ISE 1.2 iOS device re-auth (device drops WiFi)

Josh Morris
Level 3

My guest users use web-auth for authentication. An issue I've run into is that iOS devices drop WiFi during lock/sleep. This means that if they were authenticated, they will have to reconnect/reauthenticate to the SSID. I would like to find a way for these users to automatically reauthenticate (assuming they are still within their original session's timeout value). Think two-hour meeting. Is there a way for me to set this up in ISE policy?

Something like:

IF user was authenticated within the session timeout value (6hrs)

THEN automatically let them back on without having to re-authenticate

Thanks.

9 Replies

George Stefanick
VIP Alumni

Your issue sounds like the idle timeout value, which is found on the controller tab towards the bottom. iOS devices don't chatter a lot, and when they go to sleep they send a deauth frame to the AP. The idle timer by default is 300 seconds (5 minutes). If your iOS device doesn't send a frame within a 5-minute interval, the WLC deauths the iOS device. This causes a poor user experience, reauth screen, etc.

You would need to expand the idle timeout. In 7.5 you have the sleeping client feature, which also helps with this issue.

Note that when you expand the idle timeout, clients who "walk off" and don't disconnect will still show in your WLC client table until their timer expires.

Hope this helps

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
__________________________________________________________________________________________

Thanks George. Fortunately, my idle timer is already increased to a high value. I am running 7.5, but am not familiar with the sleeping client feature. I will look it up.

I think the issue I'm experiencing is caused by the client itself, though. I think the iOS device itself shuts off WiFi when it goes to sleep.

EDIT: I just found out that I cannot use the sleeping client feature because I am using ISE to do centralized web-auth, therefore I am not using any L3 security. So sleeping client is not supported. I think I'd really like to find a way to do this with ISE.

This is a known issue with guest users. One option would be to use device registration. When guest users successfully authenticate, you can redirect them to this page, where the MAC address is stored in a pre-defined identity group. When the guest user connects back up, they are authenticated with the MAC address instead of being redirected to the CWA authorization policy.

I have an article on this here -

https://supportforums.cisco.com/docs/DOC-26667

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

I had considered device registration but dismissed it. After reading your document, it may be a viable option. I am in a medical facility, so this policy could be helpful. I have a couple of questions, though: is there a way to do this without having to reauthenticate the session in 1.2? Also, is there a way to force the user to enter some bit of information (name, email) that can be stored as an endpoint identifier?

I am now thinking that the web-auth Tarik mentioned is not an option. I would like to use device registration so I can easily re-authenticate based on group membership. The problem with that is I have no way (other than manually) to purge the registered devices endpoint group. It would become too large.

I am still trying to find a way for ISE to keep session information on an iDevice that goes into sleep, so it won't have to re-web-auth after waking up from sleep.
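As an added example (not code from this thread, from Cisco ISE or from the linked document), here is the device-registration approach Tarik describes, together with the purge problem raised just above, modelled in stand-alone Python: a MAC-keyed registration table with a retention window, so a returning MAC inside the window is permitted by MAC alone instead of being redirected to the CWA portal, and registrations past the window are listed and removed rather than accumulating forever. The CSV export layout, the 24-hour window, the MAC formats accepted and the sample rows are all assumptions for the illustration; nothing here talks to ISE or the WLC.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export of the registered-devices endpoint group (not real data).
# Column layout is an assumption: mac, registered_at, last_seen (ISO-8601, UTC).
REGISTERED_DEVICES_CSV = """\
mac,registered_at,last_seen
AA:BB:CC:DD:EE:01,2014-03-10T08:00:00Z,2014-03-10T17:30:00Z
aa-bb-cc-dd-ee-02,2014-03-09T07:15:00Z,2014-03-10T17:40:00Z
AABB.CCDD.EE03,2014-03-10T11:45:00Z,2014-03-10T12:10:00Z
"""

# Hypothetical retention window: a guest hits the CWA portal again at most once per day.
RETENTION = timedelta(hours=24)


def normalize_mac(mac):
    """Canonical lowercase aa:bb:cc:dd:ee:ff form, accepting ':', '-', '.' or no separators."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ts(text):
    """Parse the export's ISO-8601 UTC timestamps into timezone-aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_registrations(csv_text):
    """MAC -> {registered_at, last_seen}; duplicate rows keep the newest registration."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(row["mac"])
        entry = {"registered_at": parse_ts(row["registered_at"]),
                 "last_seen": parse_ts(row["last_seen"])}
        if mac not in table or entry["registered_at"] > table[mac]["registered_at"]:
            table[mac] = entry
    return table


def authorize(mac, registrations, now, retention=RETENTION):
    """Policy decision for a (re)connecting guest MAC.

    'MAB-PERMIT'  : registered inside the window, so the device is let on by MAC
                    alone and never sees the web-auth page after waking up.
    'CWA-REDIRECT': unknown MAC, or registration older than the window, so the
                    user goes through the central web-auth portal and re-registers.
    Expiry is measured from registered_at, not last_seen: a device that keeps
    reconnecting every few minutes must still re-register once the window ends.
    """
    entry = registrations.get(normalize_mac(mac))
    if entry is None or now - entry["registered_at"] > retention:
        return "CWA-REDIRECT"
    return "MAB-PERMIT"


def stale_endpoints(registrations, now, retention=RETENTION):
    """Registered MACs whose registration is older than the window: purge candidates."""
    return sorted(mac for mac, e in registrations.items()
                  if now - e["registered_at"] > retention)


def purge_stale(registrations, now, retention=RETENTION):
    """Remove stale entries in place; return the MACs removed so the run can be logged."""
    removed = stale_endpoints(registrations, now, retention)
    for mac in removed:
        del registrations[mac]
    return removed


def run_demo(now_text="2014-03-10T18:00:00Z"):
    """Evaluate the constructed export at a fixed instant; return decisions and purge list."""
    now = parse_ts(now_text)
    regs = load_registrations(REGISTERED_DEVICES_CSV)
    decisions = {mac: authorize(mac, regs, now) for mac in sorted(regs)}
    decisions["00:11:22:33:44:55"] = authorize("00:11:22:33:44:55", regs, now)  # never registered
    purged = purge_stale(regs, now)
    return {"decisions": decisions, "purged": purged, "remaining": sorted(regs)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Run against the sample rows at 2014-03-10T18:00Z, the first and third MACs are permitted by MAC, the second (registered 34 hours earlier, even though it was seen 20 minutes ago) is redirected to CWA and is the only purge candidate, and an unregistered MAC is redirected. Keying expiry on registration time rather than last-seen time is what keeps the group bounded when sleeping iPads reconnect every few minutes.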

Josh,

You may want to hit the wireless forums also, as I think the Apple device may send a disassociation notification to the wireless device. When this happens, a RADIUS accounting stop packet is sent to ISE, where the corresponding AAA session-id is then released and licensing is updated (ISE uses RADIUS accounting to track the concurrent users).

With this, there is no way you can look into ISE holding or not expiring sessions based on device type. The NAD (WLC) sets the AAA session-id, and I don't think extending the association timer will help any if the client is sending the disassociation notification.

Thanks,

Tarik Admani
*Please rate helpful posts*

I'm actually trying out this option myself for testing purposes: the device registration web-auth, using only the AUP. What it does is the users join the WLAN, open a web browser and get redirected to a portal that shows the Acceptable Use Policy. When they accept the terms and conditions, the device registers into the endpoint identity group of my choice and lands in an authorization rule I've created. The problem with this is that whenever the users do this whole process they can't browse or anything; I have to release/renew the IP address on the guest endpoint, or clear the session in the WLC, despite everything in ISE and the WLC showing that everything is correct. Is there any way not to do this? Or is it necessary to re-authenticate, as you say?

Josh Morris
Level 3

I figured out a solution to this issue.

I was initially using ISE to send a RADIUS override with a session timeout value. I did this with different values for different authorization policies. I think this somehow meant ISE was controlling the session, not the WLC. So when the iPad dropped WiFi during sleep, the controller lost its state, and ISE terminated the session. To resolve it, I removed the Reauthentication timer from ISE and let the controller provide the session timeout value. Now, when the iPad goes to sleep, it still drops WiFi, but the session state is maintained in the WLC, and the iPad just reauths successfully with ISE. So the user doesn't have to hit the web-auth page again upon waking the device; WiFi is just up and connected.

On a side note, I found out that the iPad sends wireless beacons out every 10 minutes. So essentially, it reauthenticates with ISE every 10 minutes. I have not hit my idle timeout value yet, but I'm afraid that because of this 10-minute beacon, even a sleeping iPad will not be idle long enough to be disassociated.

OK, I'm seeing a lot of "Correct Answer" type replies in another similar posting, but not a complete answer. I have a similar issue, but only on a 2504 running 7.4.110. I have two 5508s running 7.4.115, and they don't seem to have this issue, however I could be wrong. Also, I'm running ISE 1.2, patch 2, soon to be patch 3, with the 5508s. I do not yet have ISE working with the 2504, but that is coming. We're not running FlexConnect.

My users are a mix of guest users via the ISE Sponsor Portal, and employees, who authenticate via Active Directory. I am having problems putting the specifications into user-friendly terms. If I have to add a Registration Portal, I need to be able to explain who would use it and under what situation(s).

So, I guess what I'm looking for is the minimum OS I should be running on each platform to support ISE, WebAuth, and Apple & Android devices.

I don't seem to have Security --> Local Policy on either of my builds, so I'm guessing that this was added in 7.5. Given ISE 1.2, are there some minimal WLC builds I should be using? Alternatively, is there ANY reason NOT to upgrade to 7.6?

Tarik's link seems to include ISE 1.1.1, so I'm not sure how applicable it is to ISE 1.2. I'm not opposed to using device registration for employee devices, but I do not believe I wish to do this for guest/sponsored devices. I am not planning on a full BYOD rollout, so I do not wish to complicate things with an advanced license. My understanding is that with AD integration, I probably don't need a MyDevices portal.

In short, I'd like guest devices to have to auth at most once per day, and employees should be good until their AD credential expires. Again, I thought I had this working on a pilot using WLC 5508s and 7.4.115, but this definitely is not working in WLC 2504 with 7.4.110.

The only other thing I'd want is to be able to put the guest devices on one VLAN/SSID and the employee devices on another, but that's not as important at this time.
