09-27-2023 02:35 AM
Hello
Does anybody know of a way to extend the Web Admin/GUI Session Timeout beyond 1200 sec. (20 min.) on a Cisco 9800 Wireless Controller?
The customer also has Cisco ISE and uses TACACS, but setting the timeout and idle timeout values in the TACACS profile has not helped with the issue.
Best Regards
Frederik
09-27-2023 03:05 AM
- According to: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wireless-web-authentication.html you can't:
>...Configuring the HTTP/HTTPS Server (GUI)
>...
> Step 8: Enter the number of minutes of inactivity allowed before the session times out. Valid values can range from 180 to 1200 seconds.
M.
09-27-2023 03:24 AM
Web Admin/GUI Session Timeout beyond 1200 sec. (20 min.) on a Cisco 9800 Wireless Controller?
This kicks in after the inactivity allowed before the session times out; for security reasons this is reasonable if no work is being done for 20 minutes.
Maybe if your customer is looking for more time, then: Cisco wish list.
09-27-2023 03:27 AM
- Actually what you may try is this in the vty part of the running config:
line vty 0 4
 exec-timeout 0 0
Check if that makes a difference
M.
09-27-2023 05:12 AM
Hello marce1000
Thank you, I have tried to configure this and will let the customer test; however, I doubt this will affect the GUI, since vty should only be for CLI purposes...
I will get back with the results...
09-27-2023 05:50 AM
09-27-2023 07:23 AM
Hello marce1000
Ahh ok, interesting!
I will have the customer test and get back to you
Best Regards
09-29-2023 05:02 AM
Hello marce1000
The customer has now tested and reported that he is still connected after 40 min...
However, when I test the same with my own 9800-CL at home, I am not able to hold the session even though I have configured the same...
I logged in at 13:00 and at 13:55 I tried browsing from a configuration page to the dashboard and I got a message that my session had timed out...
9800-CL#sh run | s line
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 authorization exec VTY-AuthZ
 login authentication VTY-AuthC
 length 0
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 authorization exec VTY-AuthZ
 login authentication VTY-AuthC
 transport input ssh
9800-CL#
Best Regards
Frederik
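Added example (not written by anyone in this thread and not Cisco code): a small Python check that parses `show run | s line` output like the one posted above, reports each line's exec-timeout in seconds, and flags lines where the idle timeout is disabled (`exec-timeout 0 0`) or longer than a chosen limit. The 1200-second limit, the 10-minute value used for lines that show no exec-timeout, and the function names are assumptions.

```python
import re

# Constructed sample: the `show run | s line` output from the post above.
SAMPLE = """\
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 authorization exec VTY-AuthZ
 login authentication VTY-AuthC
 length 0
 transport input ssh
line vty 5 15
 exec-timeout 60 0
 authorization exec VTY-AuthZ
 login authentication VTY-AuthC
 transport input ssh
"""

# Assumption: a line block with no exec-timeout shown uses the IOS default of 10 minutes.
DEFAULT_SECONDS = 600

def parse_line_timeouts(config):
    """Return {line header: idle timeout in seconds} for every 'line ...' block."""
    timeouts, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()  # tolerate output whose indentation was lost when pasted
        if re.match(r"line\s+(con|aux|vty)\s+\d+(\s+\d+)?$", text):
            current = text
            timeouts[current] = DEFAULT_SECONDS
            continue
        m = re.match(r"exec-timeout\s+(\d+)(?:\s+(\d+))?$", text)
        if m and current:
            # Syntax is "exec-timeout <minutes> [seconds]"; 0 0 disables the timeout.
            timeouts[current] = int(m.group(1)) * 60 + int(m.group(2) or 0)
    return timeouts

def audit(config, max_seconds=1200):
    """List (header, reason) for lines with no idle timeout or one above max_seconds."""
    findings = []
    for header, secs in parse_line_timeouts(config).items():
        if secs == 0:
            findings.append((header, "idle timeout disabled"))
        elif secs > max_seconds:
            findings.append((header, f"{secs}s exceeds {max_seconds}s"))
    return findings
```
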
09-29-2023 05:22 AM
- Leaving the output of show users 'in the middle'; for me on my test cloud controller in eve-ng it works too (not being logged out from the GUI); perhaps there is a version difference between your cloud's controller version and the IOS-XE version that the customer is using: let's say -> as long as the customer is happy! (smile)
M.
09-29-2023 05:37 AM
Hello marce1000
That is true, I am on 17.6.5, while the customer is on 17.9.4.
I have enquired as to how the customer has tested, to see if there is a difference in testing methodology.
Best Regards
Frederik
09-29-2023 05:08 AM
Hello marce1000
Also, when I am logged on to the CLI with SSH and do a "show users" I see 1 user.
After I have logged on to the Web GUI, I do not see 2 users when doing a "show users".
- I still only see one user...
Best Regards
Frederik
09-29-2023 05:37 AM
@Skjoedt FYI (on VTY): https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#WebuserinterfaceWebUI
M.
09-29-2023 05:41 AM
Hello marce1000
Nice, I have not seen that section of the best practices guide!
Thank you for linking it to me!
I will go through it, test/revise and get back to you.
Best Regards
Frederik
09-29-2023 06:42 AM - edited 09-29-2023 06:48 AM
Hello marce1000
UPDATE!
It seems to work perfectly for the SSH session though; I got a message in my PuTTY session that I had been disconnected/timed out at exactly 15:45, after my last action was to "write memory" at 14:45.
UPDATE!
Hmm... Setting the Exec timeout to 60 min on VTY line 0 to 50 and at the same time disabling the Dashboard Session timeout did not work for me on my 9800-CL at home...
I logged in at 14:45 and at 15:38 I tried to browse from the Administration -> Management -> HTTP/HTTPS/Netconf/VTY page to the dashboard and I had to log in again...
It seems that the only way is to disable Dashboard Session timeout and then leave your session idling on the dashboard in order to have it refresh every 30 sec and keep the session alive...
Best Regards
Frederik
09-29-2023 07:07 AM
I will be honest, I have never been able to match the timeouts with SSH. Seems like a good feature to at least specify for the HTTP/HTTPS connection. Usually it is either you enable session timeout or disable it for the dashboard.