02-26-2016 12:28 PM - edited 07-05-2021 04:41 AM
By default the session timeout for the SSIDs is enabled with a 1800 sec timeout. Why should I make the clients reauthenticate since they already authenticated successfully, especially if the authentication is via certificates?
This reauthentication introduces some disruption of the connection, right? And some sensitive applications can suffer?
02-26-2016 05:02 PM
Hello
This feature has a main function, and that's to rekey the PMK keys. Yes, this is disruptive. A deauthentication is sent to the client every 30 mins.
02-28-2016 07:43 AM
Which value you should configure as session timeout really depends on the balance between security, RADIUS server and controller performance, and also user friendliness within your company. For example, the 5508 controller can "only" handle up to 7000 sessions (connected devices), which in some environments can be easily reached with a high session timeout. From a security perspective it can be undesirable that a user can still use the wireless infrastructure for the whole day while the user account has already been disabled.
The session timeout can be configured in a range from "0" - "86400" seconds. The "0" means disable the session timeout but this only works for networks without any WPA configuration. If you configure "0" in conjunction with any WPA configuration "86400" will be used instead.
There is also a user idle timeout value which acts as a "cleaning" feature within the session timeout. So if you have a session timeout of 8 hours and a user idle timeout of 2 hours, the session will still be removed after 2 hours of inactivity. Also, endpoints can "decide" to do a full re-authentication on every roam, basically making all of these timers somewhat less useful :-)
Please rate useful posts... :-)
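The timer interaction described in the replies above, as an added example that is not part of the original thread: a simplified Python model that computes when a client loses access for a given session timeout and user idle timeout. The function names, the constructed activity trace, and the assumption that a reauthentication is denied once the account has been disabled are all assumptions of this example, not controller behaviour taken from documentation.

```python
MAX_SESSION_TIMEOUT = 86400  # upper end of the range given in the thread

def effective_session_timeout(configured, wpa_enabled):
    """Rule from the thread: 0 disables the timer only without WPA;
    with WPA configured, 86400 is used instead. None means 'no timer'."""
    if not 0 <= configured <= MAX_SESSION_TIMEOUT:
        raise ValueError("session timeout must be within 0-86400 seconds")
    if configured == 0:
        return MAX_SESSION_TIMEOUT if wpa_enabled else None
    return configured

def access_end(activity, disabled_at, session_timeout, idle_timeout,
               wpa_enabled=True):
    """Return (time, reason) at which the client loses its session.

    activity: sorted timestamps in seconds of client traffic; activity[0]
    is the initial authentication. Assumption: a reauthentication succeeds
    before disabled_at and is denied from disabled_at onwards.
    """
    timeout = effective_session_timeout(session_timeout, wpa_enabled)
    auth_time = last_seen = activity[0]
    pending = list(activity[1:])
    while True:
        next_reauth = auth_time + timeout if timeout is not None else float("inf")
        idle_expiry = last_seen + idle_timeout
        next_traffic = pending[0] if pending else float("inf")
        if next_traffic <= min(next_reauth, idle_expiry):
            last_seen = pending.pop(0)        # traffic resets the idle timer
        elif next_reauth <= idle_expiry:
            if next_reauth >= disabled_at:
                return next_reauth, "reauth-denied"
            auth_time = next_reauth           # reauth OK, session timer restarts
        else:
            return idle_expiry, "idle-removed"

# Constructed trace: traffic every 10 minutes for 8 hours, then silence.
TRACE = list(range(0, 28801, 600))
DISABLED_AT = 3700  # constructed: account disabled ~1 hour after logon

if __name__ == "__main__":
    for st in (1800, 28800, 0):
        end, reason = access_end(TRACE, DISABLED_AT, st, idle_timeout=7200)
        print(f"session-timeout={st:>5}: access ends at {end}s ({reason}), "
              f"{end - DISABLED_AT}s after the account was disabled")
```
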