07-10-2019 12:59 AM - edited 07-05-2021 10:41 AM
Hi,
I have an issue with the interface group setup.
Scenario:
Cisco WLC 5520 running 8.5.140 code.
15 interfaces in 1 interface group.
Open authentication SSID
Authentication in Firewall. Allowed 7 days for each client.
So, my question is, how does the WLC determine that my VLAN is dirty, and is there any way to override this configuration so that my WLC will follow the firewall configuration, which is 7 days for each client? Some of my clients get the authentication page before 7 days.
Thanks in advance.
07-10-2019 01:59 AM - edited 07-10-2019 02:00 AM
Are you using webauth on the SSID?
If yes then adjust the timeout on WLC including sleeping client feature.
Regards
Don't forget to rate helpful posts
07-10-2019 02:46 AM
No, I'm not using webauth. I'm using open authentication.
07-12-2019 12:30 AM
When you say "VLAN is dirty", do you mean DHCP exhaustion? If so, then the answer is that the WLC listens for DHCP Replies and if none is received, then the WLC calculates a new hash value to select a different interface. Then the same algorithm runs again.
07-12-2019 12:37 AM
Hi,
The client shouldn't be authenticated before 7 days because the MAC address of the client is stored in the firewall.
The only reason a client gets re-authenticated before 7 days is because the client is changing its IP address.
So, when the client gets re-authenticated before 7 days, I check the WLC and it shows the output below.
(Cisco Controller) >show interface group detailed <int group>
Interface Group Name............................. <int group>
Quarantine ...................................... No
Number of Wlans using the Interface Group........ 2
Number of AP Groups using the Interface Group.... 122
Number of Interfaces Contained................... 16
mDNS Profile Name................................ Unconfigured
Failure-Detect Mode.............................. Aggressive
Interface Group Description......................
Interfaces Contained in this group ..............
pool 701
pool 702
pool 703
pool 704
pool 705
pool 706
pool 707
pool 708
pool 709
pool 710
pool 711
pool 712
pool 713
pool 714 *
pool 715
pool 716
Interface marked with * indicates DHCP dirty interface
Interface list sorted based on vlan:
Index Vlan Interface Name                   Dirty Failures      DirtyTime(s)
----- ---- -------------------------------- ----- ------------- ---------
0     701  pool 701                         No    0             0
1     702  pool 702                         No    0             0
2     703  pool 703                         No    0             0
3     704  pool 704                         No    0             0
4     705  pool 705                         No    0             0
5     706  pool 706                         No    0             0
6     707  pool 707                         No    0             0
7     708  pool 708                         No    0             0
8     709  pool 709                         No    0             0
9     710  pool 710                         No    0             0
10    711  pool 711                         No    0             0
11    712  pool 712                         No    0             0
12    713  pool 713                         No    0             0
13    714  pool 714                         Yes   7             863
14    715  pool 715                         No    0             0
15    716  pool 716                         No    0             0
Is there any way to turn this dirty interface off?
Thanks in advance.
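For monitoring which interfaces the WLC has marked DHCP dirty, the output in the post above can be parsed by script. The Python below is an added example, not part of the thread or any Cisco tooling; the sample text is constructed from the format shown in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the output format shown in the post.
SAMPLE = """\
Interface Group Name............................. <int group>
Failure-Detect Mode.............................. Aggressive
Interface list sorted based on vlan:
Index Vlan Interface Name Dirty Failures DirtyTime(s)
----- ---- -------------------------------- ----- ------------- ---------
12 713 pool 713 No 0 0
13 714 pool 714 Yes 7 863
14 715 pool 715 No 0 0
"""

# Index, VLAN, interface name (may contain spaces), Dirty flag, failures, dirty time.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(.+?)\s+(Yes|No)\s+(\d+)\s+(\d+)\s*$")
# "Key........ value" header lines padded with dots.
FIELD = re.compile(r"^(.+?)\.{2,}\s*(.*)$")

def parse_interface_group(text):
    """Return (header_fields, rows) parsed from the CLI output."""
    fields, rows = {}, []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, vlan, name, dirty, fails, secs = m.groups()
            rows.append({"index": int(idx), "vlan": int(vlan), "name": name,
                         "dirty": dirty == "Yes", "failures": int(fails),
                         "dirty_time_s": int(secs)})
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields, rows

def dirty_interfaces(text):
    """Rows the WLC currently marks DHCP dirty, longest-dirty first."""
    _, rows = parse_interface_group(text)
    return sorted((r for r in rows if r["dirty"]),
                  key=lambda r: r["dirty_time_s"], reverse=True)

if __name__ == "__main__":
    fields, _ = parse_interface_group(SAMPLE)
    print("Failure-Detect Mode:", fields.get("Failure-Detect Mode"))
    for r in dirty_interfaces(SAMPLE):
        print(f"VLAN {r['vlan']} ({r['name']}): {r['failures']} DHCP failures, "
              f"dirty for {r['dirty_time_s']}s; check DHCP scope and relay path")
```
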
07-18-2019 08:50 AM
I think you're misinterpreting concepts here. Dirty interface, as mentioned above, is a flag indicating that something is not good on the DHCP service. This can become Dirty because your DHCP scope is full, or the DHCP request sent on that interface is not reaching the DHCP server. After some failed attempts on a specific interface, the WLC marks that interface as Dirty and stops asking for DHCP on that interface for a while. You can see a counter on the Dirty interface.
Re-Authentication and DHCP renew are different things. You can have a lease time of, let's say, 5 minutes and a Session timeout of 60 minutes. Which means the IP address will be renewed many times until the re-authentication takes place.
You can configure Session timeout as 0 "zero" and then disable Session timeout.
Valid ranges to Session timeout are:
Configurable session timeout range is:
• 300-86400 for 802.1x.
• 0-65535 for all other security types.
If in your case you are using Open Authentication, you can use up to 65535 seconds, which means 18 hours.
-If I helped you somehow, please, rate it as useful.-
07-30-2019 08:02 PM