Sleeping Client - Users being asked to re-authenticate

Hi all, 

We have recently set up a new Guest FlexConnect SSID which utilises Layer 3 Web Auth as its security mechanism (Authentication). Users are authenticated via their Active Directory credentials via LDAPS.

Management want the users to only have to re-authenticate every 30 days, so I have enabled the "Sleeping Client" feature on the WLAN and set the timeout to the maximum of 43200 minutes (30 days).

I can see the sleeping clients being registered on the WLC, and for me personally it seems to work fine (with an iPhone) in that I have not had to re-authenticate in over a week so far.

We have however had a few reports from users who state they are being disconnected and having to re-authenticate several times a day to the guest portal with their credentials to get back on the Wi-Fi.

Having a read around I can see some people recommended tweaking the "Session Timeout" and "Client Idle Timeout" values in the advanced settings of the WLAN such that the "Session Timeout" value is greater than the "Client Idle Timeout" value. By default though these two settings do not seem to be enabled/ticked; are they actually a requirement and should I enable them, or is just enabling the "Sleeping Client" option sufficient?

If there is anything else you can think of that may be of use or that I may have missed I’d appreciate the feedback.

For info we are using the below hardware/software in our deployment:

WLC Cisco 5520

WLC Software Version 8.5.160.0

AP Model: Cisco AIR-AP2802I-E-K9

Cisco AP Software, ap3g3-k9w8 Version: 8.5.160.0

Regards

Dan

2 Replies

Arshad Safrulla
VIP Alumni

Appreciate more info here such as Security used for WLAN, CWA/LWA etc. I would first make sure that these clients who reported the issue don't have MAC randomization enabled. MAC randomization behavior differs from client to client. So make sure that you read about it as well. If the client is presenting a different MAC address each time it's connecting to this SSID, then this is expected.

  • Session timeout - Maximum possible value (0 or 65535); the impact differs based on the security type used for the SSID
  • User idle timeout - 3600 (if it's a busy network a lower value is recommended; a higher value will start causing issues in a busy environment)
  • Sleeping client - Once the user completes the web auth, how long the controller has to remember the client. Sleeping client doesn't work for CWA. It only works for LWA.

Read about what timeout does and how it works - https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_01001001.pdf

The sleeping timer becomes effective after the idle timeout. If using the Sleeping Client feature for Web Authentication, ensure that your idle timeout is lower than the session timeout, to prevent incorrect client deletion.

Also it must be noted that increasing this value may bring security complications as your network will become vulnerable to MAC spoofing. So it is better that you lower the value as recommended by your security team or their policies. 

Consider running the Cisco TAC recommended image on the WLC. https://www.cisco.com/c/en/us/support/docs/wireless/wireless-lan-controller-software/200046-tac-recommended-aireos.html

Hi Arshad, thank you for your reply and the links you have provided.

In terms of the security on the WLAN in question, it is an open network at layer 2 and at layer 3 it is set to use web authentication (Web Policy > Authentication). The clients are authenticating against our internal LDAP servers with their existing credentials (so we are not using a captive portal to create user accounts for guests). The authentication method within the AAA servers section is set to LDAP only.

I did consider the MAC randomization feature, but as you say this may well differ between devices. When I use my iPhone to test, it creates a unique MAC address per SSID and will retain this (though I do believe in earlier beta versions of iOS when this was introduced the setting was more aggressive and did randomize the MAC on a regular basis; I guess they compromised.) My colleague has also checked with his Android device and certainly with the code version he runs it tends to follow the behaviour of my iPhone in that it generates a static random MAC per SSID. This is something we can test though, I guess, for clients having issues, as it will be apparent on the WLC if their MAC address changes.

On checking the timers for session and client idle timeout on the WLC CLI (as they are not ticked/enabled in the GUI under the WLAN advanced settings), I have the below values set:

Session Timeout.................................. 86400 seconds (24 hours)

User Idle Timeout................................ Disabled

Sleep Client..................................... enable

Sleep Client Timeout............................. 43200 minutes (30 days)

The Sleeping Client timeout I have set to the max (30 days) and it is enabled as per above.

I assume the session/idle timers above are the default settings given I have not enabled them; my question would be, do I actually need to do so or is just enabling the sleeping client feature sufficient? Within the link you provided there is also the below note, which to me suggests these settings are currently not in use as we are using LDAP authentication.

If you configure a session-timeout of 0, it means 86400 seconds for 802.1X (EAP), and it disables the session-timeout for all other security types.

Upgrading to the latest code is also something we will be looking to do, I just want to rule out any potential configuration issues before going that route.

Thanks again for your feedback and any subsequent responses, much appreciated.

Regards

Dan
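A small checker for the timer relationships discussed above (idle timeout lower than session timeout when the sleeping client feature is enabled, and the 43200-minute maximum), run over the "show wlan" excerpt Dan pasted. This is an added example, not code from the thread or from Cisco; the parsing of the dotted WLC output format and the "session-timeout 0 means disabled for web auth" handling are assumptions taken from the quoted documentation note.

```python
import re

# Constructed sample: the "show wlan" excerpt Dan pasted in the thread.
SAMPLE_GOOD = """\
Session Timeout.................................. 86400 seconds (24 hours)
User Idle Timeout................................ Disabled
Sleep Client..................................... enable
Sleep Client Timeout............................. 43200 minutes (30 days)
"""
# Constructed hypothetical variant: idle timeout is not lower than the session timeout.
SAMPLE_BAD = """\
Session Timeout.................................. 1800 seconds
User Idle Timeout................................ 3600 seconds
Sleep Client..................................... enable
Sleep Client Timeout............................. 43200 minutes (30 days)
"""

_LINE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\.{2,}\s*(?P<val>.+?)\s*$")
_UNITS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}
MAX_SLEEP_SECONDS = 43200 * 60  # 30 days, the WLAN GUI maximum quoted in the post

def parse_show_wlan(text):
    """Parse 'Key.......... value' lines into a dict of raw value strings."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            cfg[m.group("key").strip()] = m.group("val")
    return cfg

def to_seconds(value):
    """'86400 seconds (24 hours)' -> 86400; 'Disabled' or a 0 value -> None (timer off).
    Assumption: on a web-auth WLAN a session-timeout of 0 disables the timer (per the quoted note)."""
    m = re.match(r"^(\d+)\s+(seconds|minutes|hours|days)", value, re.I)
    if not m or int(m.group(1)) == 0:
        return None
    return int(m.group(1)) * _UNITS[m.group(2).lower()]

def check_timers(text):
    """Return a list of findings for a web-auth WLAN that relies on the sleeping client feature."""
    cfg = parse_show_wlan(text)
    session = to_seconds(cfg.get("Session Timeout", ""))
    idle = to_seconds(cfg.get("User Idle Timeout", ""))
    sleep = to_seconds(cfg.get("Sleep Client Timeout", ""))
    findings = []
    if cfg.get("Sleep Client", "").strip().lower() != "enable":
        return ["sleeping client disabled: the controller will not remember web-auth clients"]
    if idle is not None and session is not None and idle >= session:
        findings.append("user idle timeout (%ds) is not lower than session timeout (%ds)" % (idle, session))
    if sleep is not None and sleep > MAX_SLEEP_SECONDS:
        findings.append("sleeping client timeout exceeds the 43200-minute maximum")
    return findings
```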
