Question about authentication dot1x and mac on SecureStack - Re-Authentication

  • Question
  • Updated 4 years ago
What are the best practices to configure 802.1x authentication, MAC authentication, etc. on clients running Windows 7?

My main question is: are you applying re-authentication on the ports of SecureStack, and why? If yes, what times did you use for this?

Do you recommend applying re-auth?
Did you apply re-auth using Policy Manager or NAC Manager?

Image 1 shows re-auth by NAC Manager - Default

Image 2 shows re-auth by Policy Manager - Default


Thanks in advance,


Edson Moura

Posted 4 years ago

Tyler Marcotte, Official Rep
Hi Edson,

In general we recommend some sort of re-auth in your network to keep the active end systems fresh in NAC. People have used different values depending on their own situations, though. Some customers reauth every 4 hours and some reauth every 12 hours or so. Generally, once-a-day reauthentication is a good idea to keep your data fresh.

As for where to set it, it should be done through Policy Manager. The screen you showed in NAC Manager is actually for setting the default values used when configuring from the port wizard. The port wizard in NAC is not generally used on a regular basis; it's there to ease implementation of a fresh NAC installation. We would recommend using Policy Manager for these types of configurations.

Thanks,

-Tyler
Edson Moura
Hi Tyler,

If I configure re-auth via the Port Wizard in Policy Manager, what time will be used for re-auth? The one set by Policy Manager, by NAC Manager, or both?

Or do I have to disable re-auth in NAC Manager and only use Policy Manager for this?


Thanks,

Edson Moura
Tyler Marcotte, Official Rep
Hi Edson,

Use the port wizard in Policy Manager to set it. I'm not sure what the defaults are, but the interval is set in seconds. So, for instance, if you wanted to do 10 hours like John mentioned he does, then you would set it to 36000.

Does that answer your question?

-Tyler
Edson Moura
OK, Tyler.

Thanks a lot.

Edson Moura
John Kaftan
I do reauth. I just add a 0 to the 3600 to make it 36000, or 10 hours. The main reason is so that your data in NAC is up to date. If you do not do this, and a machine or device, e.g. an AP, stays connected forever, "Last Seen" in NAC will not increment. So when you look at that you will not know if the device has really not been on our network or if it just hasn't authenticated. I will often sort by "Last Seen" so I can focus on only end systems that are relevant. Having re-auth set keeps things current.

As for 802.1x campus-wide, we are bailing on this on the wired side. We have found that there are too many things that can take us down on a higher-ed campus. We push 802.1x settings via AD and we require server validation. Between the various multiplatform supplicants, certificates, and machines having to be in the proper AD OUs and actually get all of the settings pushed, it is too complicated for our limited staff. I have been working on this for months and have opened multiple GTAC tickets and just cannot get it stable in our environment. My advice is to only implement this if you have a mostly homogeneous OS at the edge and have 2 people fully trained up on NAC and 802.1x and RADIUS.

We are doing it for wireless though.

John
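John's point above is that a periodic re-auth turns the NAC "Last Seen" column into a liveness signal: once every port re-authenticates every 36000 seconds, any end system whose "Last Seen" is older than one re-auth period (plus a little slack) is genuinely off the network rather than merely sitting on a never-expiring session. The following is an added example, not code from the thread, from Extreme's NAC Manager, or from Policy Manager; it takes a constructed list of end-system records (MAC and "Last Seen" timestamp, a format assumed for the example) and flags the ones that have missed a re-auth cycle. The grace value, record layout and sample rows are all assumptions.

```python
"""Flag NAC end-system records whose "Last Seen" is older than the configured
re-authentication period.  Added example; the record format, the grace value
and the sample rows are constructed for illustration, not taken from NAC."""
from datetime import datetime, timedelta

# Re-auth period configured on the switch ports, in seconds.
# 36000 s = 10 h, the value John uses in the thread.
REAUTH_PERIOD_SECONDS = 36000

# Slack for RADIUS round trips, clock skew between switch and NAC appliance,
# and the delay before NAC writes the refreshed record.  Assumed value.
GRACE_SECONDS = 900

# Constructed sample export: (MAC address, "Last Seen" as NAC shows it).
SAMPLE_END_SYSTEMS = [
    ("00:11:22:33:44:01", "2015-03-10 08:00:00"),  # re-authed an hour ago
    ("00:11:22:33:44:02", "2015-03-09 23:00:00"),  # 10 h ago: within one period
    ("00:11:22:33:44:03", "2015-03-09 22:00:00"),  # 11 h ago: missed a cycle
    ("00:11:22:33:44:04", "2015-03-02 12:00:00"),  # stale for over a week
]

# Fixed "now" so the example is reproducible offline (constructed).
NOW = datetime(2015, 3, 10, 9, 0, 0)


def parse_last_seen(value):
    """Parse the assumed 'YYYY-MM-DD HH:MM:SS' timestamp format."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_stale(last_seen, now, reauth_period=REAUTH_PERIOD_SECONDS,
             grace=GRACE_SECONDS):
    """True when the end system has failed to re-authenticate for more than
    one full period plus grace.  Without re-auth enabled on the ports this
    test is meaningless, because a device that never re-auths never updates
    "Last Seen" no matter how long it stays connected."""
    return now - last_seen > timedelta(seconds=reauth_period + grace)


def stale_end_systems(records, now=NOW, reauth_period=REAUTH_PERIOD_SECONDS,
                      grace=GRACE_SECONDS):
    """Return [(mac, hours_since_last_seen), ...] for stale records, oldest
    first, so the list reads like NAC sorted by "Last Seen"."""
    stale = []
    for mac, last_seen_text in records:
        last_seen = parse_last_seen(last_seen_text)
        if is_stale(last_seen, now, reauth_period, grace):
            hours = round((now - last_seen).total_seconds() / 3600, 1)
            stale.append((mac, hours))
    stale.sort(key=lambda item: item[1], reverse=True)
    return stale


if __name__ == "__main__":
    for mac, hours in stale_end_systems(SAMPLE_END_SYSTEMS):
        print(f"{mac}  last seen {hours:.1f} h ago  (exceeds "
              f"{REAUTH_PERIOD_SECONDS + GRACE_SECONDS} s re-auth window)")
```

The threshold is deliberately one period plus grace rather than exactly one period: a healthy end system can legitimately show a "Last Seen" slightly older than 36000 seconds while its re-auth is in flight, and flagging those produces noise rather than signal.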
Edson Moura
Hi John,

I'll try to adjust this time and I'll see what happens.

Thanks for sharing your expertise.

Regards,


Edson