Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

recommended reauthentication timers?

In a secure wireless environment (WPA2/AES) with centralised RADIUS authentication using PEAP are there any recommended reauthentication timers? I have tested this with MS IAS and currently have a 30-minute Session-Timeout. I was just wondering if there are any best practise reauthentication timers that are recommended?

Cheers

Andy

7 REPLIES
Hall of Fame Super Silver

Re: recommended reauthentication timers?

Andrew,

I think it depends on your client and the applications that are being used. I have set the timer to 4 hours when the application is sensitive, to prevent loss of data or users having to log back into an application. Here is a link and part of a doc I found:

5.2.2.3. Use RADIUS Session Timeouts to Rotate WEP Keys

Cisco LEAP and EAP Transport Layer Security (TLS) support session expiration and 802.1X reauthentication by using the RADIUS session timeout option (RADIUS Internet Engineering Task Force option 27). To avoid IV reuse (IV collisions), rotate the base WEP key before the IV space is exhausted.

For example, the worst-case scenario for a reauthentication time would be stations in a service set running at maximum packet rate (in 802.11 stations, this is 1000 frames per second).

•2^24 frames (16,777,216) / 1000 frames per second ~= 16,777 seconds or 4 hours 40 minutes.

Normal frame rates will vary by implementation, but this example serves as a guideline for determining the session timeout value.

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm#wp39658

-Scott
*** Please rate helpful posts ***

Re: recommended reauthentication timers?

With a 30-minute Session-Timeout I can see the EAP re-authentication in the IAS server logs quite uniform and it takes all of a couple of packets (i.e. it's very quick). I can't see any adverse affects on the clients - i.e. applications don't time out; even a telnet session to the AP the client is authenticated to. I appreciate real-time applications (i.e. voice) would suffer from a 'blip' as the re-authentication occurred. I am just after a best-practise value I can recommend to customers. 4-hours seems a bit long to me, but I am happy to quote that if it's documented and the reasoning explained.

The link you posted refers to WEP & WEP session key rotation. We would never recommend WEP on a secure wireless deployment due to it's obvious flaws. We would recommend a minimum authentication type of WPA, with WPA2 preferred. Therefore is the link valid for WPA/WPA2 deployments?

Andy

Hall of Fame Super Silver

Re: recommended reauthentication timers?

I found this for IAS recommended settings from this site:

http://windowsitpro.com/article/articleid/50105/reaping-the-benefits-of-wpa-and-peap.html

The Session-Timeout value ensures that a client can't remain connected for long periods after its account has been disabled. Clients will be forced to authenticate again after they've been connected for the specified number of minutes. For WPA orWPA2 environments, Microsoft suggests 600 minutes as a suitable value.

Here is a post from the forum that states no need to rekey:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.1ddbffdd/1#selected_message

-Scott
*** Please rate helpful posts ***

Re: recommended reauthentication timers?

Excellent find fella, thanks for that.

Hall of Fame Super Silver

Re: recommended reauthentication timers?

No problem.... let us know what you end up setting it to and if that setting worked fine or not. Just curious, since alot of times, that value is left at default.

-Scott
*** Please rate helpful posts ***
New Member

Re: recommended reauthentication timers?

Today I had a user complain because they were seeing the "Connected" bubble pop up in the lower right corner every 30 minutes, and assumed something was wrong.

I determined this was due to the default session timeout of 1800 seconds (30 min).

I too am going to bump that up to 4 hours. It should alleviate the "Connected" bubble popping up every 30 minutes at least.

Re: recommended reauthentication timers?

You guys will also see improvement in client devices that require connection persistance such as Citrix clients and Windows Terminal Services clients because the reauth often sends a blip that breaks the connection on sensitive applications if you increase the timer.

3123
Views
0
Helpful
7
Replies