Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
21312
Views
5
Helpful
3
Replies

Cisco ISE: 802.1x Timers Best Practices / Re-authentication Timers [EAP-TLS]

Mubasher Sultan - 2x CCIE # 20149 (R&S | Sec)
Level 1
Level 1

‎09-02-2013 05:40 AM - edited ‎03-10-2019 08:50 PM

Dear Folks,

Kindly, suggest the best recommended values for the timers in 802.1x (EAP-TLS)... Should i keep default all or change or some of them?

Also, what do we need reauthentication timers? Any benefit to use it? Does it prompt to users or became invisible? and What are the best values, in case if we need to use it?

Thanks,

Regards,

Mubasher

My Interface Configuration is as below;

---

interface GigabitEthernet1/34

switchport access vlan 131

switchport mode access

switchport voice vlan 195

ip access-group ACL-DEFAULT in

authentication event fail action authorize vlan 131

authentication event server dead action authorize vlan 131

authentication event server alive action reinitialize

authentication open

authentication order dot1x mab

authentication priority dot1x mab

authentication port-control auto

mab

snmp trap mac-notification change added

dot1x pae authenticator

dot1x timeout tx-period 5

storm-control broadcast level 30.00

spanning-tree portfast

spanning-tree bpduguard enable

!

----

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Anas Naqvi
Level 1
Level 1

‎09-02-2013 11:31 AM

Hello Mubashir,

Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).

The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.

Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.

Configure the tx-period timer.

C3750X(config-if-range)#dot1x timeout tx-period 10

0 Helpful

Mubasher Sultan - 2x CCIE # 20149 (R&S | Sec)
Level 1
Level 1
In response to Anas Naqvi

‎09-04-2013 04:01 AM

Dear Sir,

I already configured it as "dot1x timeout tx-period 5".

I have the situation that e.g., our users put the PC on sleep (or hibernate) on a regular basis... Sometimes, the dot1x gets stuck longer in POSTURE and sometime meets with the default policy, which is not acceptable.

Also, what does re-authentication timer do ? Can it help in this case?

Regards,

Mubasher Sultan

mohan.doss19
Level 1
Level 1
In response to Mubasher Sultan - 2x CCIE # 20149 (R&S | Sec)

‎06-03-2018 02:43 AM

Hi Team,

 

I am also facing the same issue , any suggestions pls

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents