Timeout Value

CompCJtoo

Hello.  On our WLC we have the following

User Idle Timeout: 600 seconds

ARP Timeout: 300 seconds

 

WLAN in Use

Enable Session Timeout: 900 seconds

 

When I successfully authenticated to the wlan I noted 09:33:13 which correlates to the same in the wlc logs.  When I plugged my laptop back into the LAN I noted 09:52:30.  However, in the wlc logs the first indication of any de-authentication shows at 09:55:30.  See below log message.

 

2018-07-02 09:55:30 Local6.Warning WLC_Controller: *Dot1x_NW_MsgTask_7: Jul 02 10:55:30.172: %DOT1X-4-MAX_EAP_RETRIES: [PA]1x_auth_pae.c:5717 Max EAP identity request retries (3) exceeded for client e4:b3:18:5f:b5:c7

 

2018-07-02 09:55:30 Local6.Error WLC_Controller: *Dot1x_NW_MsgTask_7: Jul 02 10:55:30.173: %CCAUDIT-3-CC_MSG: [PA]apf_80211.c:3527 WLC - User ID: e4:b3:18:5f:b5:c7 - Wireless user deauthenticated


2018-07-02 09:55:50 Local6.Error WLC_Controller: *apfReceiveTask: Jul 02 10:55:50.172: %CCAUDIT-3-CC_MSG: [PA]apf_80211.c:3527 WLC - User ID: e4:b3:18:5f:b5:c7 - Wireless user deauthenticated

 

So, this is approximately a 3 minute gap.  I was wondering what timeout value if any would I find configured on the controller to justify this?


Scott Fella

Let's go over the timers you have mentioned.  The ARP is just what it says and not really important to this.  You have two main timers for clients, the session and the idle timer.  The session timer is a hard forced deauth when a device is in the RUN state.  This will force the device to re-authenticate after that timer expires.  Now the idle timer is when the device goes to sleep and doesn't respond back to the AP.  iPhones and iPads for example do this.  The idle timer has to be less than the session timer.  The session timer should be long (max 86400) so that you are not forcing a device to re-auth and cause user experience.  The idle timer should be long enough to force an idle client to have to re-authenticate.  Webauth causes devices to hit the login page in which sleeping client feature is preferred to be configured for this.

If a device has successfully auth and is in the RUN state and then the user switches to wired or another SSID, the NIC will or should I say might send a disassociation to the AP and thus you would see this in the log also.

-Scott
*** Please rate helpful posts ***

My timers that I use:

 

Session: disabled (86400)

Idle Time: 300

 

With WebAuth:

Sleeping Client: 24 hours (depends on how often you want users to login)

-Scott
*** Please rate helpful posts ***

Scott,

Thanks for the explanation of the timers.  Maybe I missed something, because I was simply searching the wlc logs by my wlan nic mac address and redirecting the output to a text file.  I was more focused on why the 3 minute gap between me going back wired and then something being logged by the wlc? 

Well run a degbgoing to see a change until one of the timers expire.  Run different tests like switching to a different SSID, powering down the laptop while connected to the SSID and connecting your laptop to wired.  The latter depends on if the BIOS shuts the wireless down after the wired port is detected.  Again.... look at the state of the device.

-Scott
*** Please rate helpful posts ***
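
Added example (not part of the original thread, and not Cisco tooling): a small Python script that parses the three syslog lines quoted in the question, measures the delay between the times the poster noted and the first logged event for that MAC, and checks that delay against the timers listed in the question. The function names are made up for this example, and the year of the controller's own timestamp is assumed to match the syslog receiver's.

```python
import re
from datetime import datetime

# Log lines copied from the question (syslog receiver stamp first, WLC stamp second).
LOG = """\
2018-07-02 09:55:30 Local6.Warning WLC_Controller: *Dot1x_NW_MsgTask_7: Jul 02 10:55:30.172: %DOT1X-4-MAX_EAP_RETRIES: [PA]1x_auth_pae.c:5717 Max EAP identity request retries (3) exceeded for client e4:b3:18:5f:b5:c7
2018-07-02 09:55:30 Local6.Error WLC_Controller: *Dot1x_NW_MsgTask_7: Jul 02 10:55:30.173: %CCAUDIT-3-CC_MSG: [PA]apf_80211.c:3527 WLC - User ID: e4:b3:18:5f:b5:c7 - Wireless user deauthenticated
2018-07-02 09:55:50 Local6.Error WLC_Controller: *apfReceiveTask: Jul 02 10:55:50.172: %CCAUDIT-3-CC_MSG: [PA]apf_80211.c:3527 WLC - User ID: e4:b3:18:5f:b5:c7 - Wireless user deauthenticated
"""

# Timers quoted in the question, in seconds.
TIMERS = {"user_idle": 600, "arp": 300, "session": 900}

LINE = re.compile(
    r"^(?P<rx>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+ \*(?P<task>\w+): "
    r"(?P<dev>\w{3} \d\d \d\d:\d\d:\d\d)\.\d+: %(?P<mnemonic>[\w-]+): .*?"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse(text, mac):
    """Return the events for one client MAC, with both timestamps parsed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["mac"].lower() != mac.lower():
            continue
        rx = datetime.strptime(m["rx"], "%Y-%m-%d %H:%M:%S")
        # Assumption: the WLC stamp has no year, so borrow the receiver's.
        dev = datetime.strptime(f"{rx.year} {m['dev']}", "%Y %b %d %H:%M:%S")
        events.append({"rx": rx, "dev": dev, "task": m["task"], "mnemonic": m["mnemonic"]})
    return events

def analyse(events, associated, left_wlan, timers=TIMERS, tolerance=5):
    """Compare the first logged event with the noted times and the timers."""
    first = min(events, key=lambda e: e["rx"])
    gap = int((first["rx"] - left_wlan).total_seconds())
    age = int((first["rx"] - associated).total_seconds())
    return {
        "first_event": first["mnemonic"],
        "gap_after_leaving": gap,   # seconds from going wired to first log entry
        "session_age": age,         # seconds from authentication to first log entry
        # Offset between the controller's stamp and the syslog receiver's stamp.
        "clock_offset": {int((e["dev"] - e["rx"]).total_seconds()) for e in events},
        "timers_matching_gap": [n for n, s in timers.items() if abs(s - gap) <= tolerance],
        "timers_matching_age": [n for n, s in timers.items() if abs(s - age) <= tolerance],
    }
```

Called with the times from the question (09:33:13 and 09:52:30), it reports a 180 second gap that matches none of the three listed timers, and it shows that the controller's own stamp runs 3600 seconds ahead of the receiver's stamp in every quoted line, which matters when correlating the two.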