WLAN Controller WEB AUTH, when is the session re-verified after initial authentication?

MCentrick2010
Level 1

I am planning to use Web Authentication (With External Server) on a Cisco WLAN controller.

Unfortunately, I still do not have one with which I can experiment, and cannot find the following info in the documentation.

After a user authenticates successfully the first time, when is authentication performed again?

Is that periodic? Or maybe specified in the Access-Accept message?

Thanks for your help. 

6 Replies

There is a session timeout in the WLAN definition.  When the client hits that timeout, they will need to go back to the web page and re-auth.  I don't believe the user is notified in any way that they have hit the session timeout, and they are not disconnected from the wireless.  They just can't do anything on the network (except DNS resolution) until they revisit the web-auth page.

I believe that they will also have to reauth if they disconnect and then reconnect (for instance, if they reboot).

Just to add a little more to Robert's post:

Typically, guest users are browsing the internet at all times... So when the session timeout hits, they will be redirected the very next time they access an HTTP page. But if your guests are just doing IM or something, and not browsing the webpage, then they'll be down solid until they open a web browser again.

As for rebooting....

As long as the client re-associates again before the WLC Idle Timeout (typically 5 minutes), the next association would be treated more like a ROAM. I would not expect the client to reauthenticate with webauth until they have been deauthenticated by either Idle Timeout or Session Timeout... If the user somehow notifies us of the disconnection and we deauth the client, then yes, it would have to re-auth at next association...

Thanks Terry.

And please let me know if my interpretation is correct:

- Suppose that I specify a Timeout (attr 27) in the Radius Access-Accept , together with Termination-Action (attr 29) set to "Radius request".

- After Timeout elapses, the Controller sends another Access-Request to the Radius server, transparently for the user.

- If the Radius server considers that the user is still authorized, an Access-Accept is sent back.

- Otherwise, Access-Reject is sent and the Controller starts to redirect HTTP requests and drop other kinds of traffic.

I don't think anything is done in the background/transparent when the session timeout occurs.

If radius sends you a Session Timeout of 30 minutes, then at 30 minutes the WLC puts the client in a Web Auth Required state again. At which point, they will have to open Internet Browser and send the credentials again (manual process).

The session timeout is a hard-stop to force reauthentication....

The access-request/access-accepts  (as far as I know) are only for the full authentication.
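
As an added illustration (not part of the thread and not Cisco or RADIUS-server code), this decodes the two attributes discussed above, Session-Timeout (27) and Termination-Action (29), from an Access-Accept so you can check what your RADIUS server actually sends. The sample packet is constructed with a zeroed authenticator, and the function names are hypothetical; attribute layout follows RFC 2865.

```python
import struct

# RFC 2865 values for the attributes named in the thread.
ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
TERMINATION_ACTIONS = {0: "Default", 1: "RADIUS-Request"}


def build_access_accept(identifier, attributes):
    """Build a constructed Access-Accept (zeroed authenticator, lab use only)."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return header + bytes(16) + body


def parse_session_policy(packet):
    """Return the Session-Timeout / Termination-Action carried in an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    policy = {"session_timeout": None, "termination_action": None}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError(f"bad length on attribute {attr_type}")
        if attr_type in (SESSION_TIMEOUT, TERMINATION_ACTION):
            if attr_len != 6:  # both are 4-byte integers plus 2-byte header
                raise ValueError(f"attribute {attr_type} must be 6 bytes")
            number = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            if attr_type == SESSION_TIMEOUT:
                policy["session_timeout"] = number  # seconds
            else:
                policy["termination_action"] = TERMINATION_ACTIONS.get(
                    number, f"unknown({number})")
        pos += attr_len  # skip attributes we do not inspect
    return policy


# Constructed sample: 30-minute timeout with Termination-Action = RADIUS-Request.
SAMPLE = build_access_accept(7, [(SESSION_TIMEOUT, 1800), (TERMINATION_ACTION, 1)])

if __name__ == "__main__":
    print(parse_session_policy(SAMPLE))
```
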

Very good points!  Guest users I deal with are mostly creating VPN connections back to their companies, so we made our session timeout last a little longer than the typical business day.

Thanks Robert.

I read the reply posted after yours, which is a bit different and more flexible: HTTP traffic is again redirected, all other traffic dropped (except possibly DNS).
