New Member

Enable Session Timeout in WLC

Hi everyone,

I can connect to the WLC and then I disconnect. When I am back in the coverage area it automatically connects me again.

I need to understand: is this due to the Enable Session Timeout setting in the Advanced field of the SSID?

If Enable Session Timeout is checked, does it remember the user credentials for the amount of time that is configured in Enable Session Timeout?

Regards

Mahesh

22 REPLIES

Re: Enable Session Timeout in WLC

No Sir. That feature will kick a client off when the timer is hit, thus causing the client to reauth. In your case, when you leave coverage and return you are coming back onto the network, and that requires a reauth. If you are trying to keep a session live you could move the idle session timer higher, although this is a workaround and I wouldn't suggest it.

Normal practice is that you should reauth when you leave and come back into the network. As for asking for your ID, most supplicants cache this or are configured to present it for you to the wireless.

Can you share more about what you are trying to achieve?

Sent from Cisco Technical Support iPad App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Re: Enable Session Timeout in WLC

Hi George,

I want to know why, when I take my cell phone near the WAP today, it connects me automatically.

I can see the IP address on my cell phone.

So I need to understand: if RADIUS authentication is configured on the WLC, then when I come closer to the coverage area, before giving an IP to my cell phone it should ask for the PW, right?

How is my PC getting an IP automatically when I come close to the coverage area?

Regards

Mahesh

New Member

Re: Enable Session Timeout in WLC

Mahesh18,

I guess that your WLC is set up with a locally stored password (pre-shared password). When you first connected your phone it probably cached that password. Try to make your phone "forget" your network - it should not re-join. The same applies to your PC.

New Member

Enable Session Timeout in WLC

Hi Vlad,

But the password was an RSA token, so does it remember the RSA token also?

Regards

Mahesh

Enable Session Timeout in WLC

Under your Controller tab, what is your user idle timer at?

‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

New Member

Enable Session Timeout in WLC

Hi George,

It is 300 secs.

Regards

Mahesh

New Member

Enable Session Timeout in WLC

No, it should not remember anything related to EAP types. It may be that the user never dropped out. Does the WLC show the user as still authenticated, or does the user disappear? (Client section of the GUI.)

New Member

Enable Session Timeout in WLC

Wrong statement above. Profiles should not retain anything related to your RSA tokens. But the generated pairwise master keys may be retained for some time before they expire. I am not sure, but 'debug aaa events enable' may reveal what is happening.

New Member

Enable Session Timeout in WLC

Hi Vlad,

If I enable debugging, how can I see the debug output?

In switches we use terminal monitor.

Also, how can I stop debugging?

Regards

Mahesh

New Member

Enable Session Timeout in WLC

If you are logged in to the WLC over SSH you don't need "terminal monitor" - just "debug ... ". To disable it you can use either "debug aaa events disable" or "debug disable-all". Debug will also stop if you exit the SSH session.

As usual with debug, be careful not to over-stress your terminal sessions.

Re: Enable Session Timeout in WLC

I would think the idle timeout would kick in and delete the client record along with the PMK.

Sent from Cisco Technical Support iPhone App


Re: Enable Session Timeout in WLC

Along with Vlad's comment, I would do a client debug, leave the network and come back on. Post the log.

Sent from Cisco Technical Support iPhone App

New Member

Enable Session Timeout in WLC

Debug client alone does not work.

Should I use some options?

New Member

Enable Session Timeout in WLC

Yes, I think so too. The session should time out and get cleared from the WLC along with all its attributes. That is my understanding.

New Member

Enable Session Timeout in WLC

Hi Vlad,

I enabled debug aaa events enable but I see no output on the CLI?

New Member

Enable Session Timeout in WLC

Are there authentication events happening? There will be nothing until you authenticate/reauthenticate.

Also, the command that George mentioned above - are you just running debug client? The command should be followed by the MAC address of the client you wish to debug.

New Member

Enable Session Timeout in WLC

Hi Vlad,

The user went near the coverage area with a cell phone and got the IP; when he tried to access the internet it asked for RSA.

But I see no logs on the CLI.

Regards

Mahesh

New Member

Enable Session Timeout in WLC

Run "show client detail " while the user is associated.

Re: Enable Session Timeout in WLC

Ok, some assumptions here on my part based on your comment.

You are using RADIUS. When your Wi-Fi station comes into coverage, and it's configured for the network and your supplicant is configured to join automatically, your station will connect to the Wi-Fi and RADIUS auth will happen. After you pass, you get an IP address.

EAP is layer 2. Once you are authenticated, you get layer 3 (IP address) and network connectivity.

Does this answer your question?

New Member

Enable Session Timeout in WLC

Hi George,

One more update: my PC gets an IP automatically, but to access the internet it asks for authentication, which is RSA?

Regards

Mahesh

Re: Enable Session Timeout in WLC

You need to do a re-auth each and every time the session is timed out. To increase the session timer you can increase the idle timeout.

Bronze

Enable Session Timeout in WLC

The session timeout parameter on the WLC can be used to accomplish this. By default, the session timeout parameter is configured for 1800 seconds before a reauthentication occurs.

Change this value to 180 seconds in order to make the client reauthenticate after three minutes.

In order to access the session timeout parameter, click the WLANs menu in the GUI. It displays the list of WLANs configured in the WLC. Click the WLAN to which the client belongs. Go to the Advanced tab and you find Enable Session Timeout parameter. Change the default value to 180, and click Apply for the changes to take effect.

When sent in an Access-Accept, along with a Termination-Action value of RADIUS-Request, the Session-Timeout attribute specifies the maximum number of seconds of service provided before re-authentication. In this case, the Session-Timeout attribute is used to load the ReAuthPeriod constant within the Reauthentication Timer state machine of 802.1X.

Please check the link below, which can be helpful in making a decision:

http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
