
WLC CWA with ISE - Client disconnection issues

gpinero
Level 1

Hi, I'm working on a CWA deployment using WLC and ISE. It works as expected, but I have many problems with client disconnection issues.

 

This is the flow:

- Client connects to an open SSID (hidden) and, using MAB, ISE shows a guest portal.

- When the client is authenticated, ISE sends a CoA to the WLC and the client is reauthenticated.

- ISE permits access with a reauthentication timeout of 28800 sec.

 

The problem is that users report that they need to reauthenticate again (guest portal) two or three times in these 8 hours.

 

At WLC the configuration timers are:

Advanced -> Enable Session Timeout -> 3600

Client user idle timeout(15-100000) -> 14400

 

I have been able to test that reauth occurs when users roam from an AP or when users go out (coffee break, for example) and then come back: clients need to authenticate again via the guest portal.

 

With the client idle timeout, is the session maintained for 4h when the client is idle?

What more can I do to adjust these timers so the client does not need to reauthenticate in 8 hours?

 

Thanks in advance

 

CCNP R&S, CCNP Security, CCNA CyberOps

Arne Bier
VIP

The Session-Timeout value that you see in the WLC's WLAN profile is the session timeout that applies to clients who have not passed the CWA Portal authentication (and that includes things like users who have not yet clicked on the AUP).

Once the guest is officially authenticated, ISE sends a CoA to the WLC and that triggers the client disconnection. The MAB auth will be sent to ISE again, and this time ISE will know this is an authenticated guest and this is the point where you should send the Access-Accept and Session-Timeout = 28800 (8 hours).

 

regards

Arne

Thanks, Arne, for the clarification. As I expected, the configuration seems to be right.

 

In this case, the session-timeout in the WLC must be short to avoid clients spending a long time without auth. As I said, clients report issues because the portal appears more than once in these 8 hours.

 

What can I configure, test or change so that the user only has to authenticate once during that time?

 

Thanks in advance

CCNP R&S, CCNP Security, CCNA CyberOps