06-02-2011 10:25 AM - edited 07-03-2021 08:16 PM
On our guest wireless, at times when a user shuts down their laptop
and powers back up they are not asked to re-authenticate.
The only security is a login and password then the user is tunneled
to our 440 in our DMZ then out the internet pipe.
My question is if the user shuts the laptop off then starts it back up
shouldn't they be prompted for the user login and password?
06-02-2011 11:18 AM
I assume you are talking about webauth.
You don't want your user to re-webauth every time they roam, right?
So when your client shuts down its laptop, unless it told the AP it was disassociating, then the WLC still thinks he is a connected client.
When they reboot and connect again, as far as we're concerned the client just "roamed" somewhere else...
The bottom line is that the Idle Timeout is what cleans up an entry that is no longer associated. By default this is 5 minutes (TYPO earlier), so if you reboot in less than 5 minutes, you'll get connected and stay authenticated. At which point, the total session timeout is the next authentication period.
So long story short, if you want a reboot to cause clients to fully authenticate again with webauth, you're going to either find a way to tell the client to disassociate properly... or you're going to have to drop your idle timeout to a number that will expire while a client is rebooting...
Make sense?
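The timeout behaviour described in the answer above, as an added example that is not part of the original thread and is not controller code. It is a simplified model: the per-MAC client table, the 1800-second session timeout, the MAC address and the function names are assumptions made for illustration; only the 5-minute idle timeout comes from the answer.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 300      # seconds; the 5-minute default stated in the answer
SESSION_TIMEOUT = 1800  # seconds; assumed value for this example


@dataclass
class ClientEntry:
    authenticated_at: float  # when webauth last succeeded
    last_seen: float         # last time the client was seen associated


class ClientTable:
    """Simplified model of controller client entries, keyed by MAC (assumption)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, session_timeout=SESSION_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.session_timeout = session_timeout
        self.entries = {}

    def webauth_login(self, mac, now):
        self.entries[mac] = ClientEntry(authenticated_at=now, last_seen=now)

    def disassociate(self, mac):
        # Client told the AP it was leaving, so the entry is dropped at once.
        self.entries.pop(mac, None)

    def connect(self, mac, now):
        """Return True if the client has to pass webauth again."""
        entry = self.entries.get(mac)
        if entry is not None:
            idle_expired = now - entry.last_seen >= self.idle_timeout
            session_expired = now - entry.authenticated_at >= self.session_timeout
            if idle_expired or session_expired:
                del self.entries[mac]
                entry = None
        if entry is None:
            return True
        entry.last_seen = now  # looks like a roam: still authenticated
        return False


def reboot_requires_login(gap, idle_timeout=IDLE_TIMEOUT, clean_disassociate=False):
    """Log in at t=0, go silent, reconnect `gap` seconds later."""
    table = ClientTable(idle_timeout=idle_timeout)
    mac = "00:11:22:33:44:55"  # constructed sample address
    table.webauth_login(mac, now=0)
    if clean_disassociate:
        table.disassociate(mac)
    return table.connect(mac, now=gap)
```

In this model a 120-second reboot skips the login page with the default idle timeout, and is prompted again only when the idle timeout is shorter than the reboot or the client disassociated cleanly.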
06-02-2011 11:27 AM
Thank You. That makes perfect sense.