Cisco NAC Appliance is a great method of threat containment by ensuring users' identity and posture, but at what point do you want to ensure that the user whom has once been compliant is still indeed compliant? This is the reason why timers are such an important aspect of any NACA Deployment. This entry will help you to understand the different options within NAC and ensure that you configure what is needed for your deployment.
- Certified Device Timer
- Automatically Clear Certified Device List at specific intervals (X number of days)
- May clear devices based on particular CAS, User Role, Auth Provider
- May clear X amount of users at a time
- May create multiple timers to meet your needs
- Session Timer
- An Absolute Timer that is specific to the user role (X number of minutes)
- Applies to both IB & OOB
- Triggers after a preset time to kick users off the online user list
- Heartbeat Timer
- Number of minutes after which a user is logged off the network if a device is non responsive (in-band only)
- CAS sends an ARP request for the client for the set time (L2)
- CAS looks for traffic sourced from the user (L3)
- If proxy arp is enabled then the Heartbeat timer does nothing (L3)
- 5 Minute minimum
Best Practices for the use of Timers:
ALWAYS configure Certified Device Timers to enforce posture assessment after X amount of time for any Layer 2 or Layer 3 Deployment.
Use Heartbeat Timers to automatically remove inactive users when using IB.
Use User Role Session Timers for timeout of the Quarantine/Temporary User Roles and if you have a per role maximum connect time that is less than 1 day.
No matter where you are deploying NAC the discussion of how often you need to re-authenticate/posture assess a user should come up. Hopefully, you will understand the need and plan appropriately for you deployment.
For more information on how to configure these timers, please read the CAM Admin Guide or for hands on experience and instruction, please consider taking Priveon's Cisco NAC Appliance Special Operations Class.