Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to change the machine-authentication timeout

  • 1.  How to change the machine-authentication timeout

    Posted Jan 26, 2017 02:41 AM
    Hi

    I think machine authentication only happens when devices are powered up, so if the device wakes up from hibernation or sleep then machine authentication will not be triggered. So sometimes machine auth times out in CPPM and these hibernated or sleeping devices don't match the machine-auth CPPM rule when they wake up.

    So is there a way to increase the machine-auth devices timeout?


  • 2.  RE: How to change the machine-authentication timeout

    Posted Jan 26, 2017 03:58 AM

    Hi,

    Here's where you change this value:

    [Screenshot: machine.jpg]


  • 3.  RE: How to change the machine-authentication timeout

    Posted Jan 26, 2017 05:48 AM

    Thanks, but...

    What is the recommended value for this timeout, as in our case if a device slept or hibernated for an undetermined period "which is more than the configured timeout" then it will not be assigned to the data VLAN because the service rules for machine authentication will not be matched...

    So can I set it to never timeout, and is it recommended?


    Thanks



  • 4.  RE: How to change the machine-authentication timeout
    Best Answer

    Posted Jan 26, 2017 05:52 AM
    Hi,

    The recommended value is the default one. It's up to you if you wish to change it.

    I wouldn't recommend hibernating or sleeping Windows machines for long periods of time; I'd recommend shutting them down if not being used. It saves money amongst other things.


  • 5.  RE: How to change the machine-authentication timeout
    Best Answer

    EMPLOYEE
    Posted Jan 26, 2017 07:51 AM

    mahmoud.yasin@ad-tech.com.jo wrote:

    Thanks, but...

    What is the recommended value for this timeout, as in our case if a device slept or hibernated for an undetermined period "which is more than the configured timeout" then it will not be assigned to the data VLAN because the service rules for machine authentication will not be matched...

    So can I set it to never timeout, and is it recommended?


    Thanks


    The default time is typically sufficient.  If a machine has successfully machine authenticated, every time the user authenticates after that, the machine cache is reset.  Let me repeat:  When a machine authenticates successfully, a countdown timer is started.  When a user authenticates after a machine has authenticated successfully, the machine authenticated timeout is reset.  So, the timer does not have to reflect how often the computer is rebooted, since every time a user authenticates successfully AFTER a machine successfully authenticates, the machine cache is reset.  

     

    You can think of the timer as "If a user does not touch the laptop for X minutes", they will have to reboot it so that it can successfully machine authenticate.  There are some users who use their laptops frequently and it is not a problem.  There are some users who leave their laptops for days and it also won't be a problem.  
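
The timer behaviour described in reply 5, as an added example that is not part of the original thread and is not ClearPass code: a toy model in which machine authentication starts the countdown and each later user authentication resets it. The class and function names, the 24-hour timeout, the MAC address and the timeline are all constructed for illustration.

```python
from dataclasses import dataclass, field

HOUR = 3600
TIMEOUT_S = 24 * HOUR  # constructed value for the example, not taken from the thread


@dataclass
class MachineAuthCache:
    """Toy model of the timer as reply 5 describes it (hypothetical names)."""
    timeout_s: int
    expiry: dict = field(default_factory=dict)  # MAC -> time the entry expires

    def machine_auth(self, mac: str, now: int) -> bool:
        # A successful machine authentication starts the countdown.
        self.expiry[mac] = now + self.timeout_s
        return True

    def user_auth(self, mac: str, now: int) -> bool:
        # True means the device still counts as machine authenticated.
        exp = self.expiry.get(mac)
        if exp is None or now > exp:
            self.expiry.pop(mac, None)
            return False  # cache entry gone: machine auth must happen again
        self.expiry[mac] = now + self.timeout_s  # user auth resets the timer
        return True


def replay(events, timeout_s=TIMEOUT_S):
    """Run (hour, mac, kind) events and return (hour, kind, ok) per event."""
    cache = MachineAuthCache(timeout_s)
    out = []
    for hour, mac, kind in events:
        now = hour * HOUR
        ok = cache.machine_auth(mac, now) if kind == "machine" else cache.user_auth(mac, now)
        out.append((hour, kind, ok))
    return out


# Constructed timeline for one laptop (MAC is a made-up sample value).
MAC = "00:11:22:33:44:55"
TIMELINE = [
    (0, MAC, "machine"),    # boot
    (20, MAC, "user"),      # within the timeout: ok, timer restarts
    (40, MAC, "user"),      # 40 h after boot but 20 h after last user auth: ok
    (100, MAC, "user"),     # woke from a 60 h sleep: entry expired
    (101, MAC, "machine"),  # reboot
    (102, MAC, "user"),     # ok again
]

if __name__ == "__main__":
    for hour, kind, ok in replay(TIMELINE):
        print(f"t={hour:>3}h {kind:<7} machine-authenticated={ok}")
```

The user authentication at hour 40 succeeds even though it is more than 24 hours after boot, because the one at hour 20 restarted the countdown; only the 60-hour gap lets the entry expire.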



  • 6.  RE: How to change the machine-authentication timeout

    Posted Jan 26, 2017 07:55 AM

    Thanks Colin

    Very Clear now



  • 7.  RE: How to change the machine-authentication timeout

    Posted Mar 13, 2023 01:03 AM

    Hi Colin and All,

    If for example we have 2 or more nodes in the same zone in a cluster, and we have different values of this machine auth cache timeout, which value is going to apply?

    Is it the Publisher, because I am not convinced.

    Thanks in advance.