Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2714
Views
5
Helpful
3
Replies

Wireless authentication and association timeout

Brightstaraus
Level 1
Level 1

‎12-06-2018 08:02 PM - edited ‎07-05-2021 09:33 AM

Greetings,

Before client association occurs, is there a timeout value for a client to be authenticated with the AP? This will be the step before the user is authenticated using EAP... 

so lets say the authentication open seq is sent by the AP and nothing is heard back, how long will it take for the AP to reset the connection to the client?

Also, do we have a timeout value for the steps to follow after this? The client is authenticated but association hasn't completed, how long would the AP wait for the client to respond? 

 

Thanks

Labels:
0 Helpful
3 Replies 3

Scott Fella
Hall of Fame
Hall of Fame

‎12-06-2018 08:32 PM

There are radius timers which you can change. So depending what values you set, will determine when the controller will reset the association.
-Scott
*** Please rate helpful posts ***
0 Helpful

ammahend
VIP
VIP

‎12-07-2018 04:46 AM - edited ‎12-07-2018 04:54 AM

Client starts probe request (10ms per request if no response), followed with probe response from AP, followed with open authentication (can also do WEP) this is unicast communication to specific AP followed by an acknowledgement, followed by association request and response (Again Unicast) eventually obtaining an Association ID, till this stage any failure will be presented with a Status code 0-9 for success or failure result, you should be able to see this in capture.

post this Client will Start EAP communication with WLC and WLC will indeed talk Radius to AAA, there are timers here for EAP between controller and client, timers and retires are show below

(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 2
EAP-Broadcast Key Interval....................... 3600

 

For Radius timeout can vary default in most cases in 5 sec.

 

All these are configurable parameters.

-hope this helps-

Brightstaraus
Level 1
Level 1
In response to ammahend

‎12-09-2018 02:22 PM

Thanks Ammahend,

 

Do you know what the timeout is in the first phase? probe is send and is heard but then the client isnt heard of, how long would the AP wait for a response before resetting the session?

With EAP, the user now needs to enter a password and be authenticated either through radius or other methods. If the client does not respond at this stage or if the client takes too long to put in his/her key, the AP would keep the session for 30 seconds and then reset?

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card