Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Disable re authentication for wlan users

I Would like the WLAN users to get authenticated one time using username and password , im wondering which method can be used .

Everyone's tags (4)
13 REPLIES

Re: Disable re authentication for wlan users

What security type you have for your wlan?

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
New Member

Re: Disable re authentication for wlan users

I have the option to use and security method that allow me to use a user name and password

Sent from my iPhone

Re: Disable re authentication for wlan users

If you are using 802.1x authentication, you can control the user quotas from the radius server.

You can create a user and allow it for only 1 absolute session. You can also decide if they have one session per week or per day...etc. You can also control how session time (2 hours for a session for example).

This depends on your radius server functionality if it provides those features.

Also, you can create a user that is only valid in a time limit (vlaid for 8 hours only for example) so when it connects the sessoin starts counting and the user not valid to authenticate after 8 hours from his/her first success authenticatoin. (you can use this option with or without the session limit above). This (time limit) is also valid if you want to use web-auth WLAN.

Again, you need to check if those options available in your radius server.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Re: Disable re authentication for wlan users

Hi Amjad ,

Many thanks !

Do you have guide for that ?

I already configured radius authentication and it working fine

Regards ,

Amro

Sent from my iPhone

New Member

Re: Disable re authentication for wlan users

Btw I forgot to tell you that I'm using cisco ACS as radius server

Sent from my iPhone

Disable re authentication for wlan users

Hi Ahmed,

there is a time-out method under WLAN "name" on the controller, which you can increase or decrease to keep session alive without timeing out.

thanks

Rizwan Rafeek

New Member

Re: Disable re authentication for wlan users

Hi Rizwan,

I tried that option but it didn't work

Sent from my iPhone

Disable re authentication for wlan users

Hello Amro,

I had this issue before on my wlan controller, what I have suggested to you was the solution to my problem.

If you have tried that already and didn't help you, I would recommand to you look into radius server itself, there might be a parameter that you could set to 24hrs at least.

thanks

Re: Disable re authentication for wlan users

Salam Rizwan:

Controlling the session time-out can not help in making a client authentication ONE TIME ONLY.

It can affect the session and the user may get disconnected after the session times out. However, the user is still able to connect again and authentiate (if he knows the credentials).

Amro: What is the ACS version you are having?

on ACS 4.x the option is available either under user options.

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Re: Disable re authentication for wlan users

Hi Amjad ,

Im using ACS 4.2 . i found the options but im not sure if it can work with web auth instead of 802.1x .

Regards ,

Amro

Date: Wed, 6 Jun 2012 01:52:54 -0600

From: supportforums-donotreply@supportforums.cisco.com

To: satla3@hotmail.com

Subject: - Re: Disable re authentication for wlan users

Home

Re: Disable re authentication for wlan users

created by Amjad Abdullah in Getting Started with Wireless - View the full discussion

Salam Rizwan:Controlling the session time-out can not help in making a client authentication ONE TIME ONLY.It can affect the session and the user may get disconnected after the session times out. However, the user is still able to connect again and authentiate (if he knows the credentials). Amro: What is the ACS version you are having?on ACS 4.x the option is available either under user options. Thanks. Amjad

Reply to this message by going to Home

Start a new discussion in Getting Started with Wireless at Home

Re: Disable re authentication for wlan users

Hi Amro,

It does not work with web-auth if you are using radius as a user DB to authenticate clients.

If you noticed, I started my first reply above with "If you are using 802.1x authentication, you can control the user quotas....etc".

with 802.1x auth there are attributes that tell the WLC about many things including Layer 2 reauth timeout for clients. (represented in pmk lifetime because when the pmk expires the reauth is needed automatically).

If you are using web-auth then those attributes are not sent to the wlc and hence wlc uses his own timeout methods to control timeout of the client (session-timeout, user idle-timeout...etc).

If you use web-auth what you can do is to create a user and mention the lifetiem of the user on the radius. You can not specify however the number of sessions the user can do. The user may disconnect and connect many times as long as his username is valid on the radius.

If the user lifetime expired on radius, the user does not immedietly disconnected. However, it needs to wait until next session-timeout (or idle-timeout) timer on WLC to expire (or the user manually disconnect). After that if the clients try to re-connect it will not be able to becaue the radius user is no longer valid to connect.

If you want the web-auth user to be directly deleted after its configured timeout expires you need to configure the usrs on local WLC DB, not on radius.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Re: Disable re authentication for wlan users

Amjad , Its working fine now , Many Thanks for your support . Im now struggling on another issue , our customer would like to use AD instead of ACS .I tried to configure LDAP generic DB on ACS but unfortunatly it support TACACS+ only ( RADIUS is not supported ). Any Idea about this ? BTW our customer is having Cisco NAC CAM, CAS and Profiler . i know that NAC can do the work , but we are trying to keep it as the last option . Regards , Amro

Date: Wed, 6 Jun 2012 03:54:17 -0600

From: supportforums-donotreply@supportforums.cisco.com

To: satla3@hotmail.com

Subject: - Re: Disable re authentication for wlan users

Home

Re: Disable re authentication for wlan users

created by Amjad Abdullah in Getting Started with Wireless - View the full discussion

Amro:It does not work with web-auth if you are using radius as a user DB to authenticate clients.If you noticed, I started my first reply above with "If you are using 802.1x authentication, you can control the user quotas....etc".with 802.1x auth there are attributes that tell the WLC about many things including Layer 2 reauth timeout for clients. (represented in pmk lifetime because when the pmk expires the reauth is needed automatically).If you are using web-auth then those attributes are not sent to the wlc and hence wlc uses his own timeout methods to control timeout of the client (session-timeout, user idle-timeout...etc). If you use web-auth what you can do is to create a user and mention the lifetiem of the user on the radius. You can not specify however the number of sessions the user can do. The user may disconnect and connect many times as long as his username is valid on the radius.If the user lifetime expired on radius, the user does not immedietly disconnected. However, it needs to wait until next session-timeout (or idle-timeout) timer on WLC to expire (or the user manually disconnect). After that if the clients try to re-connect it will not be able to becaue the radius user is no longer valid to connect. If you want the web-auth user to be directly deleted after its configured timeout expires you need to configure the usrs on local WLC DB, not on radius. HTH Amjad

Reply to this message by going to Home

Start a new discussion in Getting Started with Wireless at Home

Re: Disable re authentication for wlan users

Amro:

I am glad that it is now working
don't forget please to mark correct answers. ;-)

about your issue, you can simply use external DB with ACS and add the AD as external DB.

also, what do you mean by only TACACS+ with generic LDAP on ACS? radius is also supported of course! not only TACACS+.

Please open a new thread for the new issue and we'll be glad to assist.

Amjad

Rating useful replies is more useful than saying "Thank you"
2552
Views
0
Helpful
13
Replies