MVP Expert

Is reauthentication interval required for wired auth?

We set up wired authentication on Cisco switches based on recommended config from Aruba Solutions Engine. We are doing machine auth only for 802.1X and MAC auth. Is there any reason to actually have a reauthentication interval configured? If the port status changes, a new authentication will take place and it doesn't matter if someone logs out and logs into the PCs. Not sure we are getting any value in it, thoughts?



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Guru Elite

Re: Is reauthentication interval required for wired auth?

I don’t believe the ASE stuff is up to date. I would not recommend using it for CPPM stuff.

I always recommend a reauth interval of 24 hours. It’s good to re-challenge a device for credentials. It’s also much easier to troubleshoot a session when there is a record every 24 hours.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Expert

Re: Is reauthentication interval required for wired auth?

Thanks Tim, our 2960X switches only support up to 65535 seconds or roughly 18 hours maximum. I've also found in Cisco's Wired Authentication Guide that they recommend not setting reauthentication on MAB as it could interrupt connectivity and does not actually validate the MAC address of the device, just the MAC learned on the port initially. With all of that information, I think we're going to just disable the reauthentication interval altogether. Wired Authentication is new for us, so we've been able to track devices without the CPPM logs, so I think we'll be OK from that perspective and the troubleshooting is only useful for authentications, which won't be taking place unless the port status changes.

 

Thanks for your help. 



Michael Haring
If my answer is helpful, a Kudos is always appreciated!