topic Re: I ended up answering my own in Network Access Control

Cisco ISE and WLC Timeout Best Practices

nrunge1 — Mon, 11 Mar 2019 05:20:59 GMT

I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.

I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.

Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

https://supportforums.cisco

Venkatesh Attuluri — Fri, 16 Jan 2015 12:29:56 GMT

https://supportforums.cisco.com/discussion/11216441/wlc-webauth-devices-timeout-and-have-reauth

https://supportforums.cisco.com/discussion/11974106/ise-reauthentication-timer

Refer the link for the

mohanak — Fri, 16 Jan 2015 13:26:14 GMT

Refer the link for the configuration : http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html

I probably should have been

nrunge1 — Sat, 17 Jan 2015 15:16:18 GMT

I probably should have been more specific. We aren't using CWA. It is 802.1X with PEAP as the outer method. AD is the identity source.

I think that I get the ISE side stuff (thanks for the links). The session timeout on the WLC is what I am most confused about.

What is the negative impact of turning off the session timeout on the WLC?

I ended up answering my own

nrunge1 — Mon, 19 Jan 2015 21:25:17 GMT

I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.

Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.

The session timeout on the PEAP settings has not caused any ill affects at it's default. The session resume has taken a huge load off of AAA though. Its worth turning on.

Hi Runge,

ajc — Thu, 23 Mar 2017 19:55:19 GMT

Hi Runge,

What kind of devices are you connecting to the PEAP SSID?. Do you use Chromebooks?

thanks

I work at a college so we see

nrunge1 — Sat, 25 Mar 2017 18:26:10 GMT

I work at a college so we see pretty much everything. To the best of my knowledge not a lot of chromebooks though. We don't deploy and manage any as assets of the college.

Let me share something else

ajc — Mon, 27 Mar 2017 14:51:45 GMT

Let me share something else that I found after significant investigation.

When the enduser device gets a much better signal from an AP different to the one it was originally connected that device roams. You do not necessarily need to move so that happens. Because of that and based on how PEAP works, there is a reauthentication process that is not solved by fast reconnect/session resume which causes disconnections and it is clearly noticed when you are using sensitive applications like video or audio on the wifi. The only way to overcome this is using 802.11r/k BUT not all the manufacturers are supporting properly this standard.

I am still analyzing fast transition in the WLC and something new is coming from Cisco that helps Apple devices running OS 10+ without causing identified connectivity issues on the rest (android, win, etc) when you configure 802.11r/k in the WLC.

I will post later the links related to this.

You can also use CCKM for

Mitch D — Tue, 28 Mar 2017 22:30:25 GMT

For fast roaming you can also use CCKM for Cisco's proprietary "fast transition". Just like 802.1r not all devices support CCKM or 802.1r.

The Apple FastLane thru Cisco allowing the "adaptive" fast transitions is only applicable on the brand new 1800, 2800, and 3800 APs and the newest WLC 8.3 code. That's a big Cisco gotcha.

Edit: Despite what my TAC engineer said, this is not true. BU says Adaptive FT is supported on any AP that can run the 8.3 code.

Thanks Mitch. In fact, I know

ajc — Tue, 28 Mar 2017 22:30:26 GMT

Thanks Mitch. In fact, I know about that after talking to Cisco BU but I have not tested it but looks like is a good option because it allows Apple devices to FT without affecting or causing connectivity issues to the rest (android, win, etc).

Re: I ended up answering my own

Bob Bagheri — Sat, 09 Dec 2017 22:19:28 GMT

Hello,

Can you explain a bit more about the resolution:

"Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy"

Thanks in advance,
Bob

Re: I ended up answering my own

ziqex — Mon, 06 Feb 2023 08:42:32 GMT

Hi everyone,

Anyone able to share where in ISE re-auth value can be set as per below user's feedback?

Thanks

"Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy"

Re: I ended up answering my own

j.a.m.e.s — Wed, 17 Apr 2024 11:25:15 GMT

I'm also confused by what/how to set the AAA timers relevant to the WLC in ISE, but my educated guess is this:

1. Policy Elements -> Results -> <YourAuthorizationProfile> -> Common Tasks -> Reauthentication

2. Policy Elements -> Results -> <YourAuthorizationProfile> -> Advanced Attributes Settings -> Radius: Idle-Timeout

I think the Re-authentication timer should be 12hrs (43200) but I have also seen recommendations of 24hrs and I understand that's now the Cisco default in the latest 9800 WLCs. I think this timer was disrupting my wifi users because it was originally 3600s and the client had to re-send it's certificate which disrupts the WLAN operation.

The Idle-Timeout should be 3600 and refers to the client not sending any data or dropping from the AP.