Wired MAB Reauthentication / Retries

neteng1 (Level 1)

I have successfully configured wired MAB with redirect to an ISE Self-Registered Guest Portal. Along with the redirect ACL, I also send a 15-second reauthentication timeout. This way the user transitions to full network access quickly after registering a device.

However, I question whether such a low timeout value will be problematic with potentially hundreds of devices at a time that get stuck in the redirect state. Is there a best practice for reauthenticating MAB clients quickly and minimizing re-auth traffic?


5 Replies

balaji.bandi (Hall of Fame)
I question if such a low timeout value will be problematic with potentially hundreds of devices at a time that get stuck in redirect state.

This is where we design the system based on the device, so ISE can handle all this stuff. Ignoring best practice and security practice may have different side effects from a security and access point of view - this is my personal suggestion.

There is a best practice guide posted by Cisco:

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html

There is a good presentation to help you:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3416.pdf

BB

(Accepted Solution)

@neteng1 if you are doing wired guest, the user will stay in the redirection state until they've registered/authenticated to the guest portal. No need for a 15-sec reauthentication timer: once the user has successfully registered/authenticated in the guest portal, a Change of Authorisation (CoA) would be initiated and the user would be re-authorised again, this time against a different authorisation rule.

Thank you. I think I have a problem with my CoA. I see the following error in the live logs. I'll have to troubleshoot.

Event 5417 Dynamic Authorization failed
Failure Reason 11213 No response received from Network Access Device after sending a Dynamic Authorization request

@neteng1 check your switch config and ensure the following is configured.

aaa server radius dynamic-author
 client <ise psn 1> server-key <shared secret>
 client <ise psn 2> server-key <shared secret>
 

I did have that config entered. I found out my problem was an F5 rule, working as expected now. Thanks for your help.
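To make the CoA step in the accepted answer concrete, here is an added example (not from this thread, and not Cisco's or ISE's code) in Python that builds the RADIUS CoA-Request an authorisation server sends to the switch after a successful guest registration, and the check the switch performs before it answers. Per RFC 5176 the switch recomputes the Request Authenticator with its own copy of the shared secret and silently discards the packet if it does not match, so a wrong `server-key`, a packet that never reaches the switch (the F5 rule above), and a firewall dropping the dynamic-author port all look identical from ISE's side: failure 11213, no response. The shared secret, MAC address, session ID and identifier are constructed sample values, and the choice of `subscriber:command=reauthenticate` as the Cisco AVPair is this example's assumption, not something the thread states ISE sends.

```python
"""Build and verify RADIUS Change-of-Authorization (CoA) packets per RFC 5176.

Added example, not code from the thread, ISE or Cisco IOS. Every value below
(secret, MAC, session ID, identifier) is a constructed sample.
"""
import hashlib
import struct

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Encode a Cisco AVPair as a Vendor-Specific attribute (type 26, vendor 9, sub-type 1)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_coa_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """CoA-Request (code 43). Request Authenticator = MD5(Code + ID + Length +
    16 zero octets + Attributes + shared secret), as RFC 5176 section 3 specifies."""
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    authenticator = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_request(packet: bytes, secret: bytes) -> bool:
    """What the switch (NAD) does on receipt: recompute the Request Authenticator with
    its own server-key. On mismatch the packet is silently discarded; no CoA-NAK goes
    back, which the server then logs as 'no response received'."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def build_coa_response(request: bytes, ack: bool, secret: bytes, attributes: bytes = b"") -> bytes:
    """CoA-ACK (44) or CoA-NAK (45). Response Authenticator = MD5(Code + ID + Length +
    RequestAuthenticator + Attributes + shared secret)."""
    code = COA_ACK if ack else COA_NAK
    header = struct.pack("!BBH", code, request[1], 20 + len(attributes))
    authenticator = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + authenticator + attributes


def verify_coa_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Server side: accept an ACK/NAK only if it is bound to the outstanding request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, _identifier, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK) or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def reauthenticate_request(mac: str, session_id: str, identifier: int, secret: bytes) -> bytes:
    """CoA-Request asking the switch to reauthenticate one MAB session. The attribute
    set is this example's assumption (Calling-Station-Id, Acct-Session-Id and a
    subscriber:command=reauthenticate AVPair), not a claim about what ISE sends."""
    attributes = (
        attr(ATTR_CALLING_STATION_ID, mac.encode())
        + attr(ATTR_ACCT_SESSION_ID, session_id.encode())
        + cisco_avpair("subscriber:command=reauthenticate")
    )
    return build_coa_request(identifier, attributes, secret)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # constructed sample, not a real key
    req = reauthenticate_request("00-11-22-33-44-55", "0000001A", 7, secret)
    print("switch accepts with matching server-key:", verify_coa_request(req, secret))
    print("switch accepts with wrong server-key:   ", verify_coa_request(req, b"wrong"))
    ack = build_coa_response(req, True, secret)
    print("server accepts the switch's CoA-ACK:    ", verify_coa_response(req, ack, secret))
```

Run it with `python3` and the three lines print True, False, True. On a real network the request travels as UDP to the switch's dynamic-author listener (port 1700 by default on IOS), so anything between the PSN and the switch that drops or rewrites that datagram, a load balancer rule included, produces the same 11213 failure as a mismatched `server-key`; the authenticator check is why the switch gives no error back in either case.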