Cisco ISE and WLC Timeout Best Practices

nrunge1
Level 1

I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.

I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.

Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

12 Replies

Venkatesh Attuluri
Cisco Employee

https://supportforums.cisco.com/discussion/11216441/wlc-webauth-devices-timeout-and-have-reauth

https://supportforums.cisco.com/discussion/11974106/ise-reauthentication-timer

I probably should have been more specific. We aren't using CWA. It is 802.1X with PEAP as the outer method. AD is the identity source. 

I think that I get the ISE side stuff (thanks for the links). The session timeout on the WLC is what I am most confused about.

What is the negative impact of turning off the session timeout on the WLC?

I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.

Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.

The session timeout in the PEAP settings has not caused any ill effects at its default. The session resume has taken a huge load off of AAA, though. It's worth turning on.

Hi Runge,

What kind of devices are you connecting to the PEAP SSID? Do you use Chromebooks?

thanks

I work at a college so we see pretty much everything. To the best of my knowledge not a lot of chromebooks though. We don't deploy and manage any as assets of the college. 

Let me share something else that I found after significant investigation.

When the end-user device gets a much better signal from an AP other than the one it was originally connected to, that device roams. You do not necessarily need to move for that to happen. Because of that, and based on how PEAP works, there is a reauthentication process that is not solved by fast reconnect/session resume, which causes disconnections, and it is clearly noticed when you are using sensitive applications like video or audio on the wifi. The only way to overcome this is using 802.11r/k, BUT not all manufacturers support this standard properly.

I am still analyzing fast transition in the WLC, and something new is coming from Cisco that helps Apple devices running OS 10+ without causing the identified connectivity issues on the rest (Android, Windows, etc.) when you configure 802.11r/k in the WLC.

I will post later the links related to this.

For fast roaming you can also use CCKM, Cisco's proprietary "fast transition". Just like 802.11r, not all devices support CCKM or 802.11r.

The Apple FastLane through Cisco allowing the "adaptive" fast transitions is only applicable on the brand new 1800, 2800, and 3800 APs and the newest WLC 8.3 code. That's a big Cisco gotcha.

Edit: Despite what my TAC engineer said, this is not true. BU says Adaptive FT is supported on any AP that can run the 8.3 code.

Thanks Mitch. In fact, I knew about that after talking to the Cisco BU, but I have not tested it. It looks like a good option because it allows Apple devices to FT without affecting or causing connectivity issues to the rest (Android, Windows, etc.).

Hello,

Can you explain a bit more about the resolution:

"Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy"

Thanks in advance,
Bob

Hi everyone, 

Anyone able to share where in ISE re-auth value can be set as per below user's feedback?

Thanks

"Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy"

I'm also confused by what/how to set the AAA timers relevant to the WLC in ISE, but my educated guess is this:

1. Policy Elements -> Results -> <YourAuthorizationProfile> -> Common Tasks -> Reauthentication

2. Policy Elements -> Results -> <YourAuthorizationProfile> -> Advanced Attributes Settings -> Radius: Idle-Timeout

I think the Re-authentication timer should be 12 hrs (43200), but I have also seen recommendations of 24 hrs, and I understand that's now the Cisco default in the latest 9800 WLCs. I think this timer was disrupting my wifi users because it was originally 3600s and the client had to re-send its certificate, which disrupts the WLAN operation.

The Idle-Timeout should be 3600 and refers to the client not sending any data or dropping from the AP.
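The two replies above (the original poster's resolution of moving the re-auth value into the ISE policy, and the later description of the Reauthentication common task plus the Radius:Idle-Timeout advanced attribute) both come down to which RADIUS attributes ISE places in the Access-Accept. The script below is an added example, not code from the thread or from Cisco: it encodes the three attributes involved (Session-Timeout = 27, Idle-Timeout = 28, Termination-Action = 29, numbers and meanings from RFC 2865) the way they appear on the wire, decodes them back, and summarises what the NAS is being told to do when the session timer expires. The `build_reauth_attrs`, `decode_attrs` and `reauth_policy` function names and the 43200/3600 values are this example's own choices, not ISE or WLC identifiers.

```python
"""Added example: RADIUS Session-Timeout / Idle-Timeout / Termination-Action
as the WLC receives them in an Access-Accept.  Not code from the thread."""
import struct

# Attribute numbers and value meanings are from RFC 2865.
SESSION_TIMEOUT = 27      # seconds of service before the NAS must end or reauth the session
IDLE_TIMEOUT = 28         # seconds of inactivity before the NAS ends the session
TERMINATION_ACTION = 29   # 0 = Default (drop session), 1 = RADIUS-Request (reauthenticate)

NAMES = {
    SESSION_TIMEOUT: "Session-Timeout",
    IDLE_TIMEOUT: "Idle-Timeout",
    TERMINATION_ACTION: "Termination-Action",
}


def encode_attr(attr_type, value):
    """Encode one 32-bit integer attribute as RADIUS TLV: type(1) length(1) value(4)."""
    return struct.pack("!BBI", attr_type, 6, value)


def build_reauth_attrs(session_timeout, idle_timeout=None, reauthenticate=True):
    """Build the attribute bytes an Access-Accept carries for a timed reauthentication.

    reauthenticate=True sends Termination-Action=RADIUS-Request, i.e. the NAS should
    re-run 802.1X instead of dropping the client when Session-Timeout expires.
    """
    attrs = encode_attr(SESSION_TIMEOUT, session_timeout)
    attrs += encode_attr(TERMINATION_ACTION, 1 if reauthenticate else 0)
    if idle_timeout is not None:
        attrs += encode_attr(IDLE_TIMEOUT, idle_timeout)
    return attrs


def decode_attrs(data):
    """Walk a RADIUS attribute list and return {name_or_type_number: value}.

    Rejects truncated or oversized TLVs instead of reading past the buffer.
    """
    out = {}
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        value = data[i + 2:i + length]
        if attr_type in NAMES:
            if length != 6:
                raise ValueError("integer attribute %d must be 6 bytes" % attr_type)
            out[NAMES[attr_type]] = struct.unpack("!I", value)[0]
        else:
            out[attr_type] = value   # unknown attributes kept raw
        i += length
    return out


def reauth_policy(attrs):
    """Return (session_timeout, action) or None if no Session-Timeout was sent.

    Per RFC 2865 an absent Termination-Action means Default, so the session is
    simply dropped at expiry; only value 1 asks the NAS to reauthenticate.
    """
    seconds = attrs.get("Session-Timeout")
    if seconds is None:
        return None
    action = "reauthenticate" if attrs.get("Termination-Action") == 1 else "disconnect"
    return (seconds, action)


if __name__ == "__main__":
    # Constructed sample: 12 h reauth, 1 h idle, reauthenticate rather than drop.
    raw = build_reauth_attrs(43200, idle_timeout=3600)
    print(raw.hex())
    decoded = decode_attrs(raw)
    print(decoded)
    print(reauth_policy(decoded))
```

Run it and compare the decoded dictionary with what a RADIUS capture of your own Access-Accept shows: if Session-Timeout arrives without Termination-Action=1, the client is dropped at expiry and must start 802.1X from scratch rather than being reauthenticated in place.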

mohanak
Cisco Employee