03-28-2017 02:53 AM - edited 07-05-2021 06:45 AM
Hi,
We have an issue where mobile devices (mostly Apple iPhones and iPads running a variety of OS versions) are getting de-authenticated from our guest Wi-Fi solution (using ForeScout) after around 5 minutes of inactivity on the lock screen. These devices seem to put their Wi-Fi into some kind of sleep mode while they are on the lock screen. We initially believed that this could be due to the User Idle Timeout and Session Timeout values, but after changing these to 8 hours we have not seen any difference. We've tried everything in these forums and the Cisco guides for iOS devices, but to no avail.
We did a client debug on the 5508 controller against the phone and found the following happened:
*apfMsConnTask_6: Mar 22 11:37:49.522: 2c:33:61:0f:f7:fc Got action frame from this client.
*apfMsConnTask_6: Mar 22 11:41:18.277: dot1xDoesPmkIdMatchPmk2, Received 11w Flag: 0
*apfMsConnTask_4: Mar 22 11:42:31.371: dot1xDoesPmkIdMatchPmk2, Received 11w Flag: 0
*apfMsConnTask_4: Mar 22 11:43:50.937: dot1xDoesPmkIdMatchPmk2, Received 11w Flag: 0
*SNMPTask: Mar 22 11:44:08.808: 2c:33:61:0f:f7:fc Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*apfReceiveTask: Mar 22 11:44:09.724: 2c:33:61:0f:f7:fc apfSendDisAssocMsgDebug (apf_80211.c:3541) Changing state for mobile 2c:33:61:0f:f7:fc on AP 6c:99:89:a6:84:60 from Disassociated to Disassociated
*apfReceiveTask: Mar 22 11:44:09.724: 2c:33:61:0f:f7:fc Sent Disassociate to mobile on AP 6c:99:89:a6:84:60-1 (reason 1, caller apf_ms.c:7614)
*apfReceiveTask: Mar 22 11:44:09.724: 2c:33:61:0f:f7:fc pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
Can anyone please help us? We are getting nowhere with our support provider and cannot find what reason code 252 means, which we need in order to work out what is happening here.
Thanks,
Tim
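Added example, not code from the original post: a Python script that parses the client debug lines quoted above, measures the gap between the client's last received frame and the WLC scheduling its deletion, and decodes the 802.11 reason code on the Disassociate. WLC timestamps carry no year, so 2017 is assumed from the post date; the reason-code table holds standard IEEE values only, so a vendor code such as 252 is reported as unknown.

```python
import re
from datetime import datetime

# Client debug lines copied from the post (embedded here so the script runs offline).
WLC_DEBUG = """\
*apfMsConnTask_6: Mar 22 11:37:49.522: 2c:33:61:0f:f7:fc Got action frame from this client.
*apfMsConnTask_6: Mar 22 11:41:18.277: dot1xDoesPmkIdMatchPmk2, Received 11w Flag: 0
*apfMsConnTask_4: Mar 22 11:43:50.937: dot1xDoesPmkIdMatchPmk2, Received 11w Flag: 0
*SNMPTask: Mar 22 11:44:08.808: 2c:33:61:0f:f7:fc Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
*apfReceiveTask: Mar 22 11:44:09.724: 2c:33:61:0f:f7:fc Sent Disassociate to mobile on AP 6c:99:89:a6:84:60-1 (reason 1, caller apf_ms.c:7614)
"""

# Standard IEEE 802.11 reason codes; anything else is reported as vendor-specific/unknown.
REASON_CODES = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending STA is leaving",
    4: "Disassociated due to inactivity",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
    8: "Disassociated because STA is leaving BSS",
}

LINE_RE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): (?P<msg>.*)$")
DROP_RE = re.compile(r"Sent (?:Disassociate|Deauthenticate) to mobile on AP (?P<ap>\S+) \(reason (?P<code>\d+)")

def parse_ts(ts, year):
    # The year is an assumption supplied by the caller; the debug output does not contain it.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")

def analyze(text, client_mac, year=2017):
    """Return (idle_gap, drops): the gap between the client's last received frame and the
    WLC scheduling its deletion, plus each disassoc/deauth sent to it with a decoded reason."""
    last_activity = deletion = None
    drops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or client_mac not in m["msg"]:
            continue                      # other clients, or generic dot1x chatter without a MAC
        ts = parse_ts(m["ts"], year)
        if "frame from this client" in m["msg"]:
            last_activity = ts            # last proof the device was actually awake
        elif "Scheduling deletion" in m["msg"] and deletion is None:
            deletion = ts
        d = DROP_RE.search(m["msg"])
        if d:
            code = int(d["code"])
            drops.append((ts, d["ap"], code, REASON_CODES.get(code, "vendor-specific/unknown")))
    gap = deletion - last_activity if deletion and last_activity else None
    return gap, drops
```

Run `analyze(WLC_DEBUG, "2c:33:61:0f:f7:fc")` against the posted lines and the gap comes out at 6 minutes 19 seconds, with a single Disassociate carrying reason 1.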
03-28-2017 03:28 AM
Hello
If you use web-auth, you can try the sleep client feature.
03-28-2017 03:33 AM
Hi,
We don't use the inbuilt Web Auth; we use an external RADIUS server of the Forescout NAC appliance.
I've tried adjusting the web auth timeout anyway with no luck, but thank you for the suggestion.
Tim
03-28-2017 04:04 AM
Maybe something with MFP? Try disabling it (if enabled).
Here is another deauth frame captured. This is triggered when I enable client management frame protection on an SSID. This time the AP sends a deauth to the client with reason code 6 – Class 2 frame received from nonauthenticated station.
https://mrncciew.com/2014/10/11/802-11-mgmt-deauth-disassociation-frames/
03-28-2017 12:38 PM
Hey,
I've experienced a very similar issue. Do you mind posting some additional info?
Can you run the following command: "show wlan <WLAN ID>"?
Please post the output of these lines from the show command:
Number of Active Clients......................... 115
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28800 seconds
User Idle Timeout................................ 28800 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
.....
Auth Key Management
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Disabled
...
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
PMF Association Comeback Time................. 1
PMF SA Query RetryTimeout..................... 200
Tkip MIC Countermeasure Hold-down Timer....... 60
I know you mentioned the idle/session timeouts were adjusted to eight hours.
03-29-2017 04:49 AM
Hi
Thanks for your reply! Here are our values:
Number of Active Clients......................... 4
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28800 seconds
User Idle Timeout................................ 14400 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
We don't seem to have the other values so here is the whole section:
WLAN Identifier.................................. 4
802.11 Authentication:........................ Open System
Mobility Anchor List
802.11u........................................ Disabled
MSAP Services.................................. Disabled
Lync State ...................................... Disabled
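Added example, not part of either post: a Python parser for the dotted-leader "show wlan" lines exchanged above that normalises the timers to seconds and states which of them can account for a drop after roughly five minutes. The 300-second interval is an assumption taken from the "around 5 minutes" in the opening post.

```python
import re

# "show wlan" excerpt as posted in the thread (embedded so the check runs offline).
SHOW_WLAN = """\
Number of Active Clients......................... 4
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 28800 seconds
User Idle Timeout................................ 14400 seconds
Sleep Client..................................... disable
Sleep Client Timeout............................. 720 minutes
User Idle Threshold.............................. 0 Bytes
Client MFP.................................... Optional but inactive (WPA2 not configured)
PMF........................................... Disabled
"""

LEADER_RE = re.compile(r"^\s*(?P<key>.+?)\s*\.{3,}\s*(?P<val>.*?)\s*$")
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}

def parse_show_wlan(text):
    """Turn dotted-leader lines into a dict; values with a time unit become int seconds."""
    cfg = {}
    for line in text.splitlines():
        m = LEADER_RE.match(line)
        if not m:
            continue
        parts = m["val"].split()
        if len(parts) == 2 and parts[0].isdigit() and parts[1].lower() in UNIT_SECONDS:
            cfg[m["key"]] = int(parts[0]) * UNIT_SECONDS[parts[1].lower()]
        else:
            cfg[m["key"]] = m["val"]
    return cfg

def check_idle_drop(cfg, observed_drop_seconds):
    """List which WLAN timers can or cannot account for a drop after observed_drop_seconds."""
    findings = []
    for timer in ("User Idle Timeout", "Session Timeout"):
        value = cfg.get(timer)
        if isinstance(value, int) and observed_drop_seconds < value:
            findings.append(f"{timer} is {value}s, longer than the {observed_drop_seconds}s drop: not the cause")
    if str(cfg.get("Sleep Client", "")).lower().startswith("disable"):
        findings.append("Sleep Client is disabled: a sleeping device is not remembered once it times out")
    if not str(cfg.get("Client MFP", "")).startswith("Disabled"):
        findings.append(f"Client MFP is '{cfg.get('Client MFP')}': MFP is a candidate to rule out")
    return findings
```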
04-30-2018 03:37 PM
You probably already solved this one, but we had the same issue and found that we had to either disable infrastructure management frame protection (not client MFP) if 802.11v transition support is enabled, or disable 802.11v and keep infrastructure MFP enabled.
Infrastructure MFP is a global setting and is located in Security -> Wireless Protection Policies - AP Authentication.