In a secure wireless environment (WPA2/AES) with centralised RADIUS authentication using PEAP, are there any recommended reauthentication timers? I have tested this with MS IAS and currently have a 30-minute Session-Timeout. I was just wondering if there are any best-practice reauthentication timers that are recommended?
I think it depends on your client and the applications that are being used. I have set the timer to 4 hours when the application is sensitive, to prevent loss of data or users having to log back into an application. Here is a link and part of a doc I found:
Use RADIUS Session Timeouts to Rotate WEP Keys
Cisco LEAP and EAP Transport Layer Security (TLS) support session expiration and 802.1X reauthentication by using the RADIUS session timeout option (RADIUS Internet Engineering Task Force option 27). To avoid IV reuse (IV collisions), rotate the base WEP key before the IV space is exhausted.
For example, the worst-case scenario for a reauthentication time would be stations in a service set running at maximum packet rate (in 802.11 stations, this is 1000 frames per second).
• 2^24 frames (16,777,216) / 1000 frames per second ~= 16,777 seconds, or 4 hours 40 minutes.
Normal frame rates will vary by implementation, but this example serves as a guideline for determining the session timeout value.
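The arithmetic in the quoted guideline, worked through in code (an added example, not from the Cisco document or from either poster): it computes the time until the 24-bit WEP IV space is exhausted at a given frame rate, compares the candidate Session-Timeout values mentioned in this thread (30 minutes, 4 hours, 600 minutes) against that bound, and shows how the chosen value is carried on the wire as RADIUS attribute 27 (Session-Timeout, a 4-octet big-endian integer of seconds, as defined in RFC 2865). The 1000 frames-per-second worst case and the 24-bit IV width are taken from the quoted text; the candidate timers are the figures under discussion here.

```python
"""Added example: RADIUS Session-Timeout versus WEP IV exhaustion.

Reproduces the quoted guideline's calculation and encodes/decodes the
resulting value as RADIUS attribute 27 (Session-Timeout, RFC 2865).
"""
import struct

SESSION_TIMEOUT_TYPE = 27   # RADIUS attribute number for Session-Timeout
WEP_IV_BITS = 24            # the 802.11 WEP IV is 24 bits wide
WORST_CASE_FPS = 1000       # worst-case frame rate quoted in the guideline


def iv_exhaustion_seconds(iv_bits: int = WEP_IV_BITS,
                          frames_per_second: int = WORST_CASE_FPS) -> int:
    """Seconds until every IV value has been used once at the given frame rate.

    A WEP key must be rotated (re-authentication forced) before this elapses
    to avoid IV collisions. Integer division rounds down, which is the
    conservative direction for a timeout.
    """
    return (2 ** iv_bits) // frames_per_second


def encode_session_timeout(seconds: int) -> bytes:
    """Build the Session-Timeout AVP: type (1 octet), length (1), value (4)."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must fit in an unsigned 32-bit integer")
    return struct.pack("!BBI", SESSION_TIMEOUT_TYPE, 6, seconds)


def decode_session_timeout(avp: bytes) -> int:
    """Parse a Session-Timeout AVP, rejecting anything malformed."""
    if len(avp) != 6:
        raise ValueError("Session-Timeout AVP must be exactly 6 octets")
    attr_type, length, seconds = struct.unpack("!BBI", avp)
    if attr_type != SESSION_TIMEOUT_TYPE or length != 6:
        raise ValueError("not a well-formed Session-Timeout attribute")
    return seconds


def check_timer(minutes: int, frames_per_second: int = WORST_CASE_FPS) -> dict:
    """Compare a candidate Session-Timeout (in minutes) against the IV bound.

    The bound is specific to WEP's 24-bit IV. TKIP and CCMP (WPA/WPA2) use
    48-bit per-packet counters, so this arithmetic does not carry over to
    them; the dictionary simply reports where the candidate sits relative
    to the WEP figure.
    """
    seconds = minutes * 60
    bound = iv_exhaustion_seconds(frames_per_second=frames_per_second)
    return {
        "minutes": minutes,
        "seconds": seconds,
        "wep_iv_bound_seconds": bound,
        "within_wep_iv_bound": seconds <= bound,
        "avp_hex": encode_session_timeout(seconds).hex(),
    }


if __name__ == "__main__":
    print(f"WEP IV space exhausted after {iv_exhaustion_seconds()} s "
          f"at {WORST_CASE_FPS} frames/s")
    # Timers discussed in this thread: 30 minutes, 4 hours, 600 minutes.
    for candidate in (30, 240, 600):
        print(check_timer(candidate))
```

Run as a script it prints the IV-exhaustion figure (16,777 seconds) and one line per candidate timer; `decode_session_timeout` is the check you would run against a captured Access-Accept to confirm the server is actually sending the value you configured.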
With a 30-minute Session-Timeout I can see the EAP re-authentication in the IAS server logs quite uniformly, and it takes all of a couple of packets (i.e. it's very quick). I can't see any adverse effects on the clients - i.e. applications don't time out; even a telnet session to the AP the client is authenticated to. I appreciate real-time applications (i.e. voice) would suffer from a 'blip' as the re-authentication occurred. I am just after a best-practice value I can recommend to customers. 4 hours seems a bit long to me, but I am happy to quote that if it's documented and the reasoning explained.
The link you posted refers to WEP and WEP session key rotation. We would never recommend WEP on a secure wireless deployment due to its obvious flaws. We would recommend a minimum authentication type of WPA, with WPA2 preferred. Therefore, is the link valid for WPA/WPA2 deployments?
The Session-Timeout value ensures that a client can't remain connected for long periods after its account has been disabled. Clients will be forced to authenticate again after they've been connected for the specified number of minutes. For WPA or WPA2 environments, Microsoft suggests 600 minutes as a suitable value.
Here is a post from the forum that states no need to rekey:
You guys will also see improvement in client devices that require connection persistence, such as Citrix clients and Windows Terminal Services clients, because the reauth often sends a blip that breaks the connection on sensitive applications, if you increase the timer.