已解决: WLC多长时间验证802.1x用户名密码。

叶不凡 · ‎12-02-2021

我们公司wifi做的是802.1x接入，请问WLC多久和radius或ldap通讯校验用户名密码？

因为在我测试过程中，修改了wifi的密码后，已经连接wifi的用户，仍然可以连接，过了大约30分钟左右才提示wifi断开。

这个时间能修改吗？

ilay · ‎12-09-2021

这个应该和对应WLAN的"Session Timeout"时间有关系，默认情况下wlc 802.1x 的session timeout时间是1800s，应该是在timeout结束之前进行重新认证。（具体值是多少没有验证过）

更改的话直接在对应SSID的Advanced->Enable Session Timeout中输入新的值即可（300-86400）。也可通过ise authorization policy下发该参数。

=====

(Cisco Controller) >show client detail 00:db:df:c4:e7:d5
Client MAC Address............................... 00:db:df:c4:e7:d5
Client Username ................................. ilay
Client Webauth Username ......................... N/A
Hostname: ....................................... ccg
Device Type: .................................... WindowsXP-Workstation
AP MAC Address................................... 1c:d1:e1:55:5f:20
AP Name.......................................... SD_AP_S215
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Client User Group................................ ilay
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
Wireless LAN Network Name (SSID)................. LAB_WLAN_5G
Wireless LAN Profile Name........................ LAB_WLAN_5G
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 77 secs
BSSID............................................ 1c:d2:e1:55:5f:2d
Channel.......................................... 44
IP Address....................................... 10.12.137.224
Gateway Address.................................. 10.12.136.2

--More-- or (q)uit
Netmask.......................................... 255.255.254.0
IPv6 Address..................................... fe80::1d17:b216:9139:99c2
Association Id................................... 100
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Client IPSK-TAG.................................. N/A
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... 1
Re-Authentication Timeout........................ 1745
QoS Level........................................ Silver

在原帖中查看解决方案

ilay · ‎12-09-2021

这个应该和对应WLAN的"Session Timeout"时间有关系，默认情况下wlc 802.1x 的session timeout时间是1800s，应该是在timeout结束之前进行重新认证。（具体值是多少没有验证过）

更改的话直接在对应SSID的Advanced->Enable Session Timeout中输入新的值即可（300-86400）。也可通过ise authorization policy下发该参数。

=====

(Cisco Controller) >show client detail 00:db:df:c4:e7:d5
Client MAC Address............................... 00:db:df:c4:e7:d5
Client Username ................................. ilay
Client Webauth Username ......................... N/A
Hostname: ....................................... ccg
Device Type: .................................... WindowsXP-Workstation
AP MAC Address................................... 1c:d1:e1:55:5f:20
AP Name.......................................... SD_AP_S215
AP radio slot Id................................. 1
Client State..................................... Associated
User Authenticated by ........................... RADIUS Server
Client User Group................................ ilay
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
Wireless LAN Network Name (SSID)................. LAB_WLAN_5G
Wireless LAN Profile Name........................ LAB_WLAN_5G
WLAN Profile check for roaming................... Disabled
Hotspot (802.11u)................................ Not Supported
Connected For ................................... 77 secs
BSSID............................................ 1c:d2:e1:55:5f:2d
Channel.......................................... 44
IP Address....................................... 10.12.137.224
Gateway Address.................................. 10.12.136.2

--More-- or (q)uit
Netmask.......................................... 255.255.254.0
IPv6 Address..................................... fe80::1d17:b216:9139:99c2
Association Id................................... 100
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Client IPSK-TAG.................................. N/A
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... 1
Re-Authentication Timeout........................ 1745
QoS Level........................................ Silver