Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

How to change the machine-authentication timeout

  • 1.  How to change the machine-authentication timeout

    Posted Jan 26, 2017 02:41 AM
    Hi

    I think machine authentication happens only when devices are powered up, so if a device wakes up from hibernation or sleep then machine authentication will not be triggered. So sometimes machine auth times out in CPPM, and these hibernated or sleeping devices don't match the machine-auth CPPM rule when they wake up.

    So is there a way to increase the machine-auth devices timeout?


  • 2.  RE: How to change the machine-authentication timeout

    Posted Jan 26, 2017 03:58 AM

    Hi,

    Here's where you change this value:

    [Image: machine.jpg]


  • 3.  RE: How to change the machine-authentication timeout

    Posted Jan 26, 2017 05:48 AM

    Thanks, but...

    What is the recommended value for this timeout? In our case, if a device slept or hibernated for an undetermined period "which is more than the configured timeout", then it will not be assigned to the data VLAN because the service rules for machine authentication will not be matched...

    So can I set it to never time out, and is it recommended?


    Thanks



  • 4.  RE: How to change the machine-authentication timeout
    Best Answer

    Posted Jan 26, 2017 05:52 AM
    Hi,

    The recommended value is the default one. It's up to you if you wish to change it.

    I wouldn't recommend hibernating or sleeping Windows machines for long periods of time; I'd recommend shutting them down if they are not being used. It saves money amongst other things.


  • 5.  RE: How to change the machine-authentication timeout
    Best Answer

    EMPLOYEE
    Posted Jan 26, 2017 07:51 AM

    mahmoud.yasin@ad-tech.com.jo wrote:

    Thanks, but...

    What is the recommended value for this timeout? In our case, if a device slept or hibernated for an undetermined period "which is more than the configured timeout", then it will not be assigned to the data VLAN because the service rules for machine authentication will not be matched...

    So can I set it to never time out, and is it recommended?


    Thanks


    The default time is typically sufficient.  If a machine has successfully machine authenticated, every time the user authenticates after that, the machine cache is reset.  Let me repeat:  When a machine authenticates successfully, a countdown timer is started.  When a user authenticates after a machine has authenticated successfully, the machine authenticated timeout is reset.  So, the timer does not have to reflect how often the computer is rebooted, since every time a user authenticates successfully AFTER a machine successfully authenticates, the machine cache is reset.  

     

    You can think of the timer as "If a user does not touch the laptop for X minutes", they will have to reboot it so that it can successfully machine authenticate.  There are some users who use their laptops frequently and it is not a problem.  There are some users who leave their laptops for days and it also won't be a problem.  
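
The timer behaviour described in the reply above, as an added example that is not part of the original thread and is not ClearPass code. The 60-minute timeout, the device names and the timeline are constructed, and the model assumes a user authentication only restarts the countdown while the cache entry is still live.

```python
class MachineAuthCache:
    """Toy model of the machine-authentication cache described in the reply."""

    def __init__(self, timeout_min):
        self.timeout_min = timeout_min   # constructed value, not a product default
        self.expiry = {}                 # device id -> minute the entry expires

    def machine_auth(self, device, now):
        # A successful machine authentication starts the countdown.
        self.expiry[device] = now + self.timeout_min

    def user_auth(self, device, now):
        """Return True if the device still counts as machine-authenticated."""
        expires_at = self.expiry.get(device)
        if expires_at is None or now >= expires_at:
            # Entry never existed or aged out: the machine-auth rule no longer
            # matches until the device machine-authenticates again (reboot).
            self.expiry.pop(device, None)
            return False
        # Assumption: a user authentication on a live entry restarts the timer.
        self.expiry[device] = now + self.timeout_min
        return True


def replay(events, timeout_min):
    """Replay (minute, kind, device) events; return each user-auth outcome."""
    cache = MachineAuthCache(timeout_min)
    results = []
    for now, kind, device in events:
        if kind == "machine":
            cache.machine_auth(device, now)
        else:
            results.append((now, device, cache.user_auth(device, now)))
    return results


# Constructed timeline in minutes: laptop-A is used regularly, laptop-B sleeps.
EVENTS = [
    (0, "machine", "laptop-A"),
    (0, "machine", "laptop-B"),
    (50, "user", "laptop-A"),     # within 60 min: matches, timer restarts
    (100, "user", "laptop-A"),    # 100 min after boot, still matches
    (150, "user", "laptop-A"),    # kept alive by regular user logins
    (150, "user", "laptop-B"),    # idle 150 min > timeout: no match
    (160, "machine", "laptop-B"), # reboot, machine authenticates again
    (170, "user", "laptop-B"),    # matches again
]

if __name__ == "__main__":
    for minute, device, ok in replay(EVENTS, timeout_min=60):
        print(f"t={minute:>3} {device}: machine-authenticated={ok}")
```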



  • 6.  RE: How to change the machine-authentication timeout

    Posted Jan 26, 2017 07:55 AM

    Thanks Colin

    Very Clear now