LLDP-MED endpoints to determine the capabilities that the connected [...] both network connectivity devices and endpoints to advertise VLAN configurations and associated Layer 2 and Layer 3 attributes for [...] notify a phone of the VLAN number that it should use. The phone can connect to any switch, obtain its VLAN number, and then start [...] defining a network-policy profile TLV, you can create a profile for voice and voice-signaling by specifying the values for VLAN, class of service (CoS), differentiated services code point (DSCP), and [...]. These profile attributes are then maintained centrally on the switch and propagated to the phone. [...] Enables advanced power management between LLDP-MED endpoint and network connectivity devices. [...] phones to convey power information, such as how the device is powered, power priority, and how much power the device needs. LLDP-MED also supports an extended power TLV to advertise fine-grained power requirements, end-point power priority, and end-point and network connectivity-device power [...] LLDP is enabled and power is applied to a port, the power TLV determines the actual power requirement of the endpoint device so that the system power budget can be adjusted accordingly. [...] switch processes the requests and either grants or denies power based on the current power budget. [...] switch turns off power to the port, generates a syslog message, and updates the power budget.

This tip might seem a bit odd at first since most people would probably consider reauthentication a good thing. The only reason this tip is here is that Cisco has some older documentation (see Wired 802.1X Deployment Guide) from over 10 years ago that has a bad take on reauthentication (in my opinion) and recommends that it should not be used. However, the different problems related to reauthentication mentioned in that guide are no longer as bad as they seem, and there are ways to fix them.

You should always be using Reauthentication! Performing reauthentication is a great way to confirm that a previously connected (authenticated) device is still active, and it is a great way to automatically re-enforce changes in Authorization Policies as access sessions go through the process. For example, reauthentication triggers a refresh of the downloadable Access Control List ("dACL") applied to the port going through reauthentication. If you do not use reauthentication, you would have to trigger a manual reauthentication either by messing with the port (shutdown/no shutdown), reseating the network cable, or sending a RADIUS Reauth manually from ISE.

The Reauthentication Timeout timer can be assigned either directly on the switch port manually or sent from ISE when authentication occurs. For your switch to allow ISE to set this timeout value, the two commands below must be configured on the switch port.

authentication periodic
authentication timer reauthenticate server

Using ISE to set this timeout is the preferred way for the sake of consistency, so make sure to always do this when possible. Unless your company's security policy states otherwise (for example, you are required to have reauthentication take place every X hours), set the Reauthentication Timeout to the maximum value of 65535 seconds (which is just over 18 hours). Depending on the size of your environment, setting the Reauthentication Timeout period to a very low number will cause an unnecessary load on your ISE servers. There are of course some security reasons to have a shorter timeout, like kicking out endpoints whose certificates are revoked or expire during an active session: a shorter timer makes reauthentication happen sooner, which gets them off the network faster.

In most deployments, 802.1X authentication takes place first before falling back to MAB after a few authentication attempts.
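As an added example (not the author's code and not a Cisco or ISE tool), a small Python audit that parses a constructed IOS running-config, reports every ISE-controlled access port that is missing either of the two commands from the reauthentication tip above, and estimates the steady-state reauthentication rate ISE would absorb for a given timer value. The interface names, the sample config and the endpoint count are constructed for the example.

```python
# Constructed sample running-config (not from the page): three ISE-controlled access ports.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
!
interface GigabitEthernet1/0/2
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 3600
!
interface GigabitEthernet1/0/3
 authentication port-control auto
!
"""

# The two commands the tip says every ISE-controlled port needs.
REQUIRED = ("authentication periodic", "authentication timer reauthenticate server")

def interface_blocks(running_config):
    """Split an IOS running-config into {interface name: [its indented config lines]}."""
    blocks, current = {}, None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and raw.startswith(" "):
            blocks[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return blocks

def audit(running_config):
    """Return {interface: [missing commands]} for every port doing 802.1X/MAB."""
    report = {}
    for name, lines in interface_blocks(running_config).items():
        if "authentication port-control auto" not in lines:
            continue  # not an access-control port, nothing to check
        missing = [cmd for cmd in REQUIRED if cmd not in lines]
        if missing:  # a static timer such as "reauthenticate 3600" does not satisfy the check
            report[name] = missing
    return report

def ise_reauth_rate(endpoints, timeout_seconds):
    """Average reauthentications per second ISE absorbs once sessions are spread out."""
    return endpoints / timeout_seconds
```

With 20000 endpoints, a 600-second timer works out to about 33 reauthentications per second against ISE, while the 65535-second maximum is about 0.3 per second.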