
C9800 session timeout timer

Charlie Grey
Level 1

Hi,

Can someone enlighten me on the quote below about the C9800 session timeout?

So what does it mean when you set a session timeout value of 0 on the C9800 WLC?

Does it mean the default value of 86400 seconds (24 hours) will be applied and the Wi-Fi client will disconnect after 24 hours?

"In AireOS, a session timeout that is set to 0 (zero) means the maximum possible timeout. In the C9800, it actually means “no session timeout,” so if you use the same setting as in AireOS, every roam will require a full reauthentication."


balaji.bandi
Hall of Fame
Does it mean the default value of 86400 seconds (24 hours) will be applied and the Wi-Fi client will disconnect after 24 hours?

Yes, correct.

There are some changes after 17.4.X:

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html

Also need to understand roaming:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116493-technote-technology-00.html#anc21

BB

***** Rate All Helpful Responses *****


Charlie Grey
Level 1

Any way to disable session timeout on C9800 just like AireOS WLC?

There is no way to disable it on 9800.

By increasing it to 24hrs you let the client re-authenticate every 24hrs. (In general your clients should not remain connected that long anyway.)

Do you have any specific requirements for having a client connected for a longer duration without reauthentication?

HTH

Rasika

*** Pls rate all useful responses ***

Not clients but Admin access, I'm sure there's a hack.

Is there a way to work around this max limit of 24hrs?

We have a scenario that requires the client to be connected perpetually. This is not the usual IT environment but rather in the process industry. The wireless tablet client needs to be connected without dropping.

There is no way to disable this. I really don't think having this would cause an issue, because there are a lot of manufacturing and healthcare sites, as an example, that have implemented Cisco wireless. Re-auth is fast as long as there are no issues, just like if the device roamed to a different access point.

If you can test, set the idle timer lower than the session timer, but set the session timer low so you can see what actually happens.

-Scott
*** Please rate helpful posts ***

Thanks for pointing it out.

The problem is with the re-authentication after the client got disconnected. By right it should re-authenticate successfully but it does not. From the logs, there is a timeout, I am not sure why. Wonder if it could be some bug.

%DOT1X-5-FAIL: Chassis 1 R0/0: wncd: Authentication failed for client (mac) with reason (Timeout) on Interface capwap_9000006c

Not that I am aware of, and best practice is to do as per the document.

@Rasika Nayanajith I take his suggestion too.

BB


JPavonM
VIP

Let me update this thread with some notes from my latest investigations into client disconnections (Windows). The problem from a WLAN engineer's perspective is that normally this part is not taken into account, as it is on the WinTel team's side and it's hard to influence their decisions. The same happens with tuning driver parameters regarding roaming aggressiveness, preferred band and some others that may be available in all operating systems.

Take into consideration that this is my recommendation based on timer values in Cisco’s Best Practices, and some others have been tuned to address some known issues with drivers (like GTK issue seen with Mediatek WiFi6 chipsets).

Please feel free to add any comment or any recommended value from other best practices, or add the same parameters for other operating systems such as macOS or Linux.

CATALYST 9800 CONFIG:

! Number of retries in the event of not receiving counterpart from device
wireless security dot1x eapol-key retries 2
!
! Period in milliseconds between consecutive retries
wireless security dot1x eapol-key timeout 1000
!
! This setting is governed from the WLAN infrastructure and shared with the client so there is no counterpart in Windows profile
wireless security dot1x group-key interval 54000
!
! Number of retries to ask for Identity to the client once RADIUS server has initiated the authentication
wireless security dot1x identity-request retries 2
!
! Period in seconds when the WLAN infrastructure expires an ongoing authentication so to retry
wireless security dot1x identity-request timeout 30
!
! Number of retries before the WLAN infrastructure expires an ongoing authentication process so the client device starts a new one upon restoring connectivity
wireless security dot1x request retries 2
!
! Period in seconds when the WLAN infrastructure expires an ongoing authentication so the client needs to restart with full authentication
wireless security dot1x request timeout 30
!
! Period in seconds when the current session is removed from the WLAN infrastructure and triggers a new full authentication in the client device. Ideally this setting should match at both ends to avoid any part from expiring the current session.
session-timeout 54000
!
! Period in seconds that a client is held into the exclusion list due to credential failure (this could be due to expired certificate, or new device not provisioned yet, lack of certificate or not registered in the AD)
exclusionlist timeout 180
!

COUNTERPART IN WINDOWS (to be modified through GPO, or manual settings in the WLAN profile):

// Advanced Settings:
Max Eapol-Start Msgs = 2 ==> This value matches WLAN infra eapol-key retries
Held Period (seconds) = 180 ==> This value matches WLAN infra exclusionlist timeout
Start Period (seconds) = 1 ==> This value matches WLAN infra eapol-key timeout
Auth Period (seconds) = 30 ==> This value matches WLAN infra request timeout
!
// Fast Roaming Settings:
Enable Pairwise Master Key (PMK) Caching = Enabled
PMK time to Live (Minutes) = 900 ==> This value matches WLAN infra session-timeout of 54000 secs
Number of Entries in PMK Cache = 128
This network uses pre-authentication = Disabled
!

The command wireless security dot1x group-key interval 54000 went through with no issues, but I do not seem to have a session-timeout 54000 command I can enter on my 9800. I am interested in getting my settings aligned to what you mentioned for session-timeout and fast roaming.

Where do you apply that config? 

Edit: I have figured out the answer to my own question. The setting is applied to the wireless profile policy. For example,

wireless profile policy [profile name]
 session-timeout 54000
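
As an added example (not part of the thread and not Cisco code), the Python below checks the alignment JPavonM lists between the 9800 timers and the Windows WLAN profile, using the pairings exactly as stated in that post and the policy-profile placement from the last reply. The profile name corp-policy, the function names and the embedded sample text are constructed for illustration.

```python
import re

# Constructed sample using the thread's 9800 values. "corp-policy" is a made-up
# profile name; placing both timers under the policy profile is this sample's layout.
WLC_CONFIG = """\
wireless security dot1x eapol-key retries 2
wireless security dot1x eapol-key timeout 1000
wireless security dot1x request timeout 30
wireless profile policy corp-policy
 session-timeout 54000
 exclusionlist timeout 180
"""

# Constructed sample: the Windows WLAN profile values listed in the thread.
WINDOWS_PROFILE = {
    "Max Eapol-Start Msgs": 2,
    "Held Period (seconds)": 180,
    "Start Period (seconds)": 1,
    "Auth Period (seconds)": 30,
    "PMK time to Live (Minutes)": 900,
}

# (WLC command, Windows setting, divisor from the WLC unit to the Windows unit)
PAIRS = [
    ("wireless security dot1x eapol-key retries", "Max Eapol-Start Msgs", 1),
    ("exclusionlist timeout", "Held Period (seconds)", 1),
    ("wireless security dot1x eapol-key timeout", "Start Period (seconds)", 1000),  # ms -> s
    ("wireless security dot1x request timeout", "Auth Period (seconds)", 1),
    ("session-timeout", "PMK time to Live (Minutes)", 60),  # s -> min
]

def parse_wlc(text):
    """Map every 'command <integer>' line to its value; '!' lines are skipped."""
    values = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([a-z][a-z0-9 -]*?)\s+(\d+)\s*", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def find_mismatches(wlc_text, win_profile):
    """Return (command, WLC value in Windows units, Windows value) per misaligned pair."""
    wlc = parse_wlc(wlc_text)
    out = []
    for cmd, setting, divisor in PAIRS:
        expected = wlc[cmd] / divisor if cmd in wlc else None
        if expected is None or win_profile.get(setting) != expected:
            out.append((cmd, expected, win_profile.get(setting)))
    return out
```

The parser keys on the command text only, so a configuration with several policy profiles needs to be split per profile before it is checked.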
