cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1153
Views
9
Helpful
20
Replies

Clients losing connectivity to guest wireless network

igor.hamzic81
Level 1
Level 1

Hello all,

I have an issue where wireless users that are connecting to the guest wireless network by entering their credentials through the guest portal are losing connectivity at random intervals(usually within 1 minute of connecting).

From the user side it looks fine the 1st time they enter their credentials in the portal but at a random time the machine loses connectivity and to restore it usually user needs to re-enter their credentials but the problem persists and they have to re-enter their credentails again. This behaviour continues in a loop and effectively the user cannot work on the network.

On the event log on the WLC I see the following events on the client event log(in attachment).

Info on the devices:
WLC 3504, version 8.10.190.0
APs - mostly 2702 APs with several 1832 and 1702 APs
For RADIUS we use Cisco ISE, version 3.2.0.542, patch 5

20 Replies 20

igor.hamzic81
Level 1
Level 1

I managed to upgrade the WLC to the latest recommended version but the situation remains unchanged. The guest clients keep de-authenticating within 10-20 seconds of authorizing on the network.

The users remain connected to the network but need to re-enter their credentials.

debug client <mac address>

Share this for any client loss connection 

MHM

Rich R
VIP
VIP

1. Have you checked your WLC config using the Config Analyzer (link below)?

2. Do you have CoA enabled and working on the WLC so that ISE can send CoA to the WLC?  Are your firewalls and ACLs allowing the CoA to reach the WLC?

igor.hamzic81
Level 1
Level 1

I have done the debug for one client and I think that I'm either hitting the bug CSCwa20143 or there is some weird interection between ISE and WLC for client timeout.

After removing session timeout on the WLC(was set to 28800s) the client connection is stable.

Altough I would like to keep the session timeout as a security measure as this is a guest network.

The logs from the WLC are attached.

Interesting - don't think I'd seen that bug before.
And thinking about it we might have seen something similar to this before too, a while back, and couldn't explain it.
Next week I'll have a closer look at the one where we had the issue reported.

igor.hamzic81
Level 1
Level 1

Just an update as I have been fiddling with this on both ISE and WLC.

It seems that the main problem is the mismatch between ISE and WLC regarding Reauthentication timers. Before I had this set only on the WLC to 28800s but after looking at the debug you could see that the ISE was sending value of 65k.

After setting the Reauthentication timer on the ISE authorization profiles to the WLC value the problem was gone and the whole thing behaved as expected.

It really looks like that the timers on the new versions of ISE and WLC must now match(or be off on the WLC) for this to work properly.

If I manage I will test with different values on ISE and WLC to see if there are any combos that will work if the values are different.

Review Cisco Networking for a $25 gift card