
Reauthenticate 300 devices

Alex Pfeil
Level 7

I need to force re-authentication of approximately 300 devices. Is there an easy way to force specific devices to reauthenticate using ISE? Is there an ISE CLI command, etc.?

I was manually going to look up the device in ISE to see which switch and port the device is located on. Then I was going to sign onto the switch and manually re-authenticate the device.

I cannot use authentication live authentications and CoA because the devices have not authenticated in the last 24 hours.

Thanks for any help with this question.

Thanks,

Alex


jan.nielsen
Level 7

If you know the specific devices, either by the way they authenticate, or by an authz rule, you can have the switch/wlc do the re-auth by adjusting the timers in your ISE authz result. This way you can specify re-authentication dynamically from ISE.

If I adjust the authorization reauthentication timer, it will cause all the devices to reauthenticate?

In results in ISE?

Yes, what Jan suggested will do the trick (+5 from me). And yes, he is referring to the re-auth timer located in the "authorization profile" in ISE. Any endpoints that get that "authorization profile" will then inherit the re-auth timer as well. Thus, if you want different devices to have different re-auth timers, then you can create multiple authorization rules and multiple authorization profiles.

Thank you for rating helpful posts!

One last question:

If the devices currently do not have a reauth timer set, will setting the reauth timer to 3600 seconds cause all of those devices using that authorization profile to reauthenticate right away, and then they will start authenticating every 3600 seconds after that? Or, will they acquire those settings over time and then start to periodically authenticate after acquiring those settings?

Thanks,

Alex

Even more specifically, the devices are already set up on the network and using ISE, but have never been required to reauthenticate. So I need a way to force them to reauthenticate easily.

Thanks,

Alex

The re-auth timer is going to be applied via the "authorization profile" as a RADIUS attribute. Thus, I believe any existing sessions will not get the attribute until they are manually re-authenticated (via a port bounce or authentication session reset). Thus, I believe you need to do the following:

1. Create the authorization profile with the appropriate re-auth timer

2. Apply the authorization profile to the appropriate authorization rule

3. Add the following command on your switchports: 

authentication timer reauthenticate server

4. Manually reset the existing sessions via one of the following:

   1. shut / no shut the ports

   2. Issue "clear authentication session interface interface_name_number"

Thank you for rating helpful posts! 
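Added example, not part of the thread: one way to turn steps 3 and 4 above into per-switch command batches for a few hundred endpoints. The CSV layout (columns `mac`, `switch`, `interface`), the hostnames and the MAC addresses are constructed assumptions, not an ISE export format; only the two `authentication` commands come from the post above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names and values are assumptions.
SAMPLE_CSV = """mac,switch,interface
00:11:22:33:44:55,sw-access-01,GigabitEthernet1/0/5
00:11:22:33:44:66,sw-access-01,GigabitEthernet1/0/5
00:11:22:33:44:77,sw-access-01,GigabitEthernet1/0/12
00:11:22:33:44:88,sw-access-02,GigabitEthernet1/0/3
00:11:22:33:44:99,,
"""


def plan_reauth(csv_text):
    """Group endpoints by switch; return (ports_by_switch, unresolved_macs)."""
    ports = defaultdict(list)
    unresolved = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        switch = (row.get("switch") or "").strip()
        iface = (row.get("interface") or "").strip()
        if not switch or not iface:
            # Location unknown: this endpoint still needs a manual lookup.
            unresolved.append(row["mac"].strip())
            continue
        # Several endpoints can share a port (phone + PC): clear it once.
        if iface not in ports[switch]:
            ports[switch].append(iface)
    return dict(ports), unresolved


def render_commands(interfaces):
    """Step 3 (config mode) then step 4 (exec mode) for one switch."""
    lines = ["configure terminal"]
    for iface in interfaces:
        lines += [f"interface {iface}",
                  " authentication timer reauthenticate server"]
    lines.append("end")
    lines += [f"clear authentication session interface {iface}"
              for iface in interfaces]
    return lines


if __name__ == "__main__":
    by_switch, missing = plan_reauth(SAMPLE_CSV)
    for switch, interfaces in by_switch.items():
        print(f"! ---- {switch} ----")
        print("\n".join(render_commands(interfaces)))
    print("! no switch/port recorded for:", ", ".join(missing))
```

Clearing a session on a shared port drops every endpoint on it, so review each batch before pasting it into a switch.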
