Beginner

WLC CWA with ISE - Client disconnection issues

Hi, I'm working on a CWA deployment using WLC and ISE. It works as expected, but I have many problems with client disconnection issues.

 

This is the flow:

- The client connects to an open SSID (hidden) and, using MAB, ISE shows a guest portal.

- When the client is authenticated, ISE sends a CoA to the WLC and the client is reauthenticated.

- ISE permits access with a reauthentication timeout of 28800 seconds.

 

The problem is that users report that they need to reauthenticate (guest portal) two or three times in these 8 hours.

 

At WLC the configuration timers are:

Advanced -> Enable Session Timeout -> 3600

Client user idle timeout(15-100000) -> 14400

 

I have been able to verify that reauth occurs when users roam from an AP or when users go out (a coffee break, for example) and then come back; clients need to authenticate again via the guest portal.

 

With the client idle timeout, is the session maintained for 4h when the client is idle?

What more can I do to adjust these timers so that the client does not need to reauthenticate in 8 hours?

 

Thanks in advance

 

CCNP R&S, CCNP Security, CCNA CyberOps
2 REPLIES
VIP Advocate

Re: WLC CWA with ISE - Client disconnection issues

The Session-Timeout value that you see in the WLC's WLAN profile is the session timeout that applies to clients who have not passed the CWA Portal authentication (and that includes things like users who have not yet clicked on the AUP).

Once the guest is officially authenticated, ISE sends a CoA to the WLC and that triggers the client disconnection. The MAB auth will be sent to ISE again, and this time ISE will know this is an authenticated guest and this is the point where you should send the Access-Accept and Session-Timeout = 28800 (8 hours).

 

regards

Arne

Beginner

Re: WLC CWA with ISE - Client disconnection issues

Thanks Arne for the clarification; as I expected, the configuration seems to be right.

 

In this case, the session-timeout in the WLC must be short to avoid clients going a long time without auth. As I said, clients report issues because the portal appears more than once in these 8 hours.

 

What can I configure, test or change so that the user only has to authenticate once during that time?

 

Thanks in advance

CCNP R&S, CCNP Security, CCNA CyberOps