Beginner

Cisco ISE and WLC Timeout Best Practices

I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.

I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.

Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

10 REPLIES
Cisco Employee

https://supportforums.cisco.com/discussion/11216441/wlc-webauth-devices-timeout-and-have-reauth

https://supportforums.cisco.com/discussion/11974106/ise-reauthentication-timer


I probably should have been more specific. We aren't using CWA. It is 802.1X with PEAP as the outer method. AD is the identity source. 

I think that I get the ISE side stuff (thanks for the links). The session timeout on the WLC is what I am most confused about.

What is the negative impact of turning off the session timeout on the WLC?

I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.

Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had fewer complaints about disconnects.

The session timeout on the PEAP settings has not caused any ill effects at its default. The session resume has taken a huge load off of AAA though. It's worth turning on.
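The "re-auth value in the ISE policy" from the post above reaches the controller as two RADIUS attributes in the Access-Accept: Session-Timeout (type 27) and Termination-Action (type 29, where RADIUS-Request means "re-authenticate, keep the client on the air" and Default means "drop the session"). The following Python is an added example, not code from the poster or from Cisco. It encodes and decodes those attributes per RFC 2865 and models the precedence the thread ends up relying on, namely that a Session-Timeout delivered by ISE is what governs the session and the WLAN-level timeout only matters when ISE sends none. The mapping of the ISE authorization profile's "Reauthentication" option onto these two attributes, and the precedence rule itself, are stated as assumptions in the comments; the sample values are constructed.

```python
import struct

# RADIUS attribute types (RFC 2865)
SESSION_TIMEOUT = 27     # max seconds before the NAS must re-authenticate or drop the session
TERMINATION_ACTION = 29  # 0 = Default (drop), 1 = RADIUS-Request (re-authenticate, keep session up)

TERM_DEFAULT = 0
TERM_RADIUS_REQUEST = 1


def encode_avp(attr_type, value):
    """Encode one integer RADIUS attribute: Type(1) Length(1) Value(4, network byte order)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("integer attribute value out of range")
    return struct.pack("!BBI", attr_type, 6, value)


def decode_avps(data):
    """Walk concatenated attributes and return {type: int} for 4-byte integer attributes.
    Attributes of other lengths are skipped; a truncated or zero-length one is an error,
    so a malformed Access-Accept is rejected rather than silently misread."""
    avps = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        if length == 6:
            avps[attr_type] = struct.unpack("!I", data[pos + 2:pos + 6])[0]
        pos += length
    return avps


def reauth_avps(seconds, maintain_connectivity=True):
    """Assumed mapping of an ISE authorization profile with 'Reauthentication' enabled:
    Session-Timeout plus Termination-Action, RADIUS-Request when 'maintain connectivity
    during reauthentication' is selected and Default otherwise."""
    action = TERM_RADIUS_REQUEST if maintain_connectivity else TERM_DEFAULT
    return encode_avp(SESSION_TIMEOUT, seconds) + encode_avp(TERMINATION_ACTION, action)


def effective_session_policy(avps, wlan_session_timeout):
    """Model (assumption, matching the thread's outcome): a Session-Timeout carried in the
    Access-Accept wins over the WLAN-level timeout; otherwise the WLAN value applies, with
    0 meaning 'no timeout'. Returns (seconds or None, source, action_at_expiry)."""
    if SESSION_TIMEOUT in avps:
        term = avps.get(TERMINATION_ACTION, TERM_DEFAULT)
        action = "reauthenticate" if term == TERM_RADIUS_REQUEST else "terminate"
        return avps[SESSION_TIMEOUT], "radius", action
    if wlan_session_timeout == 0:
        return None, "none", "none"
    return wlan_session_timeout, "wlan", "controller-defined"


if __name__ == "__main__":
    # Constructed sample: ISE asks for re-auth every 4 hours; the WLAN timeout is still 1800 s
    accept = reauth_avps(14400)
    print(accept.hex())
    print(effective_session_policy(decode_avps(accept), 1800))
    # Same WLAN with no timeout attribute from ISE, then with the WLAN timeout disabled
    print(effective_session_policy({}, 1800))
    print(effective_session_policy({}, 0))
```

On an AireOS controller the WLAN-level value in this model is the one set with `config wlan session-timeout <wlan-id> <seconds>`, with 0 disabling it, which is the change the poster describes; the Termination-Action value is what decides whether expiry is a transparent EAP re-authentication or a drop that the user notices.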

Frequent Contributor

Hi Runge,

What kind of devices are you connecting to the PEAP SSID? Do you use Chromebooks?

thanks


I work at a college so we see pretty much everything. To the best of my knowledge not a lot of Chromebooks though. We don't deploy and manage any as assets of the college.

Frequent Contributor

Let me share something else that I found after significant investigation.

When the end-user device gets a much better signal from an AP different from the one it was originally connected to, that device roams. You do not necessarily need to move for that to happen. Because of that, and based on how PEAP works, there is a reauthentication process that is not solved by fast reconnect/session resume, which causes disconnections, and it is clearly noticed when you are using sensitive applications like video or audio on the Wi-Fi. The only way to overcome this is using 802.11r/k, BUT not all manufacturers support this standard properly.

I am still analyzing fast transition in the WLC, and something new is coming from Cisco that helps Apple devices running OS 10+ without causing identified connectivity issues on the rest (Android, Windows, etc.) when you configure 802.11r/k in the WLC.

I will post later the links related to this.


For fast roaming you can also use CCKM for Cisco's proprietary "fast transition". Just like 802.11r, not all devices support CCKM or 802.11r.

The Apple FastLane through Cisco allowing the "adaptive" fast transitions is only applicable on the brand new 1800, 2800, and 3800 APs and the newest WLC 8.3 code. That's a big Cisco gotcha.

Edit: Despite what my TAC engineer said, this is not true. BU says Adaptive FT is supported on any AP that can run the 8.3 code.

Frequent Contributor

Thanks Mitch. In fact, I knew about that after talking to the Cisco BU, but I have not tested it. It looks like a good option because it allows Apple devices to FT without affecting or causing connectivity issues to the rest (Android, Windows, etc.).


Hello,

Can you explain a bit more about the resolution:

"Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy"

Thanks in advance,
Bob