, or even 12 hours. That will ensure that a machine that stays online will be authenticated at least once every 24 hours, so it will always show up in the Live Logs and reports.
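The accepted answer's approach (timers left to the server on every port, values pushed from the workstation authorization profile) written out as an added example; this is not configuration from the thread. It assumes classic IOS (IBNS 1.0) interface syntax, a placeholder ISE profile name Workstation_Access, and timer values chosen to match the 8-hour suggestion; the verification output is abbreviated and its exact layout varies by IOS release.

```cisco
! Access-port template: identical on every port, timer values are NOT set
! locally. The switch takes them from the RADIUS attributes ISE returns,
! so a port only gets an idle timeout when the endpoint's authorization
! profile carries one (e.g. a workstation profile covering docked laptops).
interface GigabitEthernet1/0/10
 description Access port (same template on all ports)
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-domain
 authentication port-control auto
 ! Periodic re-authentication, interval taken from RADIUS Session-Timeout (27)
 authentication periodic
 authentication timer reauthenticate server
 ! Inactivity timer taken from RADIUS Idle-Timeout (28); no inactivity
 ! timer runs if ISE returns no Idle-Timeout for this session
 authentication timer inactivity server
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! ISE side (placeholder profile name "Workstation_Access", values assumed):
! Policy > Policy Elements > Results > Authorization > Authorization Profiles
!   Common Tasks > Reauthentication:
!     Timer = 28800                      (8 h, as suggested in the thread)
!     Maintain Connectivity During Reauthentication = RADIUS-Request
!       -> sent as Termination-Action (29) = RADIUS-Request, so the session
!          is re-authenticated in place instead of being torn down first
!   Advanced Attributes Settings:
!     Radius:Idle-Timeout = 600          (assumed; only matters on ports
!                                        where a dock keeps link state up)
!
! Verification on the switch: "(server)" confirms the timer came from ISE.
! Sessions whose profile omits Idle-Timeout show no server idle timer.
! Switch# show authentication sessions interface GigabitEthernet1/0/10 details
!   ...
!   Session timeout:  28800s (server), Remaining: 27950s
!   Timeout action:   Reauthenticate
!   Idle timeout:     600s (server), Remaining: 540s
```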
11-18-2019 06:54 PM
Neither is recommended for every deployment. Periodic reauthentication and/or idle timeout are not necessary in most environments where devices are directly connected to the switchports and not behind some hub, docking station, or transceiver that keeps the link state up on the switch. So the answer is to use it only when you have to because of the environmental situation. Some compliance programs like within the DoD require reauthentication every 60 minutes, and I can imagine that other programs reuse the DoD requirements. So it really comes down to your environment and how tight security wants to be. It's a tradeoff. You make it tougher for the attacker at the detriment of ISE scalability, because of the additional authentication traffic hitting ISE.
11-18-2019 09:03 PM
In my environment some laptops are behind docking stations. Can I say I had better only apply the idle timeout at the port level on those docking-station ports, and otherwise remove the idle timeout from ISE?
For the session timeout, maybe every 8 hours seems OK.
