Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Guest Re-Authentication on ISE

Unanswered Question
Mar 6th, 2014
User Badges:

Good Afternoon,

Am using ISE 1.2 to authenticate guest users on the WLC.

I created a sponsor account that creates guest credentials (username and password) and a time profile of 8hours, 24hours, 1week, 1month and 3months repectively and it worked fine.

Recently, it accepts the guest credentials and gives access to the network for about 2 to 3 minutes before it terminates the session and asks the user to re-authentication on the guest portal. This continues repeatedly irrespective of the time profile i choose. Moreover, every other users aside from the Guest users authenticate on the ISE without such challenge.

Thanks for ur suggestions in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Naresh Ginjupalli Thu, 03/06/2014 - 06:38
User Badges:
  • Cisco Employee,

Hi Joseph,

As shown in below screen shot , For  Authz profile that these guest are hitting there is a default session timeout value set for re-authentication and also there is a attribute to maintain connectivity .

Maintain Connectivity During Reauthentication has two option :

Default :-  If you set this option , it will take the CoA action 'Terminate'

Radius-Request :-  If you set this option , it will take the CoA action 'Re-auth'

Can you please check if these values are intact to your configuration.

Joseph Oloyede Fri, 03/07/2014 - 01:06
User Badges:

Hello nginjupa,

Thanks for the assistance, however, am not using the reauthentication option in the Authz profile. Am using a DACL name of which i have create the access-list on the Downloadable ACLs. This is used to push down the access-list to the switch and the WLC.

It still gives access to the network after authentication by the guest user, but knocks the user off after about 3 - 5 minutes. That is, the user will have to re-authenticate again with the same credentials and the problem re-occur again over and over.

See below the screen shots for both the Authz profile and the Authz policy.

Authz profile.PNGAuthz policy.PNG

Pranav Gade Tue, 08/12/2014 - 02:02
User Badges:

Hi Guys,

I am also facing the same issue as we have updated the image to 1.2.1 and usinf cwa ( mac filtering ) on wlc, session time 1800 on wlc.

But still after 5-6 min guest user asking for username and password to guest redirection url.


Can anybody gives me the solution for the same.


Thanks & Reagrds


awatson20 Tue, 08/12/2014 - 02:44
User Badges:

It is a software bug on the wireless controller software 7.4MR2.  You need to open a TAC case and request an engineering release from Cisco that contains the fix.  The fix was put in

egodalisse Mon, 09/12/2016 - 05:22
User Badges:

same issue, I have tried to configure both the radius attributes Radius:Idle-Timeout and Radius:Session-Timeout. Bot hhave been set to 1900.

I keep being disconnected around 10 min after the iphone goes to sleep.

Could you show us your authorization profile ?

awatson20 Mon, 09/12/2016 - 05:28
User Badges:

What version of software are you running on your wireless controllers?

egodalisse Mon, 09/12/2016 - 09:44
User Badges:

8.0.133 on both the foreign and anchor controllers

I have been told we can configure the user idle time out per SSID on 8.1

Parag Mahajan Fri, 03/07/2014 - 08:56
User Badges:
  • Cisco Employee,

Hi ,

Its worth checking SSID setting in - > advanced - >Enable Session Timeout . Hope the value configured around 1800 ..

Bastien Migette Sun, 03/09/2014 - 14:22
User Badges:
  • Cisco Employee,

You might start by doing a debug client <mac> and see on the WLC what causes client disconnection.

Also make sure you are running a recent version of the WLC as there could be some issues.

Check also what is the Policy state of the client after web auth. It should move from WEBAUTH_REQD to RUN (you can see this in the monitor > Client menu). WLC will expire all clients that are in WEBAUTH_REQD state after 10 mn.

a.dvorak Wed, 03/12/2014 - 15:15
User Badges:


I have the same problem since yestarday because I have updated the wlc to 7.4.121 and the Ise to patch6-Meanwhile I am thinking that could be a bug or a change in the default properties-I don´t know.

I hope somebody can solve the problem-otherwise I should open a case.... :(


regards alex

awatson20 Thu, 03/20/2014 - 17:14
User Badges:
I have the exact same problem. TAC said it looked like a bug. Have you come up with a work a round? https://tools.cisco.com/bugsearch/bug/CSCul43158 Symptom:Wireless devices are randomly disconnected every 5-10 minutes with unknown policy timeout message in debug client Conditions:Clients using Central Web Authentication (CWA). Workaround:none More Info:
andres.picos Fri, 09/26/2014 - 16:16
User Badges:

I had the same problem. I have vWLC and 2500 series WLC. The bug  CSCul43158 Was fixed.

I upgrade from 7.6.100 to and the problem was fixed. Now the wireless is working fine.

kaaftab Thu, 03/13/2014 - 11:45
User Badges:
  • Silver, 250 points or more

check the WLC for time out value if no change has been made on ISE since last deployment.

bhose Sat, 09/27/2014 - 04:58
User Badges:

We had the same challenges. The issue is that the device is going to sleep and the WLC times out the connection.

The way we fixed it was to use RADIUS attribute in the AuthZ profile to set the session timeout and inactivity timeout value to 8hrs. Works great


This Discussion