09-20-2012 11:41 AM - edited 07-03-2021 10:41 PM
We have one SSID using web-auth with ISE.
On WLC we configured idle timeout for 2400 seconds and on wlan>advanced with 65535 seconds for session timeout. But we are having continuous deauthentication in about 10 minutes.
When we check WLC, our mac-address is deleted after about each 10 minutes.
How can I solve this issue?
09-20-2012 11:47 AM
Deauth can be caused by interference or even an issue with the client device. What devices are being affected? Is it everywhere or certain areas? What code and WLC and AP model do you have?
Sent from Cisco Technical Support iPhone App
09-20-2012 11:48 AM
Well, I just noticed you have ISE. What logs do you see in ISE?
Sent from Cisco Technical Support iPhone App
09-20-2012 12:10 PM
If I am connected to the WLAN and disable the radio for 10 minutes (or go out of the Wi-Fi coverage area), when I enable the radio (or come back to the Wi-Fi zone) I need to reauthenticate.
My customer would like the connection to remain during the idle timeout (40 minutes).
Notebooks have this issue.
09-20-2012 04:23 PM
I have tested this in the past and I have never had to log back on as long as I was still under the idle timeout. I'm testing it right now and so far with the card disabled 1300 seconds and still in the RUN state.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
09-20-2012 04:28 PM
You know what you should do is create a test wlan that has webauth on the wlc. Have one of your devices join that ssid and then disable the adapter. See if the issue might be with the ISE or with the WLC.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
09-20-2012 07:38 PM
Well, just to give you an update, I have my PC WLAN card disabled for 3 hours and the client is still in the run state. So I would try to determine if the WLC or ISE is causing you the issue.
Sent from Cisco Technical Support iPad App
09-21-2012 07:23 AM
On this wlan we are using Web-Auth with WPA2 + PSK.
Software version 7.0.220
Another SSID does not have this problem.
debug client
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Key exchange done, data packets from mobile 00:1c:26:ac:d9:e5 should be forwarded shortly
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Updated broadcast key sent to mobile 00:1C:26:AC:D9:E5
*osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 Retransmit 2 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station: (callerId: 57) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Associated to Disassociated
*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsAssoStateDec
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5139) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Disassociated to Idle
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station: (callerId: 47) in 10 seconds
*osapiBsnTimer: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 10.166.66.248 RUN (20) Deleted mobile LWAPP rule on AP [40:f4:ec:4a:b0:f0]
Do you have any suggestions about the log or debug?
thanks a lot,
Murilo
09-21-2012 07:47 AM
Well, didn't know you were doing that also. Since you're doing PSK, that changes everything. You would have to go in the CLI of the WLC and change the key timeout.
The ability to configure the WPA-Handshake timeout through the WLCs was integrated in software release 4.2 and later. You do not need this option in earlier WLC software versions.
These commands can be used to change the WPA Handshake timeout:
config advanced eap eapol-key-timeout
config advanced eap ?
eapol-key-timeout                    Configures EAPOL-Key Timeout in seconds.
eapol-key-retries                    Configures EAPOL-Key Max Retries.
identity-request-timeout             Configures EAP-Identity-Request Timeout in seconds.
identity-request-retries             Configures EAP-Identity-Request Max Retries.
key-index                            Configure the key index used for dynamic WEP(802.1x) unicast key (PTK).
max-login-ignore-identity-response   Configure to ignore the same username count reaching max in the EAP identity response
request-timeout                      Configures EAP-Request Timeout in seconds.
request-retries                      Configures EAP-Request Max Retries.
Sent from Cisco Technical Support iPhone App
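Added example, not posted by anyone in this thread and not Cisco code: a small parser for the `debug client` output above that finds EAPOL-Key handshakes ending in a deauthentication and measures the timer intervals and retry count the WLC actually applied. The function name `eapol_key_failures` and the result field names are assumptions made for this sketch; the sample lines are copied (abridged) from the debug output in the thread.

```python
import re
from datetime import datetime

# Lines copied from the `debug client` output posted in this thread (abridged).
SAMPLE = """\
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
"""

LINE = re.compile(r"^\*(\w+): (\w{3} +\d+ [\d:.]+): ((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (.*)$", re.I)
TIMEOUT = re.compile(r"Timer expired for station \S+ and for message = (M\d+)")
FAILURE = re.compile(r"Retransmit failure for EAPOL-Key (M\d+) .*retransmit count (\d+)")
DEAUTH = re.compile(r"Sent Deauthenticate .*\(caller ([^)]+)\)")

def eapol_key_failures(text):
    """Per client MAC, report EAPOL-Key handshakes that ended in a deauth."""
    state, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and unrelated output
        _task, stamp, mac, msg = m.groups()
        when = datetime.strptime(stamp, "%b %d %H:%M:%S.%f")  # the log carries no year
        s = state.setdefault(mac.lower(), {"sent": None, "expiries": [], "fail": None})
        if "Sending EAPOL-Key Message" in msg:
            s.update(sent=when, expiries=[], fail=None)
        elif TIMEOUT.search(msg):
            s["expiries"].append(when)
        elif (f := FAILURE.search(msg)):
            s["fail"] = (f.group(1), int(f.group(2)))
        elif (d := DEAUTH.search(msg)) and s["fail"] and s["sent"]:
            marks = [s["sent"]] + s["expiries"]
            findings.append({
                "mac": mac.lower(), "message": s["fail"][0], "retransmit_count": s["fail"][1],
                "timeouts_s": [round((b - a).total_seconds(), 3) for a, b in zip(marks, marks[1:])],
                "window_s": round((when - s["sent"]).total_seconds(), 3),
                "deauth_caller": d.group(1),
            })
            s["fail"] = None  # later deauths (state clean-up) are not counted again
    return findings

if __name__ == "__main__":
    for finding in eapol_key_failures(SAMPLE):
        print(finding)
```

The measured `timeouts_s` and `retransmit_count` are the values to compare against the `eapol-key-timeout` and `eapol-key-retries` settings listed in the reply above. A finding also separates this kind of deauth from idle-timeout or session-timeout expiry.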