09-30-2024 02:12 AM - edited 09-30-2024 02:13 AM
Hello all,
I have an issue where wireless users that are connecting to the guest wireless network by entering their credentials through the guest portal are losing connectivity at random intervals (usually within 1 minute of connecting).
From the user side it looks fine the 1st time they enter their credentials in the portal but at a random time the machine loses connectivity and to restore it usually user needs to re-enter their credentials but the problem persists and they have to re-enter their credentials again. This behaviour continues in a loop and effectively the user cannot work on the network.
On the event log on the WLC I see the following events on the client event log (in attachment).
Info on the devices:
WLC 3504, version 8.10.190.0
APs - mostly 2702 APs with several 1832 and 1702 APs
For RADIUS we use Cisco ISE, version 3.2.0.542, patch 5
10-01-2024 11:31 PM - edited 10-01-2024 11:53 PM
I managed to upgrade the WLC to the latest recommended version but the situation remains unchanged. The guest clients keep de-authenticating within 10-20 seconds of authorizing on the network.
The users remain connected to the network but need to re-enter their credentials.
10-03-2024 08:50 AM
debug client <mac address>
Share this for any client loss connection
MHM
10-04-2024 06:31 AM
1. Have you checked your WLC config using the Config Analyzer (link below)?
2. Do you have CoA enabled and working on the WLC so that ISE can send CoA to the WLC? Are your firewalls and ACLs allowing the CoA to reach the WLC?
10-04-2024 07:10 AM - edited 10-04-2024 07:11 AM
I have done the debug for one client and I think that I'm either hitting the bug CSCwa20143 or there is some weird interaction between ISE and WLC for client timeout.
After removing session timeout on the WLC (was set to 28800s) the client connection is stable.
Although I would like to keep the session timeout as a security measure as this is a guest network.
The logs from the WLC are attached.
10-04-2024 08:01 AM
Interesting - don't think I'd seen that bug before.
And thinking about it we might have seen something similar to this before too, a while back, and couldn't explain it.
Next week I'll have a closer look at the one where we had the issue reported.
10-09-2024 05:50 AM - edited 10-09-2024 05:52 AM
Just an update as I have been fiddling with this on both ISE and WLC.
It seems that the main problem is the mismatch between ISE and WLC regarding Reauthentication timers. Before I had this set only on the WLC to 28800s but after looking at the debug you could see that the ISE was sending value of 65k.
After setting the Reauthentication timer on the ISE authorization profiles to the WLC value the problem was gone and the whole thing behaved as expected.
It really looks like the timers on the new versions of ISE and WLC must now match (or be off on the WLC) for this to work properly.
If I manage I will test with different values on ISE and WLC to see if there are any combos that will work if the values are different.