PEAP Session Timeout Implications

c.fuller
Level 1

Right now I have my PEAP Session Timeout set for 120 minutes on the ACS. It is my understanding that this is the length of time the client credentials are stored in the WDS cache. So during this time the client should never have to talk to the ACS for re-authentication (in case of power cycle, L2 roam, etc.). Is this correct?

1) Why then do I see authentications show up in the ACS log each time I reboot a client? Shouldn't it only be talking with the WDS AP for this two-hour time period?

2) If a client is logged in and authenticated, but just sitting there not being used, then the 2-hour window expires, what happens to the client? Does it stay on the network? Does it reauthenticate next time a user starts using it? Does it lose its network connectivity altogether?

3) Is there a way to disable the PEAP session timeout so sessions never time out? I am trying to figure out a way to allow clients that are just sitting there not to get bounced off the network. If I did this, would that mean the WDS cache would never expire either?


wong34539
Level 6

There are 2 session timeout periods. One is the RADIUS session timeout attribute, which is probably set to 600 seconds. This is the rekey interval at which the AP forces the client to re-authenticate to be able to get new WEP keys.

The second one is the PEAP session timeout (default is 120 min). In this period, if the user authenticates again (because the RADIUS session timeout is over or because of roaming to another AP) and fast reconnect is enabled, only the first phase of PEAP is done.

So when the RADIUS timeout is over (or on roaming to another AP) the user is required to re-authenticate. If the PEAP session timeout is not reached yet and fast reconnect is enabled on both the client and the server, only the first phase is done. Otherwise full PEAP is done.
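
The decision rule from the reply above, replayed over a timeline, as an added example that is not part of the original thread. It assumes the PEAP session timer starts at the last full authentication and that every successful authentication restarts the RADIUS session timer; the names `Policy`, `classify`, `simulate` and `summarize` are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Policy:
    radius_session_timeout: int = 600      # seconds; re-key interval quoted in the reply
    peap_session_timeout: int = 120 * 60   # seconds; 120-minute default quoted in the reply
    server_fast_reconnect: bool = True
    client_fast_reconnect: bool = True

def classify(now, last_full_auth, policy):
    """Return which PEAP exchange a re-authentication at `now` needs."""
    # Assumption: the cached PEAP session ages from the last full authentication.
    cached = (last_full_auth is not None
              and now - last_full_auth < policy.peap_session_timeout)
    if cached and policy.server_fast_reconnect and policy.client_fast_reconnect:
        return "fast-reconnect"   # only the first phase of PEAP
    return "full-peap"            # full PEAP exchange

def simulate(policy, duration, roams=()):
    """Replay authentications for `duration` seconds; `roams` are roam times in seconds."""
    events, last_full, t = [], None, 0
    pending = sorted(roams)
    while t < duration:
        kind = classify(t, last_full, policy)
        if kind == "full-peap":
            last_full = t
        events.append((t, kind))
        # Assumption: each successful authentication restarts the RADIUS session timer,
        # so the next trigger is the timer expiry or an earlier roam.
        pending = [r for r in pending if r > t]
        t = min([t + policy.radius_session_timeout] + pending[:1])
    return events

def summarize(events):
    """Count how many authentications were full PEAP versus fast reconnect."""
    return Counter(kind for _, kind in events)

if __name__ == "__main__":
    cases = [("fast reconnect on both sides", Policy()),
             ("client fast reconnect off", Policy(client_fast_reconnect=False))]
    for label, pol in cases:
        print(label, dict(summarize(simulate(pol, 4 * 3600))))
```

Comparing the two counts over the same four-hour window shows how much authentication load moves from the cached session to the full exchange when fast reconnect is off on either side.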
