Solved: ISE Sponsor authenticated users timeout

ghannoun · ‎11-20-2019

team, in ISE, device authenticated through a sponsor, needs to reauthenticate every 20 min. any idea how to change this and make it at least 8h? i already checked the WLC and the timeout value is set to maximum 65535. anything else to modify?

Arne Bier · ‎11-20-2019

The WLAN Session Timeout value that you refer to, only applies for unauthenticated sessions - in other words, the timer starts as soon as the client associates to the Open SSID and as long as the session is in WebAuth Requd state - this means the user session stays up for 65535 seconds (waiting for them to log in!).

To fix this you need to enabled AAA Override on the WLAN. Then you can return a Session-Timeout value of 28800 seconds in your ISE Authorization Profile (for a successful Portal Authentication).

Check in the WLC Client Details page - you should see that the Session timer counts down from 28800.

View solution in original post

Arne Bier · ‎11-20-2019

The WLAN Session Timeout value that you refer to, only applies for unauthenticated sessions - in other words, the timer starts as soon as the client associates to the Open SSID and as long as the session is in WebAuth Requd state - this means the user session stays up for 65535 seconds (waiting for them to log in!).

To fix this you need to enabled AAA Override on the WLAN. Then you can return a Session-Timeout value of 28800 seconds in your ISE Authorization Profile (for a successful Portal Authentication).

Check in the WLC Client Details page - you should see that the Session timer counts down from 28800.

Jason Kunst · ‎11-22-2019

I also recommend checking out the prescriptive guest guide under http://cs.co/ise-guest