Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is reauthentication interval required for wired auth?

  • 1.  Is reauthentication interval required for wired auth?

    MVP
    Posted Jul 12, 2019 01:22 PM

    We set up wired authentication on Cisco switches based on the recommended config from Aruba Solutions Engine. We are doing machine auth only for 802.1X and MAC auth. Is there any reason to actually have a reauthentication interval configured? If the port status changes, a new authentication will take place, and it doesn't matter if someone logs out and logs into the PCs. Not sure we are getting any value in it; thoughts?



  • 2.  RE: Is reauthentication interval required for wired auth?
    Best Answer

    EMPLOYEE
    Posted Jul 12, 2019 01:41 PM
    I don’t believe the ASE stuff is up to date. I would not recommend using it for CPPM stuff.

    I always recommend a reauth interval of 24 hours. It’s good to re-challenge a device for credentials. It’s also much easier to troubleshoot a session when there is a record every 24 hours.


  • 3.  RE: Is reauthentication interval required for wired auth?

    MVP
    Posted Jul 12, 2019 03:40 PM

    Thanks Tim, our 2960X switches only support up to 65535 seconds or roughly 18 hours maximum. I've also found in Cisco's Wired Authentication Guide that they recommend not setting reauthentication on MAB as it could interrupt connectivity and does not actually validate the MAC address of the device, just the MAC learned on the port initially. With all of that information, I think we're going to just disable the reauthentication interval altogether. Wired Authentication is new for us, so we've been able to track devices without the CPPM logs, so I think we'll be OK from that perspective, and the troubleshooting is only useful for authentications, which won't be taking place unless the port status changes.


    Thanks for your help.
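As an added example (not code from the thread, Aruba or Cisco), the Python below clamps a desired reauthentication interval to the 1-65535 second range of the IOS `authentication timer reauthenticate` command discussed above, emits the matching interface lines, and scans a constructed ClearPass-style accept log to flag endpoints whose last successful authentication is older than that interval, i.e. endpoints missing the periodic record the best answer relies on for troubleshooting. The log line format, MAC addresses and timestamps are assumptions made up for the example.

```python
from datetime import datetime

# IOS "authentication timer reauthenticate" takes a 16-bit value (1-65535 s), so a
# 24-hour interval (86400 s) cannot be expressed on the 2960X; ~18.2 h is the ceiling.
IOS_MAX_REAUTH_SECONDS = 65535


def reauth_timer(desired_seconds: int, max_seconds: int = IOS_MAX_REAUTH_SECONDS) -> int:
    """Largest interval the switch accepts that does not exceed the desired one."""
    if desired_seconds < 1:
        raise ValueError("reauthentication interval must be at least 1 second")
    return min(desired_seconds, max_seconds)


def interface_config(interval_seconds: int) -> list:
    """Interface-level IOS lines that enable periodic reauthentication."""
    return [
        "authentication periodic",
        f"authentication timer reauthenticate {interval_seconds}",
    ]


# Constructed sample: "<ISO timestamp>,<endpoint MAC>,<result>" per line (assumed format).
SAMPLE_LOG = """\
2019-07-12T01:00:00,00:11:22:33:44:55,ACCEPT
2019-07-12T13:30:00,00:11:22:33:44:55,ACCEPT
2019-07-11T08:15:00,aa:bb:cc:dd:ee:ff,ACCEPT
2019-07-12T12:00:00,aa:bb:cc:dd:ee:ff,REJECT
"""


def stale_endpoints(log_text: str, interval_seconds: int, now: datetime) -> list:
    """MACs whose newest ACCEPT is older than interval_seconds as of `now` (sorted).

    A healthy periodic-reauth deployment should never produce such entries; each
    one is either a port that never re-authenticated or a missing session record.
    """
    last_accept = {}
    for line in log_text.splitlines():
        stamp, mac, result = line.strip().split(",")
        if result != "ACCEPT":
            continue  # rejects do not establish a session, so they do not count
        ts = datetime.fromisoformat(stamp)
        if mac not in last_accept or ts > last_accept[mac]:
            last_accept[mac] = ts
    return sorted(
        mac for mac, ts in last_accept.items()
        if (now - ts).total_seconds() > interval_seconds
    )
```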