
web authentication timeout problem

mukka
Level 1

We have one SSID using web-auth with ISE.

On WLC we configured idle timeout for 2400 seconds and on wlan>advanced with 65535 seconds for session timeout. But we are having continuous deauthentication in about 10 minutes.

When we check the WLC, our MAC address is deleted about every 10 minutes.

How can I solve this issue?

8 Replies

Scott Fella
Hall of Fame

Deauth can be caused by interference or even an issue with the client device. What devices are being affected? Is it everywhere or certain areas? What code and WLC and AP model do you have?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

Well, I just noticed you have ISE. What logs do you see in ISE?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

If I am connected on the WLAN and disable the radio for 10 minutes (or go out of the Wi-Fi coverage area), when I enable the radio (or come back into the Wi-Fi zone) I need to reauthenticate.

My customer would like the connection to remain during the idle timeout (40 minutes).
Notebooks have this issue.

I have tested this in the past and I have never had to log back on as long as I was still under the idle timeout.  I'm testing it right now and so far with the card disabled 1300 seconds and still in the RUN state.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

You know what you should do is create a test wlan that has webauth on the wlc.  Have one of your devices join that ssid and then disable the adapter.  See if the issue might be with the ISE or with the WLC.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Well, just to give you an update, I have my PC WLAN card disabled for 3 hours and the client is still in the RUN state. So I would try to determine if the WLC or ISE is causing you the issue.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

On this wlan we are using Web-Auth with WPA2 + PSK.

Software version 7.0.220

Another SSID does not have this problem.

debug client

*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Key exchange done, data packets from mobile 00:1c:26:ac:d9:e5 should be forwarded shortly
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
   state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Updated broadcast key sent to mobile 00:1C:26:AC:D9:E5
*osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 Retransmit 2 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Associated to Disassociated

*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsAssoStateDec
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5139) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Disassociated to Idle

*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 47) in 10 seconds
*osapiBsnTimer: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 10.166.66.248 RUN (20) Deleted mobile LWAPP rule on AP [40:f4:ec:4a:b0:f0]

Do you have any suggestions about logs or debugs?

thanks a lot,

Murilo

Scott Fella
Hall of Fame

Well, didn't know you were doing that also. Since you're doing PSK, that changes everything. You would have to go in the CLI of the WLC and change the key timeout.

The ability to configure the WPA-Handshake timeout through the WLCs was integrated in software release 4.2 and later. You do not need this option in earlier WLC software versions.

These commands can be used to change the WPA Handshake timeout:

config advanced eap eapol-key-timeout
config advanced eap ?

eapol-key-timeout                    Configures EAPOL-Key Timeout in seconds.
eapol-key-retries                    Configures EAPOL-Key Max Retries.
identity-request-timeout             Configures EAP-Identity-Request Timeout in seconds.
identity-request-retries             Configures EAP-Identity-Request Max Retries.
key-index                            Configure the key index used for dynamic WEP(802.1x) unicast key (PTK).
max-login-ignore-identity-response   Configure to ignore the same username count reaching max in the EAP identity response
request-timeout                      Configures EAP-Request Timeout in seconds.
request-retries                      Configures EAP-Request Max Retries.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
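
An added example, not part of the original thread or any poster's code: a small Python scan of `debug client` output that reports clients deauthenticated because EAPOL-Key retransmits ran out, the pattern in the debug above that ties the drops to the `eapol-key-timeout` / `eapol-key-retries` settings rather than to the idle or session timeout. The function name `find_key_timeouts` and the second client in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Lines for 00:1c:26:ac:d9:e5 are copied from the debug output in the thread;
# the 00:11:22:33:44:55 client is constructed (one retry, no failure).
SAMPLE = """\
*osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*osapiBsnTimer: Sep 20 12:40:01.100: 00:11:22:33:44:55 802.1x 'timeoutEvt' Timer expired for station 00:11:22:33:44:55 and for message = M5
*dot1xMsgTask: Sep 20 12:40:01.100: 00:11:22:33:44:55 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:11:22:33:44:55
*osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w+ +\d+ [\d:.]+): (?P<mac>"
                  + MAC + r") (?P<msg>.*)$", re.I)
TIMEOUT = re.compile(r"Timer expired for station .* message = (M\d)")
FAILURE = re.compile(r"Retransmit failure for EAPOL-Key (M\d) .*retransmit count (\d+)")
DEAUTH = re.compile(r"Sent Deauthenticate to mobile on BSSID (" + MAC + ")", re.I)

def find_key_timeouts(text):
    """Return one finding per deauth that follows an EAPOL-Key retransmit failure."""
    state = defaultdict(lambda: {"timeouts": 0, "failure": None})
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and continuation lines such as "state PTKINITDONE ..."
        mac, msg = m["mac"].lower(), m["msg"]
        st = state[mac]
        if TIMEOUT.search(msg):
            st["timeouts"] += 1  # key timer expired without a reply from the client
        elif (f := FAILURE.search(msg)):
            st["failure"] = dict(mac=mac, message=f[1], retransmits=int(f[2]),
                                 timer_expiries=st["timeouts"], failed_at=m["ts"])
        elif (d := DEAUTH.search(msg)) and st["failure"]:
            # Only the deauth that directly follows the failure is attributed to it.
            findings.append({**st["failure"], "bssid": d[1].lower()})
            st["failure"], st["timeouts"] = None, 0
    return findings

if __name__ == "__main__":
    for finding in find_key_timeouts(SAMPLE):
        print(finding)
```
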