I'm a bit stuck with my Radius setup, or to be more precise, devices being re-authenticated every couple of minutes while using a WiFi web policy.
First, a few words on the setup; more details are shown in the attached photos.
I'm running Windows Server 2016 with AD and NPS roles. There are users and a group of users created for Radius purposes, and a network policy is added to grant access for the group of users. According to the Radius server logs, there are no issues there: users are granted access upon request from the WLC (photo attached). Hence I'm not focused on troubleshooting the Radius server setup, considering that part of the setup OK.
Cisco WLC, model 9800-L-F-K9, version 17.3.5b.
There are 116 APs and in general, we have no issues with our WiFi network(s).
Recently, Radius server has been added, AAA authentication created for login type and web authentication parameter configured.
Web policy enabled for the Visitor WLAN and it's all working just fine, smooth. Once users connect to Visitor WiFi, there is a pop-up window requesting credentials and if correct credentials (AD user) are entered, WiFi is ON, working.
The issue I'm having is the following.
If users leave their device inactive for some time, or even if they lock their device (any device, iPhone, Android, Microsoft workstation, etc.), device disconnects from WiFi and as soon as user is about to use a device again, authentication pop-up window appears. This is very annoying since users are requested to login dozens of times a day and I had to disable web policy on the Visitor WiFi until I find a solution. If web policy is disabled, WiFi is working fine, no issues.
I've attached a photo where my device was authenticated 4 times in 10 minutes. There are no other WLC logs than the ones in the attached photo.
I was focused on session and idle timeout settings for Visitor WiFi, but regardless of what settings I configure, there are no changes in device behavior. I've checked the WLC logs and Radius logs, and I can't find a reason for the device disconnecting; there's nothing there which would point to the reason for the device being re-authenticated to connect to WiFi with the Radius web policy enabled.
Is there anyone who has had a similar issue, or someone who's very familiar with Radius and WLC setup, who could assist?
- Review the current 9800-L-F configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/
Hi @marce1000, thank you for your time, effort and good advice.
I had the WLC output analyzed, and there are no errors, only a certain number of warnings, none of which explains this behavior.
I found the CSCvs73917 bug earlier and changed a value to 1 day, but unfortunately this doesn't fix my issue.
I'll try to upgrade WLC to 17.6.4 and see if that helps, but I'm not holding my breath.
- You may want to do client debugging; check out https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3013.pdf and look for RA Traces. Also check out the commands below, especially in the time window in which you expect that a client will need to be authenticated again, and/or verify the command output before and after re-authentication:
show wireless stats client delete reasons
show wireless client history disconnected summary
show wireless stats client detail
show wireless client summary