wlc 4402 - problems in unauthenticated state

Oct 25th, 2007


Using a 4402, ver 4.0.185,

I'm configuring a WLAN with no layer2 security, and I have configured the web-policy layer 3 security method with a preauth acl to allow connections to a couple of vpn concentrators for unauthenticated users.

Everything works fine, but I have observed a few things that worry me:

a. When a client disassociates from my wlan, the wireless controller takes about 5 minutes to discover that this has happened. It looks as if it doesn't get the disassociation event.

b. If the client has not authenticated through the web-auth page, about every 5 minutes the client seems to be briefly disconnected from the WLAN and connects again immediately. This displays an annoying popup to the user and one or two packets are lost (I see this from a continuous ping I run concurrently).

The client statistics on the PC show that a roaming event has occurred but since the only AP with adequate signal is next to the PC I don't see any reasons for roaming.

Any ideas?



dennischolmes Thu, 10/25/2007 - 18:05

Does the roam event occur every 5 minutes or every 10? If it is 10, I bet you have your RRM refresh set to 600 seconds (default). When an RRM refresh occurs, if there is a change of channel selection on the APs, or power for that matter, there is a brief disconnection to the client to allow for reassociation under the new channel/power assignment configuration. This could be your problem. To test, turn RRM off for about 30 minutes. If you have no disconnect, you have your answer. You can then set RRM refreshes to occur less frequently.

j.kougoulos Fri, 10/26/2007 - 04:27

Well, the reassociation/roam happens every 5 minutes, so I guess it's not RRM. Also, actually the version of the software is 4.1.185 ...

The strange thing is that I have found out that this behavior is directly related to the Auth status of the user.

When I have the web-policy enabled, each user that has not passed through web auth appears in the "Clients" report with unauthenticated status, and he faces the problem I have described.

If for example I disable the web-policy, and have a fully open WLAN, in the "clients" report the user appears as authenticated.

In this case the reassociation problem does not occur....

thanks for your time!

dennischolmes Fri, 10/26/2007 - 04:34

Try increasing your user idle timeout to 10 minutes and see if the time changes to 10 minutes.

j.kougoulos Fri, 10/26/2007 - 05:53

I changed it to 10 minutes (arp timeout & user idle timeout == 600) but still every 5 minutes I have the same behavior. I also removed every setting about MFP, still the same.

I did some debugs and I see that at the time that this occurs there is a state transition:


I guess there is a hardcoded 5 min timeout for the user to do the web auth somewhere.

