Contributor

Reauthenticate 300 devices

I need to force re-authentication of approximately 300 devices. Is there an easy way to force specific devices to reauthenticate using ISE.  Is there an ISE CLI command, etc.?

I was manually going to lookup the device in ISE to see which switch and port the device is located on.  Then I was going to sign onto the switch and manually re-authenticate the device.

I cannot use authentication live authentications and CoA because the devices have not authenticated in the last 24 hours.

Thanks for any help with this question.

Thanks,

Alex

7 Replies
Rising star

If you know the specific devices, either by the way they authenticate, or by an authz rule, you can have the switch/WLC do the re-auth by adjusting the timers in your ISE authz result. This way you can specify re-authentication dynamically from ISE.

Contributor

If I adjust the authorization reauthentication timer, it will cause all the devices to reauthenticate?

Contributor

In results in ISE?

Cisco Employee

Yes what Jan suggested will do the trick (+5 from me). And yes, he is referring to the re-auth timer located in the "authorization profile" in ISE. Any endpoints that get that "authorization profile" will then inherit the re-auth timer as well. Thus, if you want different devices to have different re-auth timer then you can create multiple authorization rules and multiple authorization profiles. 

 

Thank you for rating helpful posts!

Contributor

One last question:

If the devices currently do not have a reauth timer set, will setting the reauth timer to 3600 seconds cause all of those devices using that authorization profile to reauthenticate right away, and then start authenticating every 3600 seconds after that? Or, will they acquire those settings over time and then start to periodically authenticate after acquiring those settings?

Thanks,

Alex

Contributor

Even more specifically, the devices are already set up on the network and using ISE, but have never been required to reauthenticate. So I need a way to force them to reauthenticate easily.

Thanks,

Alex

Cisco Employee

The re-auth timer is going to be applied via the "authorization profile" as a RADIUS attribute. Thus, I believe any existing sessions will not get the attribute until they are manually re-authenticated (via a port bounce or authentication session reset). Thus, I believe you need to do the following:

1. Create the authorization profile with the appropriate re-auth timer.

2. Apply the authorization profile to the appropriate authorization rule.

3. Add the following command on your switchports:

   authentication timer reauthenticate server

4. Manually reset the existing sessions via one of the following:

   a. shut / no shut the ports

   b. Issue "clear authentication session interface interface_name_number"

 

Thank you for rating helpful posts!
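Steps 3 and 4 above have to be repeated on every port that one of the ~300 endpoints sits on, so the switch-side part of the procedure is worth scripting. The following is an added example (not code from this thread or from Cisco): it takes the switch/port pairs you would get from looking each endpoint up in ISE, de-duplicates ports that carry more than one endpoint, and emits one command batch per switch that first enables the server-supplied reauth timer and then clears the existing sessions. The endpoint list, switch names and interface names are constructed sample data.

```python
"""Build per-switch IOS command batches for the reauth procedure above:
enable 'authentication timer reauthenticate server' on the affected ports,
then clear the existing sessions so they re-authenticate and receive the
Session-Timeout attribute from the new ISE authorization profile."""
from collections import defaultdict

# Constructed sample of what an ISE endpoint lookup gives you (MAC, switch, port).
# In practice this would come from an ISE endpoint/session export.
ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "switch": "sw-floor1", "port": "GigabitEthernet1/0/1"},
    {"mac": "00:11:22:33:44:02", "switch": "sw-floor1", "port": "GigabitEthernet1/0/1"},
    {"mac": "00:11:22:33:44:03", "switch": "sw-floor1", "port": "GigabitEthernet1/0/7"},
    {"mac": "00:11:22:33:44:04", "switch": "sw-floor2", "port": "GigabitEthernet2/0/3"},
]


def ports_by_switch(endpoints):
    """Map each switch to the sorted, de-duplicated list of ports needing a reset.

    Two endpoints on the same port (e.g. phone + PC) must not produce two clears."""
    groups = defaultdict(set)
    for e in endpoints:
        groups[e["switch"]].add(e["port"])
    return {sw: sorted(ports) for sw, ports in sorted(groups.items())}


def command_batch(ports):
    """Commands for one switch: step 3 in config mode, then step 4 in exec mode.

    The timer command makes the port honour the Session-Timeout returned by ISE
    instead of a locally configured value; clearing the session forces a fresh
    authentication, which is when that attribute actually reaches the port."""
    cmds = ["configure terminal"]
    for p in ports:
        cmds += [f"interface {p}", " authentication timer reauthenticate server"]
    cmds.append("end")
    for p in ports:
        cmds.append(f"clear authentication session interface {p}")
    return cmds


def build_batches(endpoints):
    """Return {switch: [commands]} for every switch that hosts an affected endpoint."""
    return {sw: command_batch(ports) for sw, ports in ports_by_switch(endpoints).items()}


if __name__ == "__main__":
    for sw, cmds in build_batches(ENDPOINTS).items():
        print(f"! ---- {sw} ----")
        print("\n".join(cmds))
```

Review the generated batches before pasting them: clearing a session drops the endpoint briefly, so schedule it per switch rather than all at once.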