WLC / ISE Session extension

niknik
Level 1

I wonder if it is possible to extend a session on the WLC or ISE? On the WLC, I know about Session Timeouts (300-86400 s for 802.1X (EAP)), but I need to extend it more than that. I need a feature like Sleeping Clients, but for L2 security. I need my session to remain for more than one day. Is it possible on ISE, maybe?

Thanks in advance,

Nik

6 Replies

Scott Fella
Hall of Fame
What is the reason you would want to extend this longer? The reason to have the sleeping client feature really was for webauth with iOS devices and to prevent the webauth page from appearing to users. With 802.1X and PSK for example, what would be the purpose? When the idle timer expires from the device not responding to probes, the controller removes the device from its tables and the device would have to perform a normal authentication to be allowed on the network. Seems like you have devices that just stop working overnight or something?
-Scott
*** Please rate helpful posts ***

Hello Scott,

Thank you for the fast reply.

The main reason is that the client asked me to do that. They want to extend sessions so that when a user leaves the office, nobody can join the network with his user/pass if they are somehow exposed. It was a bit confusing to me, so I wanted to check with the community.

Wow... that is typically the opposite. Security wants this lower so that devices that are compromised get their cert revoked or get removed from the domain, and the device can no longer connect.
-Scott
*** Please rate helpful posts ***


"The main reason is that the client asked me to do that. They want to extend sessions so that when a user leaves the office, nobody can join the network with his user/pass if they are somehow exposed."

Just keep in mind that this is not possible, and that is what you need to explain to your customer. The simple solution for this is to use certificates (EAP-TLS) or look at computer authentication. The idea that a user's AD credentials could get exposed is an issue for wired and wireless alike, and that should be addressed another way. If using ISE and AD username/password, then you would need to define a policy on ISE to check whether the user is already authenticated. This would not allow any user to access from another device, and many users might have more than one machine.

-Scott
*** Please rate helpful posts ***

Thank you, Scott. Your explanation is really great. I wanted to be sure that the WLC is not the place where this problem can be solved.

There is no WLC setting to allow that behavior.
-Scott
*** Please rate helpful posts ***