ISE: Reauthentication timer

Hi,

I am doing authentication of endpoint devices. The default reauthentication timer on switchports are 3600 seconds. Why is reauthentication needed? Isn't it enough that a device is authenticated when it connects only?

When the reauthentication timer is set to server (authentication timer reauthenticate server), I guess that the server is ISE. Where in ISE do I configure the timer?

Regards,

Philip

8 Replies (3 accepted solutions)
Cisco Employee

ISE: Reauthentication timer

Philip,

I'll provide you one of many use-cases of reauthentication, imagine that you authenticate with certificates.

If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authenticated prior to you noticing.

So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time.

That being said we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.

On ISE you can send auth timers from the authorization policy.

Beginner

Re: ISE: Reauthentication timer

Which method is recommended? Doing reauthentication with switchport configuration or doing reauthentication with ise authorization policy?

Cisco Employee

Re: ISE: Reauthentication timer

Recommend looking at the best practice guide.
https://community.cisco.com/t5/security-documents/cisco-ise-wired-access-deployment-guide/ta-p/3641515

Setting it on ISE allows you to globally control and change it across all your network.
Cisco Employee

Re: ISE: Reauthentication timer

@Marcin Latosiewicz wrote:

Philip,

I'll provide you one of many use-cases of reauthentication, imagine that you authenticate with certificates.

If the certificate became invalid (expired/device stolen) you cannot kick a user off the network if it authenticated prior to you noticing.

So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time.

That being said we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.

On ISE you can send auth timers from the authorization policy.

Is it really necessary to specify the RADIUS Idle-Timeout value in addition to the reauth timer? Will the RADIUS Idle-Timeout suffice?

Beginner

Re: ISE: Reauthentication timer

Hello,

I will add the same question to this string. Does anyone know if the "Common Tasks" > "Reauthentication Timer" set at 65,534 will also require the "Advanced Attributes Settings" > Radius: Idle-Timeout to also be set at 65,534 seconds for the timed reauth to function?

I have my Reauthentication Timer set at 65,534 and I am having no timed reauthentications take place.

Cisco Employee

Re: ISE: Reauthentication timer

Doesn't sound right to me. Let me research this.
Cisco Employee

Re: ISE: Reauthentication timer

As Jason Kunst pointed out, that is not expected behavior if the value is input without the comma, i.e. 65534.

Please check the RADIUS authentication detailed report and see whether ISE is sending down the specified timer value. If ISE does not, it seems to be an issue in your ISE. If ISE does, then there might be an issue in your NAD using the value; please verify the configuration, see whether the remaining session timeout value is decrementing as expected in "show auth session <> detail", and enable RADIUS debug on the NAD.
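The check suggested in the reply above (confirm whether the timer value actually reaches the NAD) can be made against the Access-Accept itself. The following is an added example, not code from this thread, from Cisco or from ISE: it builds a constructed Access-Accept carrying the RFC 2865 attributes that govern session lifetime (Session-Timeout 27, Idle-Timeout 28, Termination-Action 29), verifies the Response Authenticator so a corrupted or spoofed reply is not trusted, parses the attribute TLVs defensively, and reports what the reply asks the NAD to do. The shared secret, packet identifier and Request Authenticator are made-up sample values. It also goes one step beyond the thread's question about Idle-Timeout: per RFC 2865 that attribute is an inactivity timer and is reported separately, because it does not drive periodic reauthentication the way Session-Timeout with Termination-Action = RADIUS-Request does.

```python
import hashlib
import hmac
import struct

# RFC 2865 attribute numbers that govern session lifetime (standard values).
SESSION_TIMEOUT = 27     # seconds after which the NAD must reauthenticate or terminate
IDLE_TIMEOUT = 28        # seconds of inactivity after which the session is dropped
TERMINATION_ACTION = 29  # 0 = Default (terminate), 1 = RADIUS-Request (reauthenticate)
ACCESS_ACCEPT = 2


def int_attr(attr_type, value):
    """Encode a 4-byte integer attribute as Type / Length / Value (length is always 6)."""
    return struct.pack("!BBI", attr_type, 6, value)


def build_access_accept(identifier, request_authenticator, attrs, secret):
    """Build an Access-Accept whose Response Authenticator follows RFC 2865:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def response_authenticator_ok(packet, request_authenticator, secret):
    """Recompute the Response Authenticator; reject replies that were altered in transit."""
    header, got, body = packet[:4], packet[4:20], packet[20:]
    want = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(got, want)


def parse_attributes(packet):
    """Return (code, {attribute type: raw value}); raise on malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match the packet size")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, attrs


def _as_int(raw):
    """Decode a 4-byte integer attribute value, or None when absent/odd-sized."""
    return struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else None


def session_timer_verdict(attrs):
    """Describe what the accepted attributes ask the NAD to do with the session."""
    session = _as_int(attrs.get(SESSION_TIMEOUT))
    idle = _as_int(attrs.get(IDLE_TIMEOUT))
    action = _as_int(attrs.get(TERMINATION_ACTION))
    if session is None:
        verdict = "no Session-Timeout sent: no server-driven reauthentication timer"
    elif action == 1:
        verdict = f"reauthenticate every {session} s (Termination-Action = RADIUS-Request)"
    else:
        verdict = f"terminate the session after {session} s (Termination-Action = Default)"
    return {"session_timeout": session, "idle_timeout": idle,
            "termination_action": action, "verdict": verdict}


def check_reply(packet, request_authenticator, secret):
    """Full check: integrity first, then parse, then interpret the timers."""
    if not response_authenticator_ok(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch: reply not trusted")
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    return session_timer_verdict(attrs)


# Constructed sample values (not from any real deployment).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQ_AUTH = bytes(range(16))

if __name__ == "__main__":
    reauth = build_access_accept(7, SAMPLE_REQ_AUTH,
                                 [int_attr(SESSION_TIMEOUT, 65534),
                                  int_attr(TERMINATION_ACTION, 1)], SAMPLE_SECRET)
    idle_only = build_access_accept(8, SAMPLE_REQ_AUTH,
                                    [int_attr(IDLE_TIMEOUT, 65534)], SAMPLE_SECRET)
    print(check_reply(reauth, SAMPLE_REQ_AUTH, SAMPLE_SECRET)["verdict"])
    print(check_reply(idle_only, SAMPLE_REQ_AUTH, SAMPLE_SECRET)["verdict"])
```

If the verdict reports the expected Session-Timeout and RADIUS-Request action, the server side is doing its part and the remaining question is whether the NAD honours it (the "show auth session <> detail" countdown mentioned above); if Session-Timeout is missing while only Idle-Timeout is present, the reply contains no periodic reauthentication at all.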

Beginner

Re: ISE: Reauthentication timer

Additional information. I am authenticating these devices (printers) via MAB. Will the RADIUS reauthentication timer function while using MAB?