09-03-2013 10:24 PM - edited 07-04-2021 12:45 AM
Hello,
We are using web-auth with a Radius server.
We need to increase the Session timeout to 30 days so that the clients need to re-authenticate after 30 days.
The maximum on our WLC 5500 is 65535 seconds (=18 hours).
How can we extend it to 30 days?
Thank you!
Val
09-04-2013 12:14 AM
Hello,
You can assign a value only between 300 and 86400 seconds to specify the duration of the client session.
09-04-2013 07:30 AM
We are running version 7.5.102.0
Under WLANs tab, under a specific SSID, under Advanced, the actual maximum time under 'Enable Session Timeout' is 65535 seconds (which is 18 hours).
09-04-2013 04:33 AM
You can also use v7.5, which has the sleep client feature. This allows you to have a client stay logged in for up to 720 hours or 30 days. This would be located in the WLAN under the advanced tab.
09-04-2013 04:50 AM
Maybe I'm missing something. Why so long? Session timeout starts when a client connects. Once they disconnect and reconnect, the session timer starts over. Do you expect clients to stay attached for 30 days without disconnecting? The main reason for session timeout is to rekey or break users off the guest and have them reauth. But again, session starts when the client connects.
09-04-2013 07:34 AM
Thank you Scott!
We are running version 7.5.102.0
I couldn't find that sleep client feature under the Advanced tab of a particular SSID. What exactly is it called?
Like George says, we basically want to authenticate users one time so they don't have to authenticate again in 30 days (to make it easier for them).
09-04-2013 07:36 AM
Hi Val,
I'm afraid this isn't supported.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
09-04-2013 05:00 AM
Val,
Like George mentioned, session timer is for the overall session. You need to understand what each timer does, the session timer, the idle timer and sleeping client, if you are on v7.5.
09-04-2013 05:14 AM
Val, exactly what are you trying to achieve? My guess, and it's only a guess, is that you want to have a guest log in one time and not have to log in again for 30 days? If my guess is right and if this is what you are trying to do, it's not supported.
09-04-2013 07:37 AM
Thank you George!
Your guess was right, we want to make it easier for our users. These are not guest users, but registered students/staff.
Basically they authenticate via a Radius server which passes on authentication to our AD\domain users.
What options do we have?
09-04-2013 07:44 AM
I would remove the web-auth. You mentioned this in your first post. Web-auth means there is some interaction with a web screen. This is normally used for guest.
Create a simple WLAN and use EAP. That's really it. On the client side, when you configure the supplicant, check the box to automatically connect (Windows). Or on an iDevice, make sure "ask to join networks" is off.
Make sense?
09-04-2013 09:33 AM
Ok, so we can configure EAP instead with an LDAP authentication back-end.
But how would the client be forced to re-authenticate every 30 days in that case?
09-04-2013 09:37 AM
Well, EAP is specific to radius. What are you using for radius today?
As for re-auth: each time the user enters the network, the device will reauth automatically. It has to reauth each time. There is no way around that. But since your profile is built, the user won't have to intervene.
09-04-2013 09:41 AM
We use Microsoft's Network Policy Server (NPS version 6) as a Radius server.
Can we not eliminate the Radius server and use an LDAP authentication directly?
09-04-2013 09:50 AM
While you can with local EAP on the controller, there are limitations.
See this link
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#deta
Sounds like we have 2 items of interest. Radius and your 30 day auth.
Let's put the 30 day auth to rest. Each and every time you come onto the network you have to auth. There is no way around this. If you configure a wireless client supplicant, you can have this auto connect for the user.