03-27-2019 08:06 AM - edited 07-05-2021 10:08 AM
Hi all!
I can't find any info about which AAA attributes are supported by WLC2504 (ver 8.3.102.0). I'm especially interested in AVP Idle-Timeout. It seems like it's not supported, but I'm searching for proof of it.
Thanks in advance.
03-27-2019 02:39 PM
Are you talking about the idle timeout which is configured on the WLC > Controller User Idle Timeout (seconds)? If so, this is a global configuration that cannot be controlled via AAA override for an individual user.
If you're talking about:
Session timeout, look at AVP Session-Timeout
03-27-2019 02:52 PM
How come idle-timeout cannot be set on a per user basis? Does the WLC just ignore the AVP?
I have not had much joy with idle-timeout on WLC in general - perhaps my testing was skewed, but I didn't see the session terminate when I had hit the threshold (min/max traffic). Have you had any luck with it?
03-27-2019 02:57 PM
Hi @Arne Bier
Is there an AVP called usertimeout?
Just saw that this is configurable per WLAN:
03-27-2019 03:36 PM
The IETF attribute is called idle-timeout
https://tools.ietf.org/html/rfc2865#section-5.28
I am pretty sure that the WLC supports this - and when you check the client session details then it should have been overridden with the value sent in the Access-Accept.
03-27-2019 11:47 PM - edited 03-27-2019 11:48 PM
Here is the output from the WLC. It correctly recognizes the AVPs:
*radiusTransportThread: Mar 27 15:09:02.272: Packet contains 2 AVPs:
*radiusTransportThread: Mar 27 15:09:02.272: AVP[01] Idle-Timeout.............................0x3b9aca14 (1000000020) (4 bytes)
*radiusTransportThread: Mar 27 15:09:02.272: AVP[02] Session-Timeout..........................0x3b9aca14 (1000000020) (4 bytes)
but the only option it overrides is sessionTimeout:
*apfReceiveTask: Mar 27 15:09:02.273: 1c:cd:e5:3b:0c:c8 Override values for station 1c:cd:e5:3b:0c:c8
source: 2, valid bits: 0x100
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: 1000000020
WLC still uses global idleTimeout 300 seconds.
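A small check for the debug output in the post above, added here as an example and not part of the thread or of Cisco's tooling: it lists each AVP the WLC logged from the Access-Accept and whether a matching value shows up in the override line. It assumes the line layout shown above and that an AVP corresponds to an override field once hyphens and case are ignored (Session-Timeout / sessionTimeout).

```python
import re

# Debug lines copied from the post above (WLC 8.3.102.0).
SAMPLE = """\
*radiusTransportThread: Mar 27 15:09:02.272: Packet contains 2 AVPs:
*radiusTransportThread: Mar 27 15:09:02.272: AVP[01] Idle-Timeout.............................0x3b9aca14 (1000000020) (4 bytes)
*radiusTransportThread: Mar 27 15:09:02.272: AVP[02] Session-Timeout..........................0x3b9aca14 (1000000020) (4 bytes)
*apfReceiveTask: Mar 27 15:09:02.273: 1c:cd:e5:3b:0c:c8 Override values for station 1c:cd:e5:3b:0c:c8
source: 2, valid bits: 0x100
qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: 1000000020
"""

AVP_RE = re.compile(r"AVP\[\d+\]\s+([A-Za-z][\w-]*)\.+(0x[0-9a-fA-F]+)\s+\((\d+)\)")
FIELD_RE = re.compile(r"(\w+):\s*(-?(?:0x[0-9a-fA-F]+|\d+))")

def norm(name):
    # Assumption: AVP name and override field match once hyphens and case are dropped.
    return name.replace("-", "").lower()

def audit(log_text):
    """Return {AVP name: 'applied' | 'not applied' | 'mismatch (n)'}."""
    received, applied, in_override = {}, {}, False
    for line in log_text.splitlines():
        m = AVP_RE.search(line)
        if m:
            in_override = False
            name, hexval, dec = m.group(1), int(m.group(2), 16), int(m.group(3))
            if hexval != dec:
                raise ValueError(f"hex/decimal mismatch for {name}")
            received[name] = dec
        elif "Override values for station" in line:
            in_override = True       # field lines follow, without a '*task:' prefix
        elif in_override and not line.startswith("*"):
            for field, value in FIELD_RE.findall(line):
                applied[norm(field)] = int(value, 0)
        else:
            in_override = False      # next prefixed log line ends the override block
    report = {}
    for name, value in received.items():
        got = applied.get(norm(name))
        if got is None:
            report[name] = "not applied"
        else:
            report[name] = "applied" if got == value else f"mismatch ({got})"
    return report

if __name__ == "__main__":
    for avp, status in audit(SAMPLE).items():
        print(f"{avp}: {status}")
```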
03-28-2019 12:10 AM
03-28-2019 12:17 AM
Hi, Haydn!
ver 8.3.102.0
This command is available, but I need to override it by AVP from RADIUS.
(Cisco Controller) >config wlan usertimeout ?
<seconds> Client Idle timeout(in seconds) on this WLAN. Range 0,15-100000 secs. 0 to disable
03-28-2019 12:34 AM
03-28-2019 02:33 AM
>>> Interested to know the use case of why u need it different on a per user/user group.
I use an open network with a captive portal and wanted to use RADIUS to make the client idle timeout infinite, so once identified on the portal, clients will be authorized forever.
Something like the sleeping client feature, but it's also configured on the WLC per WLAN and can be a maximum of 30 days.
03-28-2019 02:47 AM
03-28-2019 03:23 AM
We don't know what can be done with ISE 'cause we don't have it :) but our 3rd party portal does cache users for a configurable time, but this is not enough. Here is what's happening:
1. a new user connects to the open Wi-Fi network
2. the user completes identification on the portal and, by redirect to 1.1.1.1/login.html, gets authorized on the network
3. after some network activity the user disconnects
4. now he may come the next day or in a month and connect to the Wi-Fi network
5. when this happens, the controller does not have state for this client and forwards the request to the portal just to press the "go to internet" button, so by default, without some additional user actions in the browser, there will be no internet access.
It seems like I need to rethink access to the Wi-Fi network, because all those questions/problems come from wanting to make one network for both guests and employees.
03-28-2019 06:32 AM
03-28-2019 01:52 AM