Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1777
Views
2
Helpful
19
Replies

Reauthentication with C9800 Web Authentication

jewfcb001
Level 4
Level 4

‎08-09-2024 01:48 AM

Hi All ,

I would like to know behavior of WLC C9800 with Web Authentication . 
Incase If Client connect to SSID: Web_Authen and authentication success and disconnect this ssid and connect SSID Web_Authen again Client need to reauthenticate or not ? Because I try to simulate test client need to new authentication every time. 

 

Thank you .

 

1 person had this problem
0 Helpful
19 Replies 19

MHM Cisco World
VIP
VIP

‎08-09-2024 01:59 AM

In wlc monitoring >client 

If the Mac of wifi client is disappear then wlc 9800 totally remove client session and hence when client reconnect it need reauthc

MHM

0 Helpful

jewfcb001
Level 4
Level 4
In response to MHM Cisco World

‎08-09-2024 02:41 AM

I observe with android device this device not reauthenticate. 

0 Helpful

MHM Cisco World
VIP
VIP
In response to jewfcb001

‎08-09-2024 02:50 AM

Did you check monitor in wlc 

Can you see mac of wifi client 

MHM

0 Helpful

jewfcb001
Level 4
Level 4
In response to MHM Cisco World

‎08-12-2024 08:28 PM

@MHM Cisco World 
cannot see wifi client if client disassociate WLC (IOS Device)
but android client still see mac client after client disassociate WLC

0 Helpful

Rich R
VIP
VIP
In response to jewfcb001

‎08-12-2024 10:02 PM

As I explained above that's a difference in client behaviour.

If you want the returning client to be seamlessly re-authenticated then you need to use MAC auth (MAB) to log them back in without web auth.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213920-central-web-authentication-cwa-on-cata.html#toc-hId-1941470559

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

marce1000
Hall of Fame
Hall of Fame
In response to jewfcb001

‎08-09-2024 03:17 AM

 

    >....I observe with android device this device not reauthenticate. 
         Then 'take a diff' on what both clients do (or not) using  -   https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity , these debugs can be analyzed with Wireless Debug Analyzer

    Appendix :    Have a checkup of the 9800 WLC configuration with the CLI command show tech wireless and feed the output to : Wireless Config Analyzer
    (do not use a simple show tech as input for this procedure)
                       + Look at client stats from https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5
                                     (for insights on overall client behavior)

                            Check software version on the controller , go for 17.12.3, if applicable (advised)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

jewfcb001
Level 4
Level 4
In response to marce1000

‎08-12-2024 08:42 PM

@marce1000 
I try with c9800 version 17.14.01. I would like to know this scenario is nornal behavior or not ?

0 Helpful

marce1000
Hall of Fame
Hall of Fame

‎08-09-2024 02:11 AM

 

        - This is normal , 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

jewfcb001
Level 4
Level 4
In response to marce1000

‎08-09-2024 02:40 AM - edited ‎08-09-2024 02:41 AM

@marce1000 
Thank you for response . But I observe with android device this device not reauthenticate.

Do you have solution for not reauthenticate?

0 Helpful

David Ritter
Level 4
Level 4
In response to marce1000

‎08-09-2024 07:21 AM

nice topic,  I have and EOC guest account where the participants what to link when they arrive and stay linked... rather than reauthenticating every so often.

Since open ssids get full fast, the session timeout is 30 minutes.  So I presume that be the ruling factor.  management wants to know if that 'timeout' is idle time or busy time.

0 Helpful

Rich R
VIP
VIP

‎08-11-2024 06:09 PM

Depends to some extent on the client's behaviour.  If the client de-authenticates then they are disconnected from WLC and will need to re-authenticate next time they connect.  If the client simply goes to sleep and doesn't de-authenticate then the timers come into play.  Session timeout is absolute. Idle timeout depends on inactivity.  If you want clients to be able to sleep and return without re-authenticating then consider using the Sleeping Client feature.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#SleepingClientfeature
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_vewlc_central_web_authentication.html#Cisco_Troubleshooting.dita_7e7b09b9-831c-4d6b-b573-d96bd4ba4a70

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

jewfcb001
Level 4
Level 4
In response to Rich R

‎08-12-2024 08:40 PM

@Rich R 
I try to enable sleeping Client but the client still re-authenticate . 

0 Helpful

Rich R
VIP
VIP
In response to jewfcb001

‎08-12-2024 10:06 PM

"Sleeping Client" will only work for an actual sleeping client.  As I explained if the client has actually de-authenticated then that is not a sleeping client.  You need to use MAC auth (MAC Authentication Bypass) to re-authenticate a returning client automatically.  Link to example provided in my other reply below.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

jewfcb001
Level 4
Level 4
In response to Rich R

‎08-12-2024 10:14 PM

@Rich R 
as you mean . Web Authenticate not working with sleeping client and need to new authenticate ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card