ACS Certificate Renewal

jofische
Cisco Employee

When changing CA and local certificates for users performing EAP authentication, would wireless clients that have existing sessions be forced to re-authenticate, or would their existing sessions continue to persist?

Thanks

Accepted Solutions

kthiruve
Cisco Employee

Certificates are used for authentication and are not a mechanism to re-authenticate or do a change of authorization. In the BYOD use case it is different, and I am assuming this is wireless dot1x.

If you change the client certificates and use EAP-TLS – client authentication, then it depends on the re-authentication timers in the WLC, from ISE if using RADIUS session timeout.

Also, if you use session-resume, the supplicant will resume the same session using the cache. However, if you don't, then it will do a full reauthentication.

Long story short, it is a best practice to force reauthentication if you are concerned about expired certificates etc.

-Krishnan
