Cisco WLC Re-authentication timeout

cherrykit
Level 1

My client would like to set up an environment in which users do not need to re-authenticate within 12 hours, even if the user's PC is switched off or restarted within this period. My client is using Web Auth + IAS RADIUS authentication. Thanks for your help!

8 Replies

Nicolas Darchis
Cisco Employee

You can set the session timeout up to 24 hours. That's the max and webauth users will have no other option than re-login every day.

If you want a guest PC to stay connected for longer periods, I doubt that the guest portal solution is the best for your use case.

I agree with Nicolas, but I don't think that will work if devices are shut down or restarted. I say this because when I test different web authentications while customizing the splash page, I usually disable or restart the wireless card in order to get the login screen again. Even with an iPhone or iPad, if you turn off the wireless and turn it on again, you will get the login page.

-Scott
*** Please rate helpful posts ***

Idle timeout is going to be the kicker here (or whatever task is removing a client entry from the wlc database)

Bottom line: as long as a client entry is not removed from the WLC, it should not have to re web-auth.

Session timeout is a hard stop, so yes you could limit the session timeout to 12 hours and that answers half the equation. The other problem is that the WLC will "remove" a client by default after 5 minutes of an AP not hearing from the client. So a client who is shut down, or in power-save (no wireless packets), will be deauthenticated after the idle timeout period.

Some people like to increase the idle timeout... but that's more of a workaround for an unusual request.

If your client is being forced to re-authenticate with web-auth and you don't think it is supposed to, I'd run a "debug client " and figure out WHY the WLC removed the client in the first place.
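The two timers discussed in this reply, set per WLAN from the AireOS CLI, as an added example that is not part of the original thread. WLAN ID `2` and the MAC address are placeholders, the per-WLAN `usertimeout` command is assumed to be available on the controller's release, and lines starting with `!` are annotations rather than commands.

```text
! The WLAN must be disabled before its timers can be changed
config wlan disable 2

! Session timeout: the hard stop, 12 hours = 43200 seconds
config wlan session-timeout 2 43200

! Idle (user) timeout for this WLAN; 300 seconds is the 5-minute default
! mentioned above. Raising it keeps a silent client's entry in the WLC longer
config wlan usertimeout 300 2

config wlan enable 2

! Confirm the values the WLAN is now using
show wlan 2

! Placeholder MAC: check the client's policy manager state
! (e.g. WEBAUTH_REQD vs RUN), then capture why its entry gets deleted
show client detail 00:11:22:33:44:55
debug client 00:11:22:33:44:55
```

A longer idle timeout also means the web-authenticated state stays bound to that MAC address for longer after the device has gone silent, which is worth weighing on a guest WLAN.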

Idle user timeout hasn't worked for me in this example. By this I mean, if I have a guest client and he accepts the splash page, when he disconnects and then reconnects to guest, he gets the splash page again.

Is it supposed to work that way?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

If you gently disconnect your client from the SSID, the client sends a deauthenticate frame. The WLC deletes the client entry no matter what timeout you configured.

When the client reconnects, it's a new client entry so you get the splash page again.

The user idle timeout is for when you brutally shut down your laptop, or move away, so no deauthenticate frame was sent and the client just goes silent. The idle timeout defines how long the WLC waits before deleting the client entry when it's not hearing a single frame AT ALL from the client.

Hope it clarifies :-)

Maybe I'm wrong here.... but I'm pretty sure the AP/WLC doesn't even listen to Deauths from a client (that would subject clients to a DoS if we did, right?). For some reason I want to say we will not listen to a deauth from "the client"...

In the "past", there was a bug with Idle Timeout where we were removing clients after maximum retransmissions to the client, but that has been corrected. So as far as I know, you should only see a client removed from the WLC because of a timeout incident or it roaming to another WLC (L2).

George, in your example:

If a client isn't in a webauth_reqd state, they shouldn't have to web authenticate.

If your client is disconnecting and reconnecting and going to a webauth_reqd state, that would imply the client state was removed from the WLC... a simple client debug would tell you what really happened.

Hi everyone, thanks for your replies. I am pretty sure what I am setting on idle timeout and session timeout.

The web authentication will indicate the re-authentication after the PC sends out a de-authenticate packet to the AP/WLC when it changes state to shutdown or standby, but this is not sure; I need to use the debugger to find out the root cause.

I tried to change it to use WPA2 with 802.1X, with the override AAA option checked and idle timeout and session timeout configured in the Windows IAS server, but still no luck. I will go and try the debugger to see the whole story of the client PC first. Anyway, thanks all!~ You gave me big support here~

pavol.jasurek
Level 1

Hello All,

I'd like to ask you about an issue with WLC firmware 7.5. We have Guest access and I turned off all the timers (I know it is not recommended). Once a client confirms the web page (no username and password is needed, web passthrough is set up), he can access the network and I can see him under Clients on the WLC. But the issue is, once the device goes to sleep and the user wakes it up, the legal notice appears again and he needs to confirm it again. On the other sites, where there are older versions of WLC (7.4 or 7.3), we don't have this issue. I found out there is a new menu "Sleeping clients" and I also read about the policy, where I can set up a separate timer for sleeping clients, but my understanding is that this is only if I'd like to use different timers for sleeping clients ... Is there any known bug, or do I need to set up something differently than on the older versions of WLC?

Thanks for advice.

Pavol Jasurek
