Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1505
Views
0
Helpful
2
Replies

ISE Reauthentication

Go to solution
Ufuk Gudulluoglu
Cisco Employee
Cisco Employee

‎12-14-2017 07:29 AM

Hello,

Is there a way to randomise the time for the reauthentication for ISE clients? When we select "Reauthentication" in the authorization profile it asks me an exact time in seconds to do the reauthentication. If possible, I would like to enter a range of time with min and max values, and ISE can select a random time from that range for each client.

My aim is to distribute the load on ISE to a wide range of time. Currently, in the morning all of the clients are logging in approximately in half an hour then after the reauthentication time same thing goes on again in half an hour. It would be great to widen this time to an hour or a couple of hours.

Regards,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎12-14-2017 08:08 AM

There is no feature and don't really see the need. 

From our SME hslai Human nature is a great random factor. ;-)

In case it’s robotic logins, setting this re-auth timers randomly in ISE authorization profiles can only help reauth.

Anyhow, reauth every 1/2 hour is too often. I believe our recommendation is every 3 or 4 days.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎12-14-2017 08:08 AM

There is no feature and don't really see the need. 

From our SME hslai Human nature is a great random factor. ;-)

In case it’s robotic logins, setting this re-auth timers randomly in ISE authorization profiles can only help reauth.

Anyhow, reauth every 1/2 hour is too often. I believe our recommendation is every 3 or 4 days.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10

‎12-14-2017 08:58 AM

Recommended reauth / session timeout value is 2 hours.  To Jason's point, you typically do not need to reauth very often.  Idle timeouts are typically used to detect cases where user no longer present, especially if clients not directly connecting to switchport.  If directly connected, then typically no reason to reauth until disconnect and reconnect, and this happens automatically.  You may want to compromise and set reauth to 1/day with RADIUS Accounting updates being sent every 2-3 days to keep session status updated in ISE.

Craig

0 Helpful
Customers Also Viewed These Support Documents