Guest wireless timeout

Unanswered Question

We have a primary controller (4402 - 50) and a small 4402-12 setup as a anchor for guest access. All guest traffic (for Internet access only) is sent through the guest controller - located on our DMZ.

Guest users were complaining that they were getting knocked off the system after 30 minutes. They needed to re-authenticate. This would happen regardless if they were VPN'd in to their host, or on the Internet.

We removed the timeout feature (deselected it) on both controllers. The issue then goes away. The users are never bumped off.

We then changed the inactivity timeout to 1 hour. Users were getting bumped off after 30 minutes.

We then changed the timeout to 2 hours. Now it appears that the connection stays in place about 40 minutes.

Note that we are changing the timeout to be the same on both controllers.

2 questions;:

First - has anyone found that that timeout feature is not accurate fro an actual “time” perspective ?

Second - why would a user that is actively on the system, surfing and moving between sites be kicked off? It is like the anchor does not see the traffic - and views the connection as idle.

Note that we do not have inactivity issue with workstations connected through our primary WLC, just with guest traffic

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
weterry Fri, 05/22/2009 - 19:59

The timeout that I believe you are referring to is the session timeout, not the idle timeout.

This session timeout forces reauthentication at the specified interval. With non Web-Auth methods, this should be handled seamlessly in the background.

Web-auth however puts the user back in a web_auth_required state when the session timeout is reached. Normal suggestion is to set the value to the maximum duration you want a client to stay connected without having to re-authenticate (0? 8 hours? etc...)

As for your first question, I am not aware of these session times not being accurate.

Robert.N.Barrett_2 Sat, 05/23/2009 - 13:37

You didn't mention how/what timer you changed. Please be sure that you are changing/disabling the session timeout feature (express in seconds) on the "Advanced" tab of the WLAN definition for the Guest SSID. I have not found this timer to be inaccurate with and code on the controller.

andre.ortega Mon, 06/01/2009 - 13:19

I have same problem (I am no speaking about timeout session, active user have re-authentication ever 30 minutes).

I need choose the time interval for web re-authentication on guest ssid.How I configure this?

sslittle Fri, 09/11/2009 - 22:44


We have just deployed controllers with a guest anchor and getting disconnected every 30 minutes. Can anyone advise what is the best way to resolve and if changing the timers works. My worry is that we will end up with sessions that are not being disconneted properly.

Also is this a software bug?



ONDREJ SYSEL Sat, 09/12/2009 - 08:05


If this is a standard scenario one WLC with AP's in LAN and anchor WLC in DMZ, than you need to configure the timeout on anchor WLC in DMZ, not only on the WLC in LAN controlling the AP's. The timer can be configured on advanced tab in WLAN properties (as mentioned somewhere above).


George Stefanick Sat, 09/12/2009 - 08:46

Osysel is correct. Your config needs to be identical on both the anchor and inside controllers. If not you will likely have issues if configs are not identical specific to the WLAN.

l.mourits Mon, 09/14/2009 - 01:57

Considering the fact that you see connections break while not matching the timer and only on SSID with foreign anchors, I get the sense that this is not related to idle or user related timers, but rather a mismatch between your anchor Hello timers.

Please check "Controller -> Mobility Management -> Mobility Anchor Config" on all controllers and ensure they match (defaults are 3 keep alive count and 10 seconds interval).

Hope this helps,


andre.ortega Mon, 09/14/2009 - 03:21

Follow resolution for my problem:

This "Session Timeout" is a configurable parameter that is set under the WLAN policy config, have a look;

Here is where this is set (look at number 4);

WLAN Policy Configuration

Refer to the WLANs > Edit page for a description of these parameters.

1. The WLAN SSID box contains the current WLAN 1 SSID. If desired, enter a different SSID.

2. The Radio Policy box contains the default bands controlled by the WLAN 1 policy. If desired, enter a different WLAN 1 policy: 802.11a only, 802.11g only, 802.11b/g only, 802.11a/g only, or All.

3. The Admin Status box contains the default administrative status (unchecked, or disabled). If desired, enable the WLAN 1 policy by checking the Admin Status box.

4.*** The Session Timeout box contains the default 802.11 session timeout (0, or no timeout). If desired, enter a different 802.11 session timeout in minutes.***

5. The Quality of Service (QoS) box contains the default QoS status (Silver, or Best Effort QoS). If desired, enter a different QoS: Platinum = Voice, Gold = Video, Bronze = Background, or leave as Silver = Best Effort. VoIP clients should be set to Platinum, Gold or Silver, while low-bandwidth clients can be set to Bronze.

6. The Allow AAA Override box contains the default AAA Override status (unchecked, or disabled). If desired, enable AAA Override by checking the AAA Override box.

7. The Blacklist Exclusion List Timeout box contains the default client Exclusion List (blacklist) timeout status (checked, or enabled). If desired, disable Exclusion List (Blacklist) Timeout by unchecking the Blacklist Timeout box.



This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode