
(Windows) Radius Server with WLC 9800-L-F. Re-authentication required,

AVITYA
Beginner

Hi all,

I'm a bit stuck with my Radius setup, or to be more precise, devices being re-authenticated every couple of minutes while using a WiFi web policy.

First, a few words on the setup; more details are shown in the attached photos.
I'm running Windows Server 2016 with AD and NPS roles. There are users and a group of users created for Radius purposes, and a network policy is added to grant access for the group of users. According to the Radius server logs, there are no issues there: users are granted access upon request from the WLC (photo attached), hence I'm not focused on troubleshooting the Radius server setup, considering that part of the setup is OK.

Cisco WLC, model 9800-L-F-K9, version 17.3.5b.
There are 116 APs and in general, we have no issues with our WiFi network(s).
Recently, Radius server has been added, AAA authentication created for login type and web authentication parameter configured.
Web policy enabled for the Visitor WLAN and it's all working just fine, smooth. Once users connect to Visitor WiFi, there is a pop-up window requesting credentials and if correct credentials (AD user) are entered, WiFi is ON, working.

The issue I'm having is the following.
If users leave their device inactive for some time, or even if they lock their device (any device, iPhone, Android, Microsoft workstation, etc.), the device disconnects from WiFi and as soon as the user is about to use the device again, the authentication pop-up window appears. This is very annoying since users are requested to log in dozens of times a day and I had to disable web policy on the Visitor WiFi until I find a solution. If web policy is disabled, WiFi is working fine, no issues.
I've attached a photo where my device was authenticated 4 times in 10 minutes. There are no other WLC logs other than those in the attached photo.

I was focused on session and idle timeout settings for Visitor WiFi, but regardless of what settings I configure, there are no changes in the devices' behavior. I've checked WLC logs and Radius logs, and I can't find a reason for the device disconnecting; there's nothing there which would point to the reason for the device being re-authenticated to connect to WiFi with Radius web policy enabled.

Is there anyone who had a similar issue or someone who's very familiar with Radius and WLC setup to assist?

Much appreciated.
Thank you.
Kind regards
Petar

6 Replies

marce1000
VIP Mentor

 

 - Review the current 9800-L-F configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ . Please note: do not use the classical show tech-support (short version); use the command denoted in green for Wireless Analyzer. Check out all advisories!

 M.

marce1000
VIP Mentor

 

 - Take the advice from this bug report: https://bst.cisco.com/bugsearch/bug/CSCvs73917 . It is probably not exactly what you are seeing, but check if it could help.

 M.

AVITYA
Beginner

Hi @marce1000, thank you for your time, effort and good advice.

I had the WLC output analyzed, and there are no errors, only a certain number of warnings, none of which explains this behavior.
I found the CSCvs73917 bug earlier and changed a value to 1 day, but unfortunately this doesn't fix my issue.

I'll try to upgrade WLC to 17.6.4 and see if that helps, but I'm not holding my breath.

Thanks

 

 - Could you also try to increase the Idle Timeout in the applied Policy Profile (for the WLAN), available on the Advanced tab?

 M.

Hi @marce1000,

I've tried that one, no progress.
Upgrading the WLC from 17.3.5b to 17.3.6 and finally to 17.6.04 gave no results. I've tried everything I could find online, "playing" with different settings on the WLC, but I just can't get this to work.

 

 - You may want to do client debugging; check out https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3013.pdf and look for RA Traces. Also check out the commands below, especially in the time window in which you expect that a client will need to be authenticated again, and/or verify the command(s) output before and after re-authentication(s):
               show wireless stats client delete reasons
               show wireless client history disconnected summary
               show wireless stats client detail
               show wireless client summary

 M.