topic wlc 5500 authentication timeout in Wireless

wlc 5500 authentication timeout

Sean McCoy — Mon, 05 Jul 2021 06:58:01 GMT

I have a WLC 5500 controller. I have two WLANS (OBSD-Internal and OBSD-BYOD). I have authentication setup to the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re authenticate every few minutes. This only happens on the BYOD WLAN (not Internal)

wlc 5500 authentication timeout

matthew gosling — Wed, 15 Jan 2014 04:40:48 GMT

On the WLAN > ADVANCED Tab what is the Enable session timout set to ?

wlc 5500 authentication timeout

Sandeep Choudhary — Wed, 15 Jan 2014 06:36:38 GMT

HI Sean,

You can set the session timeout up to 24 hours but I don't think that will work if devices are shut down or restarted.

Note: If clients are active after successful login, they will get de-authenticated and entry can still be removed from the controller after the session timeout period configured on that WLAN (for example,1800 seconds by default and can be changed using this CLI command: config wlan session-timeout ). When this occurs, client entry is removed from the controller. If the client associates again, it will move back in a Webauth_Reqd state.

By GUI:

WLANs > WLAN ID > Advanced > Enable Session Timeout. and set the value.

------

Just for info:

In the newer code, there is a mac filter bypass option that lets you put a MAC address in that you want to bypass the WebAuth page. These devices will not have to authenticate at all to the WebAuth.

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_wlan.html#wp1460408

Regards

Dont forget to rate helpful posts

Re: wlc 5500 authentication timeout

Scott Fella — Wed, 15 Jan 2014 09:37:20 GMT

Sean,

Can you post the show WLAN

Sent from Cisco Technical Support iPhone App

Re: wlc 5500 authentication timeout

Sean McCoy — Mon, 20 Jan 2014 15:42:03 GMT

Scott-

Here are the results of the sho WLAN cmd:

(Cisco Controller) >show wlan 3

WLAN Identifier.................................. 3
Profile Name..................................... OBSD BYOD
Network Name (SSID).............................. OBSD-BYOD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 25
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ g9c-guest
Multicast Interface.............................. Not Configured

--More-- or (q)uit
WLAN ACL......................................... Guest WiFi Internet Only
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers

--More-- or (q)uit
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Enabled
ACL............................................. Web Auth
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled

--More-- or (q)uit
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------

Re: wlc 5500 authentication timeout

Scott Fella — Mon, 20 Jan 2014 16:02:43 GMT

You must be on v7.0, 7.2 or 7.3.... make sure you set the idle timeout to 2-4 hours. This will be located on the GUI under the Controller tab.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Re: wlc 5500 authentication timeout

Sean McCoy — Mon, 20 Jan 2014 16:16:11 GMT

Scott-

What I cannot figure out is the fact that this only occurs on that specific WLAN. I have another WLAN on that controller that I have no timeout issues with.

Sean

Re: wlc 5500 authentication timeout

Scott Fella — Mon, 20 Jan 2014 16:18:57 GMT

Idle timeout is specific to WebAuth only, not open, WEP, PSK or 802.1x. Certain devices like Apple, will timeout with WebAuth when the device goes to sleep and then you have to login again.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Re: wlc 5500 authentication timeout

Sean McCoy — Mon, 20 Jan 2014 16:32:38 GMT

That WLAN is for my BYOD traffic. Is there any security concern changing from WebAuth to PSK or 802.1x?

wlc 5500 authentication timeout

Scott Fella — Mon, 20 Jan 2014 17:46:19 GMT

Well if this is for guest, then yes.... you don't want to have to support guest users by changing encryption... WebAuth is the way to go, you just need to change the idle timer to account for these devices that drop off.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

wlc 5500 authentication timeout

Sean McCoy — Mon, 20 Jan 2014 18:50:32 GMT

So v7.1.91.0 should work or do I need to go to 7.2?

Re: wlc 5500 authentication timeout

Sandeep Choudhary — Mon, 20 Jan 2014 19:00:42 GMT

You can use either.....

Just for info:

The Cisco 3600 Access Point was introduced in 7.1.91.0. If your network deployment uses Cisco 3600 Access Points with release 7.1.91.0, its highly recommend that you upgrade to 7.2.103.0 or a later release.

Regards

Re: wlc 5500 authentication timeout

Scott Fella — Mon, 20 Jan 2014 19:07:45 GMT

Go with v7.4.110.0 if possible. There were some issue with 3600's on v7.2 or v7.3. Either way, v7.0 is Cisco's stable code but since the 3600's are not supported on that, the next real stable code is v7.4.x.

Sent from Cisco Technical Support iPhone App

Re: wlc 5500 authentication timeout

Sean McCoy — Mon, 20 Jan 2014 19:09:39 GMT

Do you need a contract on those to be able to get the upgraded code?

Re: wlc 5500 authentication timeout

Scott Fella — Mon, 20 Jan 2014 19:12:41 GMT

Yes you do.

Sent from Cisco Technical Support iPhone App

wlc 5500 authentication timeout

Sean McCoy — Thu, 23 Jan 2014 21:50:48 GMT

Scott-

One other question...what is the difference between the user idle timeout (Controller>User Idle Timeout) and the session timeout (WLAN>WLAN Name>Advanced>Enable Session Timeout) on the controller and does one override the other?

Sean

Re: wlc 5500 authentication timeout

Scott Fella — Fri, 24 Jan 2014 01:41:37 GMT

Session timer is a forced deauth of clients after the value has expired. Idle timer is a forced deauth of the client when the client is in an idle state. When I say deauth, I mean the client is removed from the WLC and the client will deauth and the timer starts again. The session timer has to be higher than the idle timer and is usually set high or disable by setting to 0. Idle timer is default at 300 and is fine but typically for Apple devices using WebAuth, you need to set this 2+ hours. A good example is when using WebAuth for guest users. When an iPhone or iPad goes to sleep, screen goes blank, this triggers the idle timer and it start counting down. Default is 300 seconds or 5 minutes, so after 5 minutes, all if a sudden the user turns on his or her device and now has to login again. Do you really want guest users to login again? This is where increasing the idle timer comes into play. A user now can go to lunch for a couple hours and come back without having to log back in. Now if your policy states that every
8 hours a guest has to login. Then you set your session tee to 8 hours.

Session timer 8 hours
Idle timer 3 hours

So now the device will not timeout unless they are idle for past 3 hours and now will automatically be forced to login again after 8 when the session timer expires.

Hope this makes sense.

Sent from Cisco Technical Support iPhone App