topic Re: WLC Session timeout and Dot1x timeout in Wireless

WLC Session timeout and Dot1x timeout

Guilherme Gianotto Bratfisch — Mon, 05 Jul 2021 20:23:29 GMT

Hello Everyone,

I'm experiencing a problem that from time to time I have a disconnection from the wifi and it seems that everytime that it happens its perform the whole 802.1x authentication.

From debugging a client I`ve found these two timeouts:

Jun 01 11:06:41.646 *Dot1x_NW_MsgTask_5 Client will be required to Reauthenticate in 1800
seconds
Jun 01 11:06:41.646 *Dot1x_NW_MsgTask_5 Client will be required to Reauthenticate in 14400
seconds

The first is the session timeout from WLC and the second from the re-authorization that ISE push.

Now, my questions are:
1 - I tried to extend the session timeout in the WLC from 1800s to 28800(8hrs) and it seems that the day after the users were not able to connect, I had to revert back the sessions timeout to 1800s and they were able to connect again. Is there any way to check the sessions hang in the wlc ?

2 - Is this re-authentication from 802.1x is messing with the wifi connections ? On the ISE side I enabled the option to resume PEAP connections.(

Enable PEAP Session Resume

I would like to hear your thoughts on this.

Thanks in advance.

Re: WLC Session timeout and Dot1x timeout

Scott Fella — Fri, 04 Jun 2021 01:01:33 GMT

Without seeing how things are setup, I typically set the session timer to max (86400). When the session expires, that forces the client to perform a full authentication. This is by default, so if you don’t want devices to authenticate often, you adjust this timer higher. Session timer must be greater than idle timer. If clients fail to connect or having issues, it’s hard to believe that it’s increasing the session timer. Make sure that ISE is not defined to send a session timer and also take a look at the logs and possible open a tac case.

Re: WLC Session timeout and Dot1x timeout

Guilherme Gianotto Bratfisch — Fri, 04 Jun 2021 13:45:57 GMT

Hi,

Thanks for the comment, I`m not sure but everytime I tweak the timers in the WLC some clients have a hard time to connect, like not getting ip addresses even though I can see the authentication being successful on the ISE side.

I forgot to mention, our wifi is integrated in the sd-access fabric.

Yes, I'll have a TAC case open to help me figure it out where the problem is.

Thanks!

Re: WLC Session timeout and Dot1x timeout

Guilherme Gianotto Bratfisch — Fri, 04 Jun 2021 14:47:00 GMT

I was testing the timers for re-authentication in ISE on the Authorization profile we push to the client different from the values in the image.

And it seems that the iphone clients were unable to connect after I removed it or set ip very high (28800s).

Here is a debug of the failling client.

Why the client is failling only when I change the re-authentication timers in ISE ?

Re: WLC Session timeout and Dot1x timeout

Scott Fella — Fri, 04 Jun 2021 15:13:42 GMT

No idea.... I run 802.1x at home for testing and have all sort of iPhones and iPads with no issues. I don't change the defaults on ISE, the timers I change is on the controllers. I have no idea where the screen shot is from in ISE also.

Re: WLC Session timeout and Dot1x timeout

Scott Fella — Fri, 04 Jun 2021 15:16:08 GMT

I also don't have that checked in ISE under the authorization profile. Use the one on the WLAN.

Re: WLC Session timeout and Dot1x timeout

Guilherme Gianotto Bratfisch — Fri, 04 Jun 2021 15:27:20 GMT

If I remove the option unde the authorization profile my iphone clients cant reconnect to the wlan after being disconnected.

I think it might be a mismatch somewhere...I`m trying to go over the debugs.

Thanks for the support!

Re: WLC Session timeout and Dot1x timeout

Guilherme Gianotto Bratfisch — Fri, 04 Jun 2021 17:33:08 GMT

I've created an Authorization profile from scratch and it seems to work.

-I removed the re-authentication option.

It seems that the client, ise or the wlc dont like when I change a authorization profile already in place but I still dont know why.

Thanks!

Re: WLC Session timeout and Dot1x timeout

Scott Fella — Fri, 04 Jun 2021 19:10:47 GMT

Well you should define it in one place and typically that is on the controller since session timer is mandatory. You don't want different values in different locations as that will not line up.