06-04-2012 10:52 PM - edited 07-03-2021 10:14 PM
I would like the WLAN users to get authenticated one time using username and password; I'm wondering which method can be used.
06-05-2012 02:14 AM
What security type do you have for your WLAN?
Sent from Cisco Technical Support iPad App
06-05-2012 05:21 AM
I have the option to use any security method that allows me to use a username and password.
Sent from my iPhone
06-05-2012 05:41 AM
If you are using 802.1x authentication, you can control the user quotas from the RADIUS server.
You can create a user and allow it only 1 absolute session. You can also decide if they have one session per week or per day, etc. You can also control the session time (2 hours per session, for example).
This depends on whether your RADIUS server provides those features.
Also, you can create a user that is only valid for a time limit (valid for 8 hours only, for example), so when it connects the session starts counting and the user is no longer valid to authenticate 8 hours after his/her first successful authentication. (You can use this option with or without the session limit above.) This (time limit) is also valid if you want to use a web-auth WLAN.
Again, you need to check if those options are available in your RADIUS server.
HTH
Amjad
06-05-2012 05:51 AM
Hi Amjad,
Many thanks!
Do you have a guide for that?
I already configured RADIUS authentication and it is working fine.
Regards,
Amro
Sent from my iPhone
06-05-2012 06:05 AM
Btw, I forgot to tell you that I'm using Cisco ACS as the RADIUS server.
Sent from my iPhone
06-05-2012 06:16 AM
Hi Ahmed,
There is a time-out method under WLAN "name" on the controller, which you can increase or decrease to keep the session alive without timing out.
thanks
Rizwan Rafeek
06-05-2012 06:23 AM
Hi Rizwan,
I tried that option but it didn't work.
Sent from my iPhone
06-05-2012 12:01 PM
Hello Amro,
I had this issue before on my WLAN controller; what I suggested to you was the solution to my problem.
If you have tried that already and it didn't help you, I would recommend you look into the RADIUS server itself; there might be a parameter that you could set to 24 hrs at least.
thanks
06-06-2012 12:52 AM
Salam Rizwan:
Controlling the session time-out cannot help in making a client authentication ONE TIME ONLY.
It can affect the session, and the user may get disconnected after the session times out. However, the user is still able to connect again and authenticate (if he knows the credentials).
Amro: What ACS version are you running?
On ACS 4.x the option is available under the user options.
Thanks.
Amjad
06-06-2012 01:20 AM
Hi Amjad,
I'm using ACS 4.2. I found the options, but I'm not sure if it can work with web auth instead of 802.1x.
Regards,
Amro
06-06-2012 02:53 AM
Hi Amro,
It does not work with web-auth if you are using RADIUS as a user DB to authenticate clients.
If you noticed, I started my first reply above with "If you are using 802.1x authentication, you can control the user quotas... etc."
With 802.1x auth there are attributes that tell the WLC about many things, including the Layer 2 reauth timeout for clients (represented in the PMK lifetime, because when the PMK expires the reauth is needed automatically).
If you are using web-auth then those attributes are not sent to the WLC, and hence the WLC uses its own timeout methods to control the timeout of the client (session-timeout, user idle-timeout, etc.).
If you use web-auth, what you can do is create a user and set the lifetime of the user on the RADIUS server. You cannot, however, specify the number of sessions the user can have. The user may disconnect and connect many times as long as his username is valid on the RADIUS server.
If the user lifetime expires on RADIUS, the user is not immediately disconnected. It needs to wait until the next session-timeout (or idle-timeout) timer on the WLC expires (or the user manually disconnects). After that, if the client tries to re-connect it will not be able to, because the RADIUS user is no longer valid.
If you want the web-auth user to be directly deleted after its configured timeout expires, you need to configure the users in the local WLC DB, not on RADIUS.
HTH
Amjad
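The timing gap Amjad describes above (a RADIUS user lifetime is only checked at authentication time, so a web-auth client outlives its RADIUS validity until the WLC's own session-timeout fires, whereas the quota and lifetime options from his first reply act only at authentication), modelled as an added example that is not part of the thread or of any Cisco product; the user lifetime, session-timeout value and times are constructed.

```python
"""Model of web-auth session expiry: RADIUS user lifetime vs. WLC session-timeout.
Constructed example; all values are illustrative, not taken from a real deployment."""
from dataclasses import dataclass


@dataclass
class RadiusUser:
    name: str
    valid_until: int  # constructed: seconds since epoch when the RADIUS user lifetime ends


@dataclass
class WlcWlan:
    session_timeout: int  # constructed: WLC-side web-auth session-timeout in seconds


def radius_accepts(user: RadiusUser, now: int) -> bool:
    """RADIUS evaluates the user lifetime only when an Access-Request arrives."""
    return now < user.valid_until


def connected_at(user: RadiusUser, wlan: WlcWlan, auth_time: int, now: int) -> bool:
    """Web-auth with RADIUS as the user DB: the client is on the network at `now`
    if the most recent (re)authentication, which happens only at session-timeout
    boundaries, was accepted. Assumes the client re-authenticates at every boundary."""
    if now < auth_time or not radius_accepts(user, auth_time):
        return False
    windows_elapsed = (now - auth_time) // wlan.session_timeout
    last_reauth = auth_time + windows_elapsed * wlan.session_timeout
    return radius_accepts(user, last_reauth)


def overstay_seconds(user: RadiusUser, wlan: WlcWlan, auth_time: int) -> int:
    """How long past its RADIUS lifetime a web-auth client can stay connected:
    the remainder of the session window in which the lifetime expires."""
    if not radius_accepts(user, auth_time):
        return 0
    elapsed = user.valid_until - auth_time
    windows_needed = -(-elapsed // wlan.session_timeout)  # ceiling division
    return auth_time + windows_needed * wlan.session_timeout - user.valid_until


def connected_at_local(user: RadiusUser, auth_time: int, now: int) -> bool:
    """Same user defined in the local WLC DB: the WLC owns the lifetime and
    removes the user as soon as it expires, so there is no overstay."""
    return auth_time <= now < user.valid_until
```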
06-06-2012 03:12 AM
Amjad, it's working fine now, many thanks for your support. I'm now struggling with another issue: our customer would like to use AD instead of ACS. I tried to configure a generic LDAP DB on ACS, but unfortunately it supports TACACS+ only (RADIUS is not supported). Any idea about this? BTW, our customer has Cisco NAC CAM, CAS and Profiler. I know that NAC can do the work, but we are trying to keep it as the last option. Regards, Amro
06-06-2012 03:30 AM
Amro:
I am glad that it is now working.
Don't forget please to mark correct answers. ;-)
About your issue, you can simply use an external DB with ACS and add the AD as the external DB.
Also, what do you mean by only TACACS+ with generic LDAP on ACS? RADIUS is also supported, of course, not only TACACS+.
Please open a new thread for the new issue and we'll be glad to assist.
Amjad