Security

last person joined: 7 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Is reauthentication interval required for wired auth?

Jump to Best Answer
  • 1.  Is reauthentication interval required for wired auth?

    Posted Jul 12, 2019 01:22 PM

    We setup wired authentication on Cisco switches based on recommended config from Aruba Solutions Engine. We are doing machine auth only for 802.1X and MAC auth. Is there any reason to actually have a reauthentication interval configured? If the port status changes, a new authentication will take place and it doesn't matter if someone logs out and logs into the PCs. Not sure we are getting any value in it, thoughts?



  • 2.  RE: Is reauthentication interval required for wired auth?
    Best Answer

    Posted Jul 12, 2019 01:41 PM
    I don’t believe the ASE stuff is up to date. I would not recommend using it for CPPM stuff.

    I always recommend a reauth interval of 24 hours. It’s good to re-challenge a device for credentials. It’s also much easier to troubleshoot a session when there is a record every 24 hours.


  • 3.  RE: Is reauthentication interval required for wired auth?

    Posted Jul 12, 2019 03:40 PM

    Thanks Tim, our 2960X switches only support up to 65535 seconds or roughly 18 hours maximum. I've also found in Cisco's Wired Authentication Guide that they recommend not setting reauthentication on MAB as it could interrupt connectivity and does not actually validate the MAC address of the device, just the MAC learned on the port initially. With all of that information, I think we're going to just disable the reauthentication interval all together. Wired Authentication is new for us, so we've been able to track devices without the CPPM logs, so I think we'll be OK from that perspective and the troubleshooting is only useful for authentications, which won't be taking place unless the port status changes. 

     

    Thanks for your help.