01-20-2023 10:36 PM
I'm a bit stuck with my Radius setup, or to be more precise, devices being re-authenticated every couple of minutes while using a WiFi web policy.
First, a few words on the setup; more details are shown in the attached photos.
I'm running Windows Server 2016 with AD and NPS roles. There are users and a group of users created for Radius purposes, a network policy is added to grant access to the group of users and, according to the Radius server logs, there are no issues there: users are granted access upon request from the WLC (photo attached). Hence I'm not focused on troubleshooting the Radius server setup, considering that part of the setup is OK.
Cisco WLC, model 9800-L-F-K9, version 17.3.5b.
There are 116 APs and in general, we have no issues with our WiFi network(s).
Recently, a Radius server has been added, AAA authentication created for the login type and the web authentication parameter configured.
Web policy is enabled for the Visitor WLAN and it's all working just fine, smooth. Once users connect to the Visitor WiFi, there is a pop-up window requesting credentials and if correct credentials (AD user) are entered, WiFi is ON, working.
The issue I'm having is the following.
If users leave their device inactive for some time, or even if they lock their device (any device: iPhone, Android, Microsoft workstation, etc.), the device disconnects from WiFi and as soon as the user is about to use the device again, the authentication pop-up window appears. This is very annoying since users are requested to log in dozens of times a day, and I had to disable the web policy on the Visitor WiFi until I find a solution. If the web policy is disabled, WiFi is working fine, no issues.
I've attached a photo where my device was authenticated 4 times in 10 minutes. There are no other WLC logs rather than those ones on the attached photo.
I was focused on the session and idle timeout settings for the Visitor WiFi, but regardless of what settings I configure, there are no changes in the devices' behavior. I've checked the WLC logs and Radius logs, and I can't find a reason for the device disconnecting; there's nothing there which would point to the reason for the device being re-authenticated to connect to WiFi with the Radius web policy enabled.
Is there anyone who has had a similar issue, or someone who's very familiar with Radius and WLC setup, who could assist?
01-20-2023 11:22 PM
- Review the current 9800-L-F configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/
01-21-2023 09:24 AM
- Take the advice from this bug report: https://bst.cisco.com/bugsearch/bug/CSCvs73917 , probably not exactly what you are seeing, but check if it could help,
01-21-2023 08:19 PM
Hi @marce1000, thank you for your time, effort and good advice.
I had the WLC output analyzed, and there are no errors, only a certain number of warnings, none of which explain this behavior.
I found the CSCvs73917 bug earlier and changed the value to 1 day, but unfortunately this doesn't fix my issue.
I'll try to upgrade the WLC to 17.6.4 and see if that helps, but I'm not holding my breath.
01-22-2023 12:05 AM
- Could you also try to increase the Idle Timeout in the applied Policy Profile (for the WLAN), available on the Advanced tab,
01-24-2023 07:41 PM
Hi @marce1000,
I've tried that one, no progress.
Upgrading the WLC from 17.3.5b to 17.3.6 and finally to 17.6.04 gave no results. I've tried everything I could find online, "playing" with different settings on the WLC, but I just can't get this to work.
01-25-2023 12:20 AM
- You may want to do client debugging, check out: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3013.pdf , look for RA Traces. Also check out the commands below, especially for instance in the time window in which you expect that a client will need to be authenticated again, and/or verify the command(s) output before and after re-authentication(s):
show wireless stats client delete reasons
show wireless client history disconnected summary
show wireless stats client detail
show wireless client summary
02-04-2023 05:50 AM - edited 02-04-2023 05:52 AM
While checking different settings and the setup, I've noticed this detail in the AP setup.
I can't find a way to configure this (my guess is that this has to be configured on the WLC). There is no option in the WLC web GUI to configure Session timeout. All options I've found are within the Policy settings affecting the WLAN session timeout or idle timeout, which I've set to the max value, but the AP session timeout is showing the value 300 and I can't find where I can change this setting.
Also, I'm not sure if this session timeout relates to the APs' session with the WLC or to the clients' session with the AP...
02-04-2023 06:50 AM
>..... There is no option in WLC web GUI to configure Session timeout.
Go to Edit Policy Profile -> Advanced
02-04-2023 07:18 AM
I don't believe that's configurable and you shouldn't be fiddling with that setting unless Cisco TAC advise you to.
It's got nothing to do with client sessions. The AP exchanges updates with the WLC all the time so there is no reason why you would ever want a timeout longer than 5 minutes!
02-06-2023 07:19 PM
How can I check client debugs and Radius packet captures to see what's happening?
Since devices lose the WiFi connection after a random interval (sometimes 30 seconds, sometimes 132s, etc.), it's definitely not a timer setting but something else. And I might be wrong, but I'm excluding the Radius settings as a possible cause, since authentication is going smoothly, no timeouts are set on the Radius server (NPS) and all logs I can find on the Radius server only show successful user logins.
02-06-2023 07:59 PM
02-06-2023 10:11 PM
Hi @Scott Fella,
Thank you for your reply. I've tried changing the idle and session timeouts and it didn't help.
02-07-2023 06:46 AM
There is a feature for sleeping clients. This feature prevents webauth clients from having to re-authenticate when the idle timer expires. That is what you need to change. You most likely want to set this high to like 12 hours or more. Expect that the clients will have to re-authenticate if this expires or the session time expires.
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.2.x - Central Web Authentication [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco
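To make the sleeping-client suggestion above concrete, here is an added configuration example that is not from the thread or from any of the posters. It shows the feature enabled on a local web-auth parameter map on a Catalyst 9800, with the policy-profile timers set so that the sleeping-client window, not the idle timer, decides when a visitor has to log in again. The parameter-map and policy-profile names are placeholders, the timeout values are illustrative, and the exact keyword syntax and value ranges are taken from memory of the configuration guide linked above, so verify them against the guide for your IOS XE release before applying.

```cisco
! Added example (not from the original thread). Names are placeholders.
configure terminal
!
! Web-auth parameter map used by the Visitor WLAN.
! sleeping-client lets a client that went idle/asleep return without a new
! web login, as long as it comes back within the sleeping-client timeout.
parameter-map type webauth VISITOR-WEBAUTH
 type webauth
 sleeping-client enable
 sleeping-client timeout 720   ! assumed unit: minutes (12 hours)
 exit
!
! Policy profile applied to the Visitor WLAN. The idle timer can stay short;
! the sleeping-client entry is what keeps the web-auth state across idle drops.
! Expect a fresh login once the session timeout below expires.
wireless profile policy VISITOR-POLICY
 shutdown
 session-timeout 86400         ! seconds (24 hours)
 idle-timeout 300              ! seconds
 no shutdown
 exit
end
!
! Verification: list clients currently tracked as sleeping clients.
show wireless client sleeping-client
```

Two points worth checking after the change: the sleeping-client feature is tied to local web authentication on the controller (clients redirected to an external portal for central web auth are handled by that portal's own session handling), and the session-timeout in the policy profile still sets a hard upper bound, so a sleeping-client timeout longer than the session timeout gains nothing.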
02-06-2023 11:05 PM
>.... How can I check client debugs and radius packet captures to see what's happening
You can have client debugs analyzed with: https://cway.cisco.com/wireless-debug-analyzer