Cisco 9800 Web Admin/GUI Session Timeout

Skjoedt
Level 1

Hello

Does anybody know of a way to extend the Web Admin/GUI Session Timeout beyond 1200 sec. (20 min.) on a Cisco 9800 Wireless Controller?

The customer also has Cisco ISE and uses TACACS, but setting the timeout and idle timeout values in the TACACS profile has not helped with the issue.

Best Regards
Frederik

16 Replies

marce1000
VIP

 

  - According to https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wireless-web-authentication.html you can't:

  > ...Configuring the HTTP/HTTPS Server (GUI)
  > ...
  > Step 8
  > Enter the number of minutes of inactivity allowed before the session times out. Valid values can range from 180 to 1200 seconds.

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

balaji.bandi
Hall of Fame
> Web Admin/GUI Session Timeout beyond 1200 sec. (20 min.) on a Cisco 9800 Wireless Controller?

This kicks in after the inactivity allowed before the session times out; for security reasons this is reasonable if no work is being done for 20 minutes.

Maybe, if your customer is looking for more time, then this is one for the Cisco wish list.

BB


marce1000
VIP

 

 - Actually, what you may try is this in the vty part of the running config:

       line vty 0 4
        exec-timeout 0 0

   Check if that makes a difference.

 M.




Hello marce1000

Thank you, I have tried to configure this and will let the customer test; however, I doubt this will affect the GUI, since vty should only be for CLI purposes...

I will get back with the results...

 - Negative, the GUI also uses 'vty slots' on the 9800.

M.



Hello marce1000

Ahh ok, interesting!

I will have the customer test and get back to you

Best Regards

Hello marce1000

The customer has now tested and reported that he is still connected after 40 min...
However, when I test the same with my own 9800-CL at home, I am not able to hold the session even though I have configured the same...

I logged in at 13:00 and at 13:55 I tried browsing from a configuration page to the dashboard and I got a message that my session had timed out...

9800-CL#sh run | s line
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 authorization exec VTY-AuthZ
 login authentication VTY-AuthC
 length 0
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 authorization exec VTY-AuthZ
 login authentication VTY-AuthC
 transport input ssh
9800-CL#

Best Regards
Frederik
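
An added example, not part of any post in this thread: a small Python audit of `show running-config | section line` output that reports each vty range's exec-timeout and flags ranges where it is disabled (`exec-timeout 0 0`) or longer than a policy cap. The 1200-second cap (borrowed from the GUI limit quoted above), the sample config and the function names are assumptions made for this example.

```python
import re

# Constructed sample: modelled on the config posted above, with one range set
# to the "exec-timeout 0 0" suggestion and one range left at the default.
SAMPLE = """\
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input ssh
line vty 16 50
 transport input ssh
"""

# IOS applies a 10-minute exec-timeout when none is shown in the running config.
IOS_DEFAULT_SECONDS = 600


def parse_line_timeouts(config):
    """Return {line header: idle timeout in seconds}; 0 means it never times out."""
    timeouts, current = {}, None
    for raw in config.splitlines():
        if re.match(r"line\s+\S+", raw):
            current = " ".join(raw.split())
            timeouts[current] = IOS_DEFAULT_SECONDS
        elif current and (m := re.match(r"\s*exec-timeout\s+(\d+)(?:\s+(\d+))?\s*$", raw)):
            # Syntax is "exec-timeout <minutes> [seconds]".
            timeouts[current] = int(m.group(1)) * 60 + int(m.group(2) or 0)
    return timeouts


def audit(config, max_idle_seconds=1200):
    """Flag vty ranges whose idle timeout is disabled or above the policy cap."""
    findings = []
    for header, secs in parse_line_timeouts(config).items():
        if not header.startswith("line vty"):
            continue
        if secs == 0:
            findings.append((header, "idle timeout disabled"))
        elif secs > max_idle_seconds:
            findings.append((header, f"idle timeout {secs}s exceeds {max_idle_seconds}s"))
    return findings


if __name__ == "__main__":
    for header, issue in audit(SAMPLE):
        print(f"{header}: {issue}")
```
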

 

  - Leaving the output of show users 'in the middle'; for me, on my test cloud controller in eve-ng, it works too (not being logged out from the GUI); perhaps there is a version difference between your cloud controller's version and the IOS-XE version that the customer is using. Let's say: as long as the customer is happy! (smile)

 M.




Hello marce1000

That is true, I am on 17.6.5, while the customer is on 17.9.4.

I have enquired as to how the customer has tested, to see if there is a difference in testing methodology.

Best Regards
Frederik

Hello marce1000

Also, when I am logged on to the CLI with SSH and do a "show users", I see 1 user.
After I have logged on to the Web GUI, I do not see 2 users when doing a "show users".
- I still only see one user...

Best Regards
Frederik

 

@Skjoedt FYI (on VTY) : https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#WebuserinterfaceWebUI

 M.




Hello marce1000

Nice, I have not seen that section of the best practices guide!
Thank you for linking it to me!

I will go through it, test/revise and get back to you.

Best Regards
Frederik

Hello marce1000

UPDATE!
It seems to work perfectly for the SSH session though; I got a message in my PuTTY session that I had been disconnected/timed out at exactly 15:45 after my last action was to "write memory" at 14:45.
UPDATE!

Hmm... Setting the exec timeout to 60 min on VTY line 0 to 50 and at the same time disabling the Dashboard Session timeout did not work for me on my 9800-CL at home...
I logged in at 14:45 and at 15:38 I tried to browse from the Administration -> Management -> HTTP/HTTPS/Netconf/VTY page to the dashboard and I had to log in again...

It seems that the only way is to disable the Dashboard Session timeout and then leave your session idling on the dashboard in order to have it refresh every 30 sec and keep the session alive...

Best Regards
Frederik

I will be honest, I have never been able to match the timeouts with SSH. Seems like a good feature to at least specify for HTTP/HTTPS connections. Usually it is either you enable session timeout or disable it for the dashboard.

-Scott