recommended reauthentication timers?

Unanswered Question
Aug 15th, 2008

In a secure wireless environment (WPA2/AES) with centralised RADIUS authentication using PEAP are there any recommended reauthentication timers? I have tested this with MS IAS and currently have a 30-minute Session-Timeout. I was just wondering if there are any best practise reauthentication timers that are recommended?

Cheers

Andy

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Scott Fella Fri, 08/15/2008 - 18:51

Andrew,

I think it depends on your client and the applications that are being used. I have set the timer to 4 hours when the application is sensitive, to prevent loss of data or users having to log back into an application. Here is a link and part of a doc I found:

5.2.2.3. Use RADIUS Session Timeouts to Rotate WEP Keys

Cisco LEAP and EAP Transport Layer Security (TLS) support session expiration and 802.1X reauthentication by using the RADIUS session timeout option (RADIUS Internet Engineering Task Force option 27). To avoid IV reuse (IV collisions), rotate the base WEP key before the IV space is exhausted.

For example, the worst-case scenario for a reauthentication time would be stations in a service set running at maximum packet rate (in 802.11 stations, this is 1000 frames per second).

•2^24 frames (16,777,216) / 1000 frames per second ~= 16,777 seconds or 4 hours 40 minutes.

Normal frame rates will vary by implementation, but this example serves as a guideline for determining the session timeout value.

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm#wp39658

andrew.butterworth Sat, 08/16/2008 - 02:33

With a 30-minute Session-Timeout I can see the EAP re-authentication in the IAS server logs quite uniform and it takes all of a couple of packets (i.e. it's very quick). I can't see any adverse affects on the clients - i.e. applications don't time out; even a telnet session to the AP the client is authenticated to. I appreciate real-time applications (i.e. voice) would suffer from a 'blip' as the re-authentication occurred. I am just after a best-practise value I can recommend to customers. 4-hours seems a bit long to me, but I am happy to quote that if it's documented and the reasoning explained.

The link you posted refers to WEP & WEP session key rotation. We would never recommend WEP on a secure wireless deployment due to it's obvious flaws. We would recommend a minimum authentication type of WPA, with WPA2 preferred. Therefore is the link valid for WPA/WPA2 deployments?

Andy

Scott Fella Sat, 08/16/2008 - 04:48

I found this for IAS recommended settings from this site:

http://windowsitpro.com/article/articleid/50105/reaping-the-benefits-of-wpa-and-peap.html

The Session-Timeout value ensures that a client can't remain connected for long periods after its account has been disabled. Clients will be forced to authenticate again after they've been connected for the specified number of minutes. For WPA orWPA2 environments, Microsoft suggests 600 minutes as a suitable value.

Here is a post from the forum that states no need to rekey:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.1ddbffdd/1#selected_message

Scott Fella Sat, 08/16/2008 - 05:48

No problem.... let us know what you end up setting it to and if that setting worked fine or not. Just curious, since alot of times, that value is left at default.

Today I had a user complain because they were seeing the "Connected" bubble pop up in the lower right corner every 30 minutes, and assumed something was wrong.

I determined this was due to the default session timeout of 1800 seconds (30 min).

I too am going to bump that up to 4 hours. It should alleviate the "Connected" bubble popping up every 30 minutes at least.

dennischolmes Sun, 10/26/2008 - 16:35

You guys will also see improvement in client devices that require connection persistance such as Citrix clients and Windows Terminal Services clients because the reauth often sends a blip that breaks the connection on sensitive applications if you increase the timer.

Actions

This Discussion

 

 

Trending Topics - Security & Network