11-24-2011 12:09 AM - edited 07-03-2021 09:07 PM
My client would like to set up an environment in which users do not need to re-authenticate within 12 hours, even if the user's PC is switched off or restarted within this period. My client is using Web Auth + IAS RADIUS authentication. Thanks for your help!
11-24-2011 04:16 AM
You can set the session timeout up to 24 hours. That's the max and webauth users will have no other option than re-login every day.
If you want a guest PC to stay connected for longer periods, I doubt that the guest portal solution is the best for your use case.
11-24-2011 10:24 AM
I agree with Nicholas, but I don't think that will work if devices are shut down or restarted. I say this, because when I test different web authentications when customizing the splash page, I usually disable or restart the wireless card in order to be able to get the login screen again. Even with an iPhone or iPad, if you turn off the wireless and turn it on again, you will get the login page.
11-24-2011 08:15 PM
Idle timeout is going to be the kicker here (or whatever task is removing a client entry from the WLC database).
Bottom line: as long as a client entry is not removed from the WLC, it should not have to re web-auth.
Session timeout is a hard stop, so yes you could limit the session timeout to 12 hours and that answers half the equation. The other problem is that the WLC will "remove" a client by default after 5 minutes of an AP not hearing from the client. So a client who is shut down, or in power-save (no wireless packets), will be deauthenticated after the idle timeout period.
Some people like to increase the idle timeout..... but that's more of a workaround for an unusual request.
If your client is being forced to re-authenticate with web-auth and you don't think it is supposed to, I'd run a "debug client
11-25-2011 09:27 AM
Idle user timeout hasn't worked for me in this example. By this I mean, if I have a guest client and he accepts the splash page, when he disconnects and then reconnects to guest, he gets the splash page again.
Is it supposed to work that way?
11-25-2011 09:44 AM
If you gently disconnect your client from the SSID, the client sends a deauthenticate frame. The WLC deletes the client entry no matter what timeout you configured.
When the client reconnects, it's a new client entry so you get the splash page again.
The user idle timeout is when you brutally shut down your laptop, or move away, so no deauthenticate frame was sent; the client just goes silent. The idle timeout defines how long the WLC waits before deleting the client entry when it's not hearing AT ALL a single frame from the client.
Hope it clarifies :-)
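The session timeout and user idle timeout described in the replies above, as a simplified model (an added example, not from any poster and not Cisco code). It assumes a client entry is removed only by those two timers and that a removed entry means a new web-auth prompt; the names `Timers`, `webauth_prompts` and the constructed timeline `DAY` are hypothetical.

```python
from dataclasses import dataclass

H = 3600
DEFAULT_IDLE_S = 300      # thread: removed "after 5 minutes" of silence by default
MAX_SESSION_S = 24 * H    # thread: session timeout can be set "up to 24 hours"


@dataclass
class Timers:
    session_s: int = MAX_SESSION_S
    idle_s: int = DEFAULT_IDLE_S


def webauth_prompts(frame_times, timers):
    """Return the times (s) at which the modelled client has to web-auth.

    frame_times: sorted timestamps at which an AP hears a frame from the client.
    Assumed model: the entry is created at login and removed when session_s
    has passed since creation (hard stop) or idle_s has passed in silence.
    """
    prompts = []
    created = last_heard = None
    for t in frame_times:
        if created is None:
            removed = True                      # no entry yet: first login
        else:
            idle_hit = t - last_heard >= timers.idle_s
            session_hit = t - created >= timers.session_s
            removed = idle_hit or session_hit
        if removed:
            prompts.append(t)
            created = t                         # new entry, timers restart
        last_heard = t
    return prompts


def active(start_s, end_s, every_s=60):
    """Constructed traffic: one frame every every_s seconds while the PC is on."""
    return list(range(start_s, end_s + 1, every_s))


# Constructed timeline: PC on for 4 h, powered off 30 min, on again until 13 h.
DAY = active(0, 4 * H) + active(4 * H + 1800, 13 * H)

if __name__ == "__main__":
    for timers in (Timers(), Timers(12 * H, 12 * H), Timers(idle_s=H)):
        print(timers, "->", webauth_prompts(DAY, timers))
```

With the default idle timeout the 30-minute power-off alone causes a second prompt; setting both timers to 12 hours moves the second prompt to the 12-hour mark.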
11-25-2011 12:22 PM
Maybe I'm wrong here.... but I'm pretty sure the AP/WLC doesn't even listen to Deauths from a client (that would subject clients to a DoS if we did, right?). For some reason I want to say we will not listen to a deauth from "the client"...
In the "past", there was a bug with Idle Timeout where we were removing clients after maximum retransmissions to the Client, but that has been corrected. So as far as I know, you should only see a client removed from the WLC because of a timeout incident or it roaming to another WLC (L2).
George, in your example:
If a client isn't in a webauth_reqd state, they shouldn't have to web authenticate.
If your client is disconnecting and reconnecting and going to a webauth_reqd state, that would imply the client state was removed from the wlc..... simple client debug would tell you what really happened.
11-25-2011 08:53 PM
Hi everyone, thanks for your replies. I am pretty sure of what I am setting on idle timeout and session timeout.
The web authentication will indicate the re-authentication after the PC sends out a de-authenticate packet to the AP/WLC when it changes state to shutdown or standby, but this is not certain; I need to use the debugger to find out the root cause.
I tried to change it to use WPA2 with 802.1X, the override AAA option is checked, and idle timeout and session timeout are configured in the Windows IAS server, but still no luck. I will go and try the debugger to see the whole story of the client PC first. Anyway, thanks all! You gave me big support here.
09-26-2013 12:20 AM
Hello All,
I'd like to ask you about an issue with WLC firmware 7.5. We have Guest access and I turned off all the timers (I know it is not recommended). Once a client confirms the web page (no username and password are needed, web passthrough is set up), he can access the network and I can see him under Clients on the WLC. But the issue is, once the device is asleep and the user wakes it up, the legal notice appears again and he needs to confirm it again. On the other sites, where there are older versions of WLC (7.4 or 7.3), we don't have this issue. I found out there is a new menu "Sleeping clients", and I also read about the policy where I can set up a separate timer for sleeping clients, but my understanding is that this is only if I'd like to use different timers for sleeping clients ... Is there any known bug, or do I need to set up something differently than on the older versions of WLC?
Thanks for advice.
Pavol Jasurek