
Web-authentication Timeout: Accessing Pre-auth ACL allowed traffic for a longer duration


 

Introduction

Dhiresh Yadav is a wireless expert working for Cisco's High Touch Technical Support (HTTS) team, which provides reactive technical support to the majority of Cisco's premium customers. In this document, Dhiresh explains the configuration steps required for a Web-auth SSID to allow a VPN user to connect without completing full web authentication and without being disconnected every few minutes.

Requirements

Knowledge of how to configure the Wireless LAN Controller (WLC) for basic operation and Web-auth.

Components used

Cisco 5500 Series WLC that runs firmware Version 8.0.100.0.

Note: The configuration and web-auth explanation provided below apply to all WLC models and to any CUWN image version 8.0.100.0 or later.

Overview

In a customer network, there is sometimes a requirement to let users connect to a VPN over a Web-auth enabled WLAN without completing web authentication. The VPN traffic is permitted by a pre-auth ACL, so VPN users can use the Web-auth SSID without authenticating. The same SSID might also be used by another set of users who go through normal, full authentication to get Internet access. The problem for the VPN users is that they obtain an IP address but never complete authentication while connected to the VPN, so instead of the session timeout, the Web-auth timeout kicks in and the client is deauthenticated:

*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8) Web-Auth Policy timeout
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.


This timer has a fixed value of 5 minutes in WLC images up to 7.6. Such a low Web-auth timeout makes the wireless network nearly unusable for these users. The ability to change the value was added in 8.0. With a longer timeout, a client that does not hit the idle timeout can keep accessing the VPN through pre-auth ACL allowed traffic for a longer period, without going through web authentication or being disconnected.

Configuration

Configure the WLC
 
Complete the following configuration in order to configure the WLC for this setup:
 

(WLC)>config wlan create <wlan_id>
(WLC)>config wlan security web-auth {enable | disable} <wlan_id>
(WLC)>config wlan security web-auth timeout ?

<value> Configures Web authentication Timeout (300-14400 seconds).
 
(WLC)>config wlan security web-auth timeout 3600 <wlan_id>

Verify

You should see the Web-auth timeout value for that WLAN, as shown below:
 

(WLC)>show wlan 10
Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 3600


Troubleshooting 

Use "debug client <mac-address>" to see the web-auth timer kick in for a user who connects to the VPN without authenticating.
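The following Python script is an added example, not part of the original document or of any Cisco tooling. It scans saved "debug client" output for the Web-Auth Policy timeout message shown in the Overview, lists the clients being deauthenticated while still in WEBAUTH_REQD, and checks the "show wlan" timeout against the 300-14400 second range. The sample text, function names and regular expressions are assumptions built from the lines shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: lines 1-2 are the debug lines shown on this page,
# lines 3-4 are constructed for illustration.
SAMPLE_DEBUG = """\
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8) Web-Auth Policy timeout
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 03 12:06:58.101: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8) Web-Auth Policy timeout
*apfReceiveTask: Sep 03 12:07:10.220: 00:11:22:33:44:55 172.30.0.119 RUN (20) constructed non-timeout message
"""

# Constructed sample in the format of the 'show wlan' excerpt on this page.
SAMPLE_SHOW_WLAN = """\
Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 3600
"""

# Layout assumed from the page: *task: timestamp: MAC IP STATE (code) message
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<ip>\d+(?:\.\d+){3}) "
    r"(?P<state>\w+) \((?P<code>\d+)\) (?P<msg>.*)$", re.I)

def webauth_timeouts(debug_text):
    """Return {mac: [timestamps]} for clients hit by the web-auth policy timer."""
    hits = defaultdict(list)
    for line in debug_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["state"] == "WEBAUTH_REQD" and "Web-Auth Policy timeout" in m["msg"]:
            hits[m["mac"].lower()].append(m["ts"])
    return dict(hits)

def configured_timeout(show_wlan_text):
    """Return the web-auth timeout in seconds from 'show wlan' output, or None."""
    m = re.search(r"^Web Authentication Timeout\.+\s*(\d+)\s*$", show_wlan_text, re.M)
    return int(m.group(1)) if m else None

def in_supported_range(seconds):
    """True if the value is inside the 300-14400 second range the CLI help reports."""
    return seconds is not None and 300 <= seconds <= 14400

if __name__ == "__main__":
    for mac, stamps in webauth_timeouts(SAMPLE_DEBUG).items():
        print(f"{mac}: {len(stamps)} web-auth policy timeout(s) at {stamps}")
    t = configured_timeout(SAMPLE_SHOW_WLAN)
    print(f"configured timeout: {t}s, within 300-14400: {in_supported_range(t)}")
```

A client that appears repeatedly in this output is using only pre-auth ACL allowed traffic and never authenticating, which is the VPN-user pattern this document describes.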

More Information

Cisco Wireless LAN Controller Configuration Guide, Release 7.0 - Configuring WLANs
