
DHCP and web authentication

heboo4222
Level 1

Hi

I have a WLC 5508, Software Version 7.0.235.0; it's integrated with LDAP for web authentication.

The DHCP is configured on the controller.

Problem: Users who have not been authenticated still consume IPs from the pool. I need to release this IP after a certain time. Is it possible?

regards


George Stefanick
VIP Alumni

I always recommend avoiding the DHCP server on the WLC.

But, to answer your question: you would need to make small lease times OR increase your scope size.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."


I noticed it's your first post on CSC ... Welcome


Welcome George

Thanks for your reply.

Isn't there a similar command for unauthenticated users?

config wlan webauth-exclude 1 enable

I have to be honest, I have never seen this command before. But here is what I found ...

config wlan webauth-exclude wlan_id {enable | disable}

The default value is disabled. This command is applicable when you configure the internal DHCP scope on the controller. By default, when the web authentication timer expires for a guest user, the user can immediately reassociate to the same IP address before another guest user can acquire it. If there are many guest users or limited IP addresses in the DHCP pool, some guest users might not be able to acquire an IP address.

When you enable this feature on the guest WLAN, the guest user's IP address is released when the web authentication policy timer expires and the guest user is excluded from acquiring an IP address for 3 minutes. The IP address is available for another guest user to use. After 3 minutes, the excluded guest user can reassociate and acquire an IP address, if available.

Based on this, it states when the policy expires. But you're asking about unauthenticated users. Hummmmm

Not sure ... my hunch is no ...


Well, I guess it comes down to when the policy expires. Does it start when you connect and get an IP or when you accept the guest page?

Have you tried this yourself yet?


As per the Cisco documentation, it starts when you accept the guest page.

I will try it.

Stop back and let us know what you find ...


After I configured this command

config wlan webauth-exclude 1 enable

I have two cases

1- (( The client has been associated and not authenticated ))

After 5 minutes the client is disassociated and his status (Monitor / Clients) is Excluded.

The IP becomes free and the client cannot associate again; after 3 minutes he can associate and take a new IP.

2- (( The client has been associated and authenticated ))

Nothing happened.

What does it mean by ((web authentication policy timer expires))?

I changed the session timers to infinite or a specific time, but got the same behavior.

Scott Fella
Hall of Fame

The only way around this issue is to increase your subnet size and/or try to lower your lease time like George mentioned. Since WebAuth is layer 3 authentication, it requires clients to have an IP address. You're not the only one who has this issue, but it has been addressed in the two options mentioned. There is nothing on the WLC that you can do to release or prevent devices that will not be using the wireless from associating and getting an IP. Many devices now auto join and that is the biggest issue. Hope this helps.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Yeah, you will need to either not broadcast the SSID, thus hiding the network, OR open up the scope OR limit the lease times. Or a combination of all the above.

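An added example, not part of any post in this thread: a small deterministic model of the trade-off the replies describe (shorter lease versus larger scope) for devices that associate, take an address and never authenticate. The function names, arrival rate and pool sizes are constructed assumptions; `reclaim_after_min` models the early release the original poster observed for unauthenticated clients with webauth-exclude enabled.

```python
import math

# Constructed sample model: every number passed in is an assumption,
# not a measurement from a real controller.

def hold_minutes(lease_min, reclaim_after_min=None):
    """How long one address stays bound to a device that never authenticates."""
    if reclaim_after_min is None:
        return lease_min
    return min(lease_min, reclaim_after_min)

def simulate(pool_size, lease_min, arrivals_per_hour, hours=8, reclaim_after_min=None):
    """Return (peak_leases_in_use, clients_denied) over the simulated window.

    Each arriving device auto-joins the SSID, takes a lease and walks away
    without sending DHCPRELEASE, so the address stays bound until the lease
    expires (or until the controller reclaims it early).
    """
    hold = hold_minutes(lease_min, reclaim_after_min)
    gap = 60.0 / arrivals_per_hour        # minutes between arrivals
    expiries = []                         # expiry time of every active lease
    peak = denied = 0
    t = 0.0
    while t < hours * 60:
        expiries = [e for e in expiries if e > t]   # drop expired leases
        if len(expiries) < pool_size:
            expiries.append(t + hold)
            peak = max(peak, len(expiries))
        else:
            denied += 1                   # pool exhausted: no address to offer
        t += gap
    return peak, denied

def min_pool_size(lease_min, arrivals_per_hour, reclaim_after_min=None):
    """Steady-state addresses needed: arrival rate x holding time (Little's law)."""
    hold = hold_minutes(lease_min, reclaim_after_min)
    return math.ceil(arrivals_per_hour * hold / 60)

if __name__ == "__main__":
    rate = 60  # constructed: one auto-joining device per minute
    for label, kwargs in [
        ("1-day lease, 250 addresses", dict(pool_size=250, lease_min=1440)),
        ("30-min lease, 250 addresses", dict(pool_size=250, lease_min=30)),
        ("1-day lease, 500 addresses", dict(pool_size=500, lease_min=1440)),
        ("1-day lease, 5-min reclaim", dict(pool_size=250, lease_min=1440,
                                            reclaim_after_min=5)),
    ]:
        print(label, simulate(arrivals_per_hour=rate, **kwargs))
```
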