Clients that are not authenticated taking IP addresses--WLC 5508

adeasogwc · ‎02-22-2012

I work on a college campus that has thousands of students a day accessing our wireless network. We have broadcast SSID that the students use to connect to the internet. The students usually have more than one WiFi enable device on them and their laptops and phones both take an IP address, but they are only using the laptop to authenticate while the phone is associted, but not authenticated. In the meantime, I have several thousand IPs being used by their phones/iPods etc.

Is there a way to revoke the DHCP lease if the client does not authenticate within a specified time frame (i.e. 10 minutes)?

blakekrone · ‎02-22-2012

What type of security are you using on the WLAN? If it is web-auth then clients will always use up a DHCP address as they are technically authenticated in terms of wireless, but are being held at the captive portal.

adeasogwc · ‎02-22-2012

The settings are the WLAN are:

1. Layer 3 security: None

2. Web Policy

3. Authentication

Justin Kurynny · ‎02-23-2012

Andrew,

From the dhcp server's pov, an ip's availability is a function of when it was last leased or renewed. There's a timer on each lease, and the ip doesn't go back into the pool until the timer runs out.

Consider reducing your dhcp lease time to 30 min. Renewals will happen every 15 min and an address will re-enter the pool after the lease expires, ie., 30 mins for clients that associate on but don't authenticate.

I might suggest an even shorter lease, but you want to be careful not to overwhelm your dhcp server with frequent renewal requests. Most dhcp servers seem to poorly handle any kind of load beyond a few transactions per second.

A drawback to short leases on a weauth'd WLAN is that users may find themselves having to reauth a lot more throughout the day.

Alternatively, you can expand your pool scope size.

Justin

Sent from Cisco Technical Support iPhone App