11-13-2016 10:55 PM - edited 07-05-2021 06:06 AM
Hi
We are facing an issue while connecting to the guest SSID.
We have a setup of Cisco 2500 WLCs which are associated with ISE.
In one of the locations (Powai_WLC) where a WLC is placed, guest clients are facing an issue while connecting to the SSID.
On the first attempt it connects but shows no internet. After disconnecting and reconnecting to the same SSID, clients are able to access the internet.
At the other location, where the same WLCs are placed, there is no issue with the guest SSID.
Kindly help.
We have attached logs from the WLC and screenshots. The problematic WLC is POWAI_WLC.
02-22-2018 08:33 AM
This document provides the steps required in order for the Web-auth Service Set Identifier (SSID) to allow a VPN user access without full authentication and without a disconnection every few minutes. In order to achieve this, a user must increase the Web-authentication (Web-auth) timeout on the Wireless LAN Controller (WLC).
In many customer network setups, there are settings that allow a group of company users or guests VPN access to certain IP addresses without the requirement to pass Web-auth security. These users receive an IP address and connect directly to the VPN without the need for any credentials in order to get authenticated via Web-auth security. This SSID might be in use by another set of users who also go through normal and full Web-auth in order to gain Internet access. This scenario is possible via a pre-authentication ACL configured on the SSID that allows user connections to VPN IP addresses before they pass authentication. The problem for these VPN users is that they pick the IP address but never finish the complete Web-auth. Therefore, the Web-auth timeout timer is activated and the client is deauthenticated:
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8) Web-Auth Policy timeout
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
The value of this timeout is 5 minutes and has a fixed value in WLC versions earlier than 7.6. This short timeout duration causes the wireless network to be nearly unusable for these kinds of users. The capability to change this value is added in WLC Version 8.0 which allows users to access the VPN via pre-auth ACL-allowed traffic.
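To check whether clients on a WLC are being dropped by this timer, the debug output can be grouped by client MAC. The following is an added example, not part of the original posts or Cisco's own tooling; it assumes the line layout of the two debug entries quoted above, accepts the message on the same line or wrapped onto the next one, and uses a constructed second client.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the debug entries quoted in the post.
# The second client (MAC, IP, timestamp) is made up for this example.
SAMPLE = """\
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8)
Web-Auth Policy timeout
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8)
Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 03 12:07:10.201: 00:11:22:33:44:55 172.30.0.77 WEBAUTH_REQD (8) Web-Auth Policy timeout
"""

# "*task: Mon DD HH:MM:SS.mmm: <mac> <ip> <STATE> (<n>) [message]"
HEADER = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<state>[A-Z_]+) \(\d+\)\s*(?P<msg>.*)$",
    re.IGNORECASE,
)

def parse_events(text):
    """Yield one dict per debug entry, rejoining a message wrapped onto the next line."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = m.groupdict()
        elif current and line:
            # Not a new entry: treat it as the continuation of the previous one.
            current["msg"] = (current["msg"] + " " + line).strip()
    if current:
        yield current

def webauth_timeouts(text):
    """Map client MAC -> timestamps at which the Web-Auth policy timer expired."""
    hits = defaultdict(list)
    for ev in parse_events(text):
        if ev["state"] == "WEBAUTH_REQD" and "Web-Auth Policy timeout" in ev["msg"]:
            hits[ev["mac"].lower()].append(ev["ts"])
    return dict(hits)

if __name__ == "__main__":
    for mac, stamps in webauth_timeouts(SAMPLE).items():
        print(mac, len(stamps), stamps)
```

A client that appears here repeatedly at roughly the timeout interval is sitting in WEBAUTH_REQD without completing Web-auth, which is the pattern the post describes.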