cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2283
Views
10
Helpful
6
Replies

WLC / ISE Session extension

niknik
Level 1
Level 1

I wonder if it is possible to extend session on WLC or ISE? On WLC, I know about Session Timeouts (300-86400s for 802.1X(EAP)), but I need to extend more than that. I need features like Sleeping Clients, but for L2 security.  I need my session to remain for more than one day. Is it possible on ISE, maybe?

Thanks in advance,

Nik

 

1 Accepted Solution

Accepted Solutions


Main reason is because client asked me to do that. They want to extend sessions so when user leaves office nobody can join network with his user/pass if they are somehow exposed.

Just keep in mind that this is not possible and that is what you need to explain to your customer.  The simple solution for this is to use certificates (EAP-TLS) or look at computer authentication.  The idea that a users AD credentials would get exposed is an issue to wired and wireless and that should be addressed another way.  If using ISE and AD username/password, then you would need to define a policy on ISE to look if already authenticated.  This would not allow any users to access from another device which many might have more than one machine.

-Scott
*** Please rate helpful posts ***

View solution in original post

6 Replies 6

Scott Fella
Hall of Fame
Hall of Fame
What is the reason you would want to extend this longer? The reason to have sleeping client really was for webauth with iOS devices and to prevent the webauth page to appear to users. With 802.1x and psk for example, what would be the purpose? When the idle timer expires from the device not responding to probes, the controller removes the device from its tables and the device would have to perform a normal authentication to be allowed on the network. Seems like you have devices that just stop working overnight or something?
-Scott
*** Please rate helpful posts ***

Hello Scott,

 

Thank you for fast reply. 

 

Main reason is because client asked me to do that. They want to extend sessions so when user leaves office nobody can join network with his user/pass if they are somehow exposed. It was a bit confusing to me, so I wanted to check with community. 

 

Wow... that is typically the opposite. Security wants this lower so that devices that are compromised gets the cert revoked or device gets removed from the domain and the device no longer can get connected.
-Scott
*** Please rate helpful posts ***


Main reason is because client asked me to do that. They want to extend sessions so when user leaves office nobody can join network with his user/pass if they are somehow exposed.

Just keep in mind that this is not possible and that is what you need to explain to your customer.  The simple solution for this is to use certificates (EAP-TLS) or look at computer authentication.  The idea that a users AD credentials would get exposed is an issue to wired and wireless and that should be addressed another way.  If using ISE and AD username/password, then you would need to define a policy on ISE to look if already authenticated.  This would not allow any users to access from another device which many might have more than one machine.

-Scott
*** Please rate helpful posts ***

Thank you Scott. Your explanation is really great. I wanted to be sure that WLC is not place where this problem can be solved. 

There is no wlc setting to allow that behavior.
-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card