01-30-2012 08:03 AM - edited 03-04-2019 03:04 PM
Hi folks,
I have a WLC 3750 with 41 APs. We use Web Authentication with the combination of a layer 2 security feature (WPA/WPA2 with PSK). With this combination some clients have the problem that they get deauthenticated and have to authenticate again while being in an active session.
For testing I disabled the layer 2 security feature i.e. I set it to "none" but I left the Web Authentication enabled. With these settings none of the clients has any more problems with getting deauthenticated. They stay online for the entire session.
I do want to use the layer 2 security feature in combination with the web authentication to gain high security.
So any suggestions what I can do to use this combination without getting clients deauthenticated?
Thanks in advance! Let me also refer to my first thread https://supportforums.cisco.com/message/3546895#3546895
Best regards
02-04-2012 10:53 PM
Hey,
Were you able to find a fix for this? I did go through your previous thread and I believe you are using authentication for some people on the WLC and you face a reauth issue. Hope I got it right. Is there a specific time-frame in which a reauthentication happens?
I believe this is not happening because of mobility of the wireless users. Authentication won't time out when you move from one AP to another because your OS will maintain the session with the WLC (as far as I understand - not confirmed though).
I think the users reporting the reauth issue could be running Windows 7. If that's the case, a driver upgrade to the latest firmware release is probably required for the specific wireless card.
Thanks
Vivek
02-05-2012 01:20 AM
Hi,
thanks for your answer! Yes, you got it right ... I use web authentication for some people and I'm facing a reauth issue.
There's no specific time-frame the reauthentication happens. Might be after one minute, might also be after 5 hours.
The users reporting reauthentication use different OS ... From Windows XP over Windows 7 to MacOS. I also upgraded the drivers of the wireless cards but there was no improvement.
Maybe a firmware update of the WLC might help? Currently we use version 4.2.209.0
Or is there any other solution to authenticate users? We don't necessarily need a login page. Users would be happy if we provided them with a different solution to authenticate so that they don't have to log in every time they restart their computer. We don't have a RADIUS server but as far as I understood the WLC supports local EAP-TLS authentication?! However, I've seen that it is pretty complicated to implement this solution both on the WLC and the client?!
Thanks!
Best regards
02-06-2012 01:07 AM
I tried to find some bugs via the bug toolkit but couldn't see a match to the issue you mentioned above. But you can still try to upgrade the WLC firmware.
Yes, you are right. Local EAP-TLS is complex. A lot of things have to be done for this:
1) Generate a CSR
2) Send the CSR for signing from a CA admin
3) CA admin will send that file to you in a format called DER / CER.
4) You need to convert that file format into .PEM (WLC only expects the file to be in PEM format)
Also, you need to export the certs to the clients.
I know the pain because I set this up. You should really have knowledge of AD, LDAP etc. for all this.
Thanks
Vivek
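The four certificate steps listed in the reply above, worked through with the `openssl` command line as an added example that is not part of the original thread. It assumes `openssl` is installed; the throwaway self-signed CA stands in for the real CA admin, and the file names and subject names are constructed for illustration.

```shell
#!/bin/sh
# Added example: CSR -> CA signing -> DER/CER returned -> PEM conversion.
# All file names and CNs below are constructed placeholders.

build_pem_cert() (
    cd "$1" || exit 1

    # 1) Generate a private key and a CSR for the device.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout device.key -out device.csr \
        -subj "/CN=wlc.example.test" 2>/dev/null || exit 1

    # 2) Stand-in for the CA admin: a throwaway test CA (assumption;
    #    in practice the CSR is sent to the organisation's CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout ca.key -out ca.pem \
        -subj "/CN=Example Test CA" 2>/dev/null || exit 1

    # 3) The CA signs the CSR and returns the certificate in DER (.cer).
    openssl x509 -req -in device.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 1 -outform DER -out device.cer \
        2>/dev/null || exit 1

    # 4) Convert the DER file to PEM.
    openssl x509 -inform DER -in device.cer -outform PEM \
        -out device.pem || exit 1

    # Checks worth doing before uploading anything:
    # the certificate chains to the CA ...
    openssl verify -CAfile ca.pem device.pem >/dev/null || exit 1
    # ... and its public key matches the private key generated in step 1.
    cert_pub=$(openssl x509 -in device.pem -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in device.key -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ]
)

# Stand-alone run in a scratch directory.
demo_dir=$(mktemp -d)
if build_pem_cert "$demo_dir"; then
    echo "PEM certificate written to $demo_dir/device.pem"
else
    echo "certificate build failed" >&2
fi
```

The public-key comparison at the end catches the common mistake of pairing a signed certificate with a key from a different CSR run.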
02-06-2012 06:39 AM
Hey,
thanks for your help, I appreciate it! Sounds like a lot of work to implement EAP-TLS. I guess I'll have to find another solution.
I'll tell my contractor to upgrade the firmware of the WLC, maybe this will help.
Best regards
03-29-2012 03:00 AM
Hi
after several weeks my contractor upgraded the firmware of the WLC to the latest version (7.0.230.0). Unfortunately it didn't help. I still have the same problem :/
Does anyone have any other idea to fix this problem?
Thanks!
Best regards