Session timer is a forced deauth of clients after the value has expired. Idle timer is a forced deauth of the client when the client is in an idle state. When I say deauth, I mean the client is removed from the WLC and the client will deauth and the timer starts again. The session timer has to be higher than the idle timer and is usually set high or disable by setting to 0. Idle timer is default at 300 and is fine but typically for Apple devices using WebAuth, you need to set this 2+ hours. A good example is when using WebAuth for guest users. When an iPhone or iPad goes to sleep, screen goes blank, this triggers the idle timer and it start counting down. Default is 300 seconds or 5 minutes, so after 5 minutes, all if a sudden the user turns on his or her device and now has to login again. Do you really want guest users to login again? This is where increasing the idle timer comes into play. A user now can go to lunch for a couple hours and come back without having to log back in. Now if your policy states that every
8 hours a guest has to login. Then you set your session tee to 8 hours.

Session timer 8 hours
Idle timer 3 hours

So now the device will not timeout unless they are idle for past 3 hours and now will automatically be forced to login again after 8 when the session timer expires.

Hope this makes sense.

Sent from Cisco Technical Support iPhone App