(Windows) Radius Server with WLC 9800-L-F. Re-authentication required,

AVITYA
Level 1

Hi all,

I'm a bit stuck with my Radius setup, or to be more precise, devices being re-authenticated every couple of minutes while using a WiFi web policy.

First, a few words on the setup; more details are shown in the attached photos.
I'm running Windows Server 2016 with AD and NPS roles. There are users and a group of users created for Radius purposes, a network policy is added to grant access for the group of users and, according to Radius server logs, there are no issues there: users are granted access upon request from WLC (photo attached). Hence I'm not focused on troubleshooting the Radius server setup, considering that part of the setup is OK.

Cisco WLC, model 9800-L-F-K9, version 17.3.5b.
There are 116 APs and in general, we have no issues with our WiFi network(s).
Recently, Radius server has been added, AAA authentication created for login type and web authentication parameter configured.
Web policy enabled for the Visitor WLAN and it's all working just fine, smooth. Once users connect to Visitor WiFi, there is a pop-up window requesting credentials and if correct credentials (AD user) are entered, WiFi is ON, working.

The issue I'm having is the following.
If users leave their device inactive for some time, or even if they lock their device (any device, iPhone, Android, Microsoft workstation, etc.), the device disconnects from WiFi and as soon as the user is about to use the device again, the authentication pop-up window appears. This is very annoying since users are requested to log in dozens of times a day and I had to disable web policy on the Visitor WiFi until I find a solution. If web policy is disabled, WiFi is working fine, no issues.
I've attached a photo where my device was authenticated 4 times in 10 minutes. There are no other WLC logs other than the ones on the attached photo.

I was focused on session and idle timeout settings for Visitor WiFi, but regardless of what settings I configure, there are no changes in device behavior. I've checked WLC logs and Radius logs, and I can't find a reason for the device disconnecting; there's nothing there which would point to the reason for the device being re-authenticated to connect to WiFi with Radius web policy enabled.

Is there anyone who had a similar issue, or someone who's very familiar with Radius and WLC setup, who could assist?

Much appreciated.
Thank you.
Kind regards
Petar

14 Replies

marce1000
VIP

 

 - Review the current 9800-L-F configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/. Please note: do not use the classical show tech-support (short version); use the command denoted in green for Wireless Analyzer. Check out all advisories!

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

marce1000
VIP

 

 - Take the advice from this bug report: https://bst.cisco.com/bugsearch/bug/CSCvs73917. It is probably not exactly what you are seeing, but check if it could help.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

AVITYA
Level 1

Hi @marce1000, thank you for your time, effort and good advice.

I had the WLC output analyzed, and there are no errors, only a certain number of warnings, none of which explains this behavior.
I found the CSCvs73917 bug earlier and changed a value to 1 day, but unfortunately this doesn't fix my issue.

I'll try to upgrade WLC to 17.6.4 and see if that helps, but I'm not holding my breath.

Thanks

 

 - Could you also try to increase the Idle Timeout in the applied Policy Profile (for the WLAN), available on the Advanced tab?

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hi @marce1000 ,

I've tried that one, no progress.
Upgrading WLC from 17.3.5b to 17.3.6 and finally to 17.6.04 gave no results. I've tried everything I could find online, "playing" with different settings on the WLC, but I just can't get this to work.

 

 - You may want to do client debugging; check out https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3013.pdf and look for RA Traces. Also check out the commands below, especially in the time window in which you expect that a client will need to be authenticated again, and/or verify the command output before and after re-authentication:
               show wireless stats client delete reasons
               show wireless client history disconnected summary
               show wireless stats client detail
               show wireless client summary 

 M.
               
               
                         



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

AVITYA
Level 1

While checking different settings and setup, I've noticed this detail on the AP setup. 
I can't find a way to configure this (my guess is, this has to be configured on the WLC). There is no option in WLC web GUI to configure Session timeout. All options I've found are within Policy settings affecting WLAN session timeout or idle timeout, which I've set to max value, but AP session timeout is showing value 300 and I can't find where I can change this setting.
Also, I'm not sure if this session timeout is related to APs' session with WLC or clients' session with AP...

 

> ..... There is no option in WLC web GUI to configure Session timeout.
Go to Edit Policy Profile -> Advanced

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Rich R
VIP

I don't believe that's configurable and you shouldn't be fiddling with that setting unless Cisco TAC advise you to.

It's got nothing to do with client sessions.  The AP exchanges updates with the WLC all the time so there is no reason why you would ever want a timeout longer than 5 minutes!

AVITYA
Level 1

Hi all,

How can I check client debugs and radius packet captures to see what's happening?

Since devices lose WiFi connection after a random interval (sometimes 30 seconds, sometimes 132s, etc.), it's definitely not a timer setting but something else. And I might be wrong, but I'm excluding Radius settings as a possible cause since authentication is going smoothly, no timeouts are set on the Radius server (NPS) and all logs I can find on Radius are only showing successful user logins.

Thank you,
Kind regards.
Petar
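
One way to test the interval reasoning in the post above against RADIUS log data, as an added example that is not part of the original thread: it computes the gaps between successive Access-Accepts per client and separates steady gaps from irregular ones. The event rows, MAC addresses, function names and thresholds are constructed assumptions, not an NPS or WLC export format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample rows (timestamp, client MAC, RADIUS result); not data
# from the thread and not a real NPS log layout.
SAMPLE_EVENTS = [
    ("2022-09-05 10:00:00", "aa-bb-cc-00-00-01", "Access-Accept"),
    ("2022-09-05 10:00:30", "aa-bb-cc-00-00-01", "Access-Accept"),
    ("2022-09-05 10:02:42", "aa-bb-cc-00-00-01", "Access-Accept"),
    ("2022-09-05 10:09:10", "aa-bb-cc-00-00-01", "Access-Accept"),
    ("2022-09-05 10:00:00", "aa-bb-cc-00-00-02", "Access-Accept"),
    ("2022-09-05 10:05:00", "aa-bb-cc-00-00-02", "Access-Accept"),
    ("2022-09-05 10:10:01", "aa-bb-cc-00-00-02", "Access-Accept"),
    ("2022-09-05 10:15:00", "aa-bb-cc-00-00-02", "Access-Accept"),
    ("2022-09-05 10:03:00", "aa-bb-cc-00-00-03", "Access-Accept"),
    ("2022-09-05 10:04:00", "aa-bb-cc-00-00-03", "Access-Reject"),
]

def reauth_gaps(events):
    """Seconds between consecutive successful authentications, per client."""
    times = defaultdict(list)
    for ts, mac, result in events:
        if result == "Access-Accept":
            times[mac.lower()].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    gaps = {}
    for mac, stamps in times.items():
        stamps.sort()
        gaps[mac] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return gaps

def classify(gaps, min_reauths=3, tolerance=0.1):
    """Label each client: 'ok', 'fixed-interval' or 'irregular'."""
    verdicts = {}
    for mac, g in gaps.items():
        if len(g) < min_reauths:
            verdicts[mac] = "ok"  # too few re-authentications to call it churn
            continue
        mid = median(g)
        steady = all(abs(x - mid) <= tolerance * mid for x in g)
        # Steady gaps point at an absolute timer (e.g. session timeout).
        # Irregular gaps do not: they fit expiry that depends on client
        # activity, such as an idle timer running while the device sleeps.
        verdicts[mac] = "fixed-interval" if steady else "irregular"
    return verdicts

if __name__ == "__main__":
    for mac, verdict in classify(reauth_gaps(SAMPLE_EVENTS)).items():
        print(mac, verdict)
```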

The WLAN has idle session and session timeouts. These can be adjusted to your environment. However, the typical default works. You can try to increase the session timeouts to 86400 seconds and see if that helps, but the client should reauthenticate properly.
-Scott
*** Please rate helpful posts ***

Hi @Scott Fella ,
Thank you for your reply. I've tried changing idle and session timeouts and it didn't help. 

There is a feature for sleeping clients.  This feature prevents webauth clients from having to re-authenticate when the idle timer expires.  That is what you need to change.  You most likely want to set this high to like 12 hours or more.  Expect that the clients will have to re-authenticate if this expires or the session time expires.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.2.x - Central Web Authentication [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

-Scott
*** Please rate helpful posts ***

 

> ....  How can I check client debugs and radius packet captures to see what's happening
https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
You can have client debugs analyzed with: https://cway.cisco.com/wireless-debug-analyzer

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !