
wlc 4402 - problems in unauthenticated state

j.kougoulos
Level 4

Hello,

Using a 4402, ver 4.0.185,

I'm configuring a WLAN with no layer 2 security, and I have configured the web-policy layer 3 security method with a preauth ACL to allow connections to a couple of VPN concentrators for unauthenticated users.

Everything works fine, but I have observed a few things that worry me:

a. When a client disassociates from my WLAN, the wireless controller takes about 5 minutes to discover that this has happened. It looks as if it doesn't get the disassociation event.

b. If the client has not authenticated through the web-auth page, about every 5 minutes the client seems to be briefly disconnected from the WLAN and connects again immediately. This displays an annoying popup to the user and one or two packets are lost (I see this from a continuous ping I run concurrently).

The client statistics on the PC show that a roaming event has occurred, but since the only AP with adequate signal is next to the PC, I don't see any reason for roaming.

Any ideas?

Thanks,

John

4 Replies

dennischolmes
Level 7

Does the roam event occur every 5 minutes or every 10? If it is 10, I bet you have your RRM refresh set to 600 seconds (default). When an RRM refresh occurs, if there is a change of channel selection on the APs, or power for that matter, there is a brief disconnection to the client to allow for reassociation under the new channel/power assignment configuration. This could be your problem. To test, turn RRM off for about 30 minutes. If you have no disconnect, you have your answer. You can then set RRM refreshes to occur less frequently.

Well, the reassociation/roam happens every 5 minutes, so I guess it's not RRM. Also, the version of the software is actually 4.1.185 ...

The strange thing is that I have found out that this behavior is directly related to the Auth status of the user.

When I have the web-policy enabled, each user that has not passed through web auth appears in the "Clients" report with unauthenticated status, and he faces the problem I have described.

If, for example, I disable the web-policy and have a fully open WLAN, the user appears as authenticated in the "Clients" report.

In this case the reassociation problem does not occur....

Thanks for your time!

Try increasing your user idle timeout to 10 minutes and see if the time changes to 10 minutes.

I changed it to 10 minutes (ARP timeout & user idle timeout == 600) but I still have the same behavior every 5 minutes. I also removed every setting about MFP; still the same.

I did some debugs and I see that at the time this occurs there is a state transition:

WEBAUTH_REQD -> START -> AUTHCHECK -> L2AUTHCOMPLETE -> WEBAUTH_REQD

I guess there is a hardcoded 5 min timeout for the user to do the web auth somewhere.
