
Question about authentication dot1x and mac on SecureStack - Re-Authentication

Edson_Moura
New Contributor
What are the best practices for configuring 802.1X authentication, MAC authentication, etc. on clients running Windows 7?

My main question is: Are you applying re-authentication on the SecureStack ports, and why? If yes, what times did you use for this?

Do you recommend applying re-auth?
Did you apply re-auth using Policy Manager or NAC Manager?

Image 1 shows re-auth by NAC Manager - Default




Image 2 shows re-auth by Policy Manager - Default




Thanks in advance,

Edson Moura

6 REPLIES

Edson_Moura
New Contributor
Hi John,

I'll try to adjust this time and I'll see what happens.

Thanks for sharing your expertise.

Regards,

Edson

John_Kaftan
New Contributor III
I do reauth. I just add a 0 to the 3600 to make it 36000 or 10 hours. The main reason is so that your data in NAC is up to date. If you do not do this, and a machine or device, e.g. an AP, stays connected forever, "Last Seen" in NAC will not increment. So when you look at that you will not know if the device has really not been on our network or if it just hasn't authenticated. I will often sort by "Last Seen" so I can focus on only end systems that are relevant. Having re-auth set keeps things current.

As for 802.1x campus wide, we are bailing on this on the wired side. We have found that there are too many things that can take us down on a higher-ed campus. We push 802.1x settings via AD and we require server validation. Between the various multiplatform supplicants, certificates, and machines having to be in the proper AD OUs and actually get all of the settings pushed, it is too complicated for our limited staff. I have been working on this for months and have opened multiple GTAC tickets and just cannot get it stable in our environment. My advice is to only implement this if you have a mostly homogeneous OS at the edge and have 2 people fully trained up on NAC and 802.1x and RADIUS.

We are doing it for wireless though.

John

Edson_Moura
New Contributor
OK, Tyler.

Thanks a lot.

Edson Moura

TylerMarcotte
Extreme Employee
Hi Edson,

Use the port wizard in Policy Manager to set it. I'm not sure what the defaults are, but it's in the seconds interval. So for instance if you wanted to do 10 hours like John mentioned he does, then you would set it to 36000.

Does that answer your question?

-Tyler