Cisco Support Community
ISE: Reauthentication timer

Hi,

I am doing authentication of endpoint devices. The default reauthentication timer on switchports is 3600 seconds. Why is reauthentication needed? Isn't it enough that a device is authenticated only when it connects?

When the reauthentication timer is set to server (authentication timer reauthenticate server), I guess that the server is ISE. Where in ISE do I configure the timer?

Regards,

Philip

Accepted Solutions
Cisco Employee


Philip,

I'll provide you with one of many use cases for reauthentication: imagine that you authenticate with certificates.

If the certificate became invalid (expired/device stolen), you cannot kick a user off the network if it authenticated prior to you noticing.

So in essence if the device was stolen but you have not noticed it before it was plugged in, without reauthentication, it potentially could be allowed on the network for quite some time.

That being said, we recommend not using re-authentication for performance reasons or setting the timer to at least 2 hours.

On ISE you can send auth timers from authorization policy.
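As an added example (not part of the original thread and not Cisco code), the script below audits switch interface configuration against the figures discussed here: the 3600-second default, the server-supplied timer, and the 2-hour minimum from the answer. It assumes IOS-style interface blocks and that `authentication periodic`, a command the thread does not mention, is what enables reauthentication on a port; the sample config is constructed.

```python
import re

MIN_SECONDS = 7200      # "at least 2 hours", from the answer above
DEFAULT_SECONDS = 3600  # switchport default quoted in the question

# Constructed sample config; interface names and values are made up.
SAMPLE = """\
interface Gi1/0/1
 authentication periodic
 authentication timer reauthenticate server
interface Gi1/0/2
 authentication periodic
 authentication timer reauthenticate 600
interface Gi1/0/3
 authentication timer reauthenticate server
interface Gi1/0/4
 authentication periodic
"""

def audit_reauth(config):
    """Map each interface to a finding about its reauthentication setup."""
    ports, cur = {}, None
    for line in config.splitlines():
        head = re.match(r"interface\s+(\S+)", line)
        if head:
            cur = ports.setdefault(head.group(1), {"periodic": False, "timer": None})
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # left the interface block
            continue
        cmd = " ".join(line.split())
        if cmd == "authentication periodic":  # assumed enable switch (see lead-in)
            cur["periodic"] = True
        timer = re.fullmatch(r"authentication timer reauthenticate (\d+|server)", cmd)
        if timer:
            cur["timer"] = timer.group(1)
    findings = {}
    for name, p in ports.items():
        if not p["periodic"]:
            findings[name] = "no periodic reauthentication"
        elif p["timer"] == "server":
            findings[name] = "timer supplied by server"
        else:
            secs = int(p["timer"] or DEFAULT_SECONDS)
            findings[name] = ("ok: %d s" if secs >= MIN_SECONDS else "below 2 hours: %d s") % secs
    return findings

if __name__ == "__main__":
    for port, finding in audit_reauth(SAMPLE).items():
        print(port, "->", finding)
```

A port that sets the timer to server but never enables periodic reauthentication is reported as having none, which is the case a quick read of the config tends to miss.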
