(Windows) Radius Server with WLC 9800-L-F. Re-authentication required,

AVITYA · ‎01-20-2023

Hi all,

I'm a bit stuck with my Radius setup, or to be more precise, devices being re-authenticated every couple of minutes while using a WiFi web policy.

First, few words on setup and more details are shown within attached photos.
I'm running Windows Server 2016 with AD and NPS roles. There are users and a group of users created for Radius purposes, network policy is added to grant an access for the group of users and according to Radius server logs, there are no issue there, users are granted access upon request from WLC (photo attached), hence I'm not focused on troubleshooting Radius server setup, considering that part of setup is OK.

Cisco WLC, model 9800-L-F-K9, version 17.3.5b.
There are 116 APs and in general, we have no issues with our WiFi network(s).
Recently, Radius server has been added, AAA authentication created for login type and web authentication parameter configured.
Web policy enabled for the Visitor WLAN and it's all working just fine, smooth. Once users connect to Visitor WiFi, there is a pop-up window requesting credentials and if correct credentials (AD user) are entered, WiFi is ON, working.

Issue I'm having is following.
If users leave their device inactive for some time, or even if they lock their device (any device, iPhone, Android, Microsoft workstation, etc.), device disconnects from WiFi and as soon as user is about to use a device again, authentication pop-up window appears. This is very annoying since users are requested to login dozens of times a day and I had to disable web policy on the Visitor WiFi until I find a solution. If web policy is disabled, WiFi is working fine, no issues.
I've attached a photo where my device was authenticated 4 times in 10 minutes. There are no other WLC logs rather than those ones on the attached photo.

I was focused on session and idle timeout settings for Visitor WiFi, but regardless what settings I configure, there are no changes in devices behavior. I've checked WLC logs and Radius logs, and I can't find a reason for device disconnecting, there's nothing there which would point to the reason of device being re-authenticated to connect to WiFi with Radius web policy enabled.

Is there anyone who had a similar issue or someone who's very familiar with Radius and WLC setup to assist.

Much appreacited.
Thank you.
Kind regards
Petar

marce1000 · ‎01-20-2023

- Review the current 9800-L-F configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

marce1000 · ‎01-21-2023

- Take the advice from this bug report : https://bst.cisco.com/bugsearch/bug/CSCvs73917 , probably not exactly what you are seeing , but check if it could help ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

AVITYA · ‎01-21-2023

Hi @marce1000 , thank you for your time, effort and good advices.

I had WLC output analyzed, and there are no errors, certain number of warnings only, where none relate explains this behavior.
CSCvs73917 bug I've found earlier and I've changed a value to 1 day, but unfortunately this doesn't fix my issue.

I'll try to upgrade WLC to 17.6.4 and see if that helps, but I'm not holding my breath.

Thanks

marce1000 · ‎01-22-2023

- Could you also try to increase the Idle Timeout in the applied Policy Profile (for the WLAN) , available on the Advanced tab ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

AVITYA · ‎01-24-2023

Hi @marce1000 ,

I've tried that one, no progress.
Upgrading WLC from 17.3.5b to 17.3.6 and finally to 17.6.04, gave no results. I've tried everything I could find online, "playing" with different setting on WLC, but I just can't get this to work.

marce1000 · ‎01-25-2023

- You may want to do client debugging , checkout : https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3013.pdf , look for RA Traces , also checkout the commands below especially for instance in the time window that you expect that a client will need to be authenticated again and or verify command(s) output before and after re-authentication(s) :
show wireless stats client delete reasons
show wireless client history disconnected summary
show wireless stats client detail
show wireless client summary

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

AVITYA · ‎02-04-2023

While checking different settings and setup, I've noticed this detail on the AP setup.
I can't find a way to configure this (my guess is, this has to be configured on the WLC). There is no option in WLC web GUI to configure Session timeout. All options I've found are within Policy settings affecting WLAN session timeout or idle timeout, which I've set to max value, but AP session timeout is showing value 300 and I can't find where I can change this setting.
Also, I'm not sure if this session timeout is related to APs' session with WLC or clients' session with AP...

marce1000 · ‎02-04-2023

>..... There is no option in WLC web GUI to configure Session timeout.
Go to Edit Policy Profile -> Advanced

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎02-04-2023

I don't believe that's configurable and you shouldn't be fiddling with that setting unless Cisco TAC advise you to.

It's got nothing to do with client sessions. The AP exchanges updates with the WLC all the time so there is no reason why you would ever want a timeout longer than 5 minutes!

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

AVITYA · ‎02-06-2023

Hi all,

How can I check client debugs and radius packet captures to see what's happening?

Since devices lose WiFi connection after random interval (sometimes 30 seconds, sometimes 132s, etc), it's definitely not a timer setting but something else. And I might be wrong, but I'm excluding Radius settings as a possible cause since authentication is going smooth, no timeouts are set on Radius server (NPS) and all logs I can find on Radius are only showing successful user login.

Thank you,
Kind regards.
Petar

Scott Fella · ‎02-06-2023

The wlan has idle session and session timeouts. These can be adjusted to your environment. However, the typical default works. You can try to increase the session timeouts to one 86400 seconds and see if that helps but the client should be reauthenticate properly.

-Scott
*** Please rate helpful posts ***

AVITYA · ‎02-06-2023

Hi @Scott Fella ,
Thank you for your reply. I've tried changing idle and session timeouts and it didn't help.

Scott Fella · ‎02-07-2023

There is a feature for sleeping clients. This feature prevents webauth clients from having to re-authenticate when the idle timer expires. That is what you need to change. You most likely want to set this high to like 12 hours or more. Expect that the clients will have to re-authenticate if this expires or the session time expires.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Amsterdam 17.2.x - Central Web Authentication [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

-Scott
*** Please rate helpful posts ***

marce1000 · ‎02-06-2023

>.... How can I check client debugs and radius packet captures to see what's happening
https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
You can have client debugs analyzed with : https://cway.cisco.com/wireless-debug-analyzer

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '