Enable Session Timeout in WLC

mahesh18 · ‎09-10-2013

Hi everyone,

I can connect to WLC and i disconnect then.Wehn i am back in coverage area it automatically connects me again.

Need to understand is this die to the enable session timeout settings in advanced field of SSID?

IF enable timeout is checked then does it remember the user credentials for that amont of time that is config in enable session timeout?

Regards

Mahesh

George Stefanick · ‎09-10-2013

No Sir.. That feature will kick a client off when the timer his hit. Thus causing the client to reauth. In your case when you leave coverage and return you are coming back onto the network and requires a reauth. If you are trying to keep a session live you could move the idle session timer higher. Although this is a work around and I wouldn't suggest it.

Normal practice is you should reauth when you leave and come back into the network .. As for asking for you ID. Most supplicant cache this or are configured to present them for you to the wireless.

Can you share more about what you are trying to archive ?

Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

mahesh18 · ‎09-10-2013

Hi George,

I want to know when i take my cell phone near the WAP today it connects me automatically.

I can see the IP address on my cell phone.

so need to understand if radius authentication is config on WLC then when i come closer to coverage area before giving IP to my cell phone it should ask for PW right?

How my PC is getting IP automatically when i come close to coverage area?

Regards

Mahesh

vlad.mihailov · ‎09-10-2013

Mahesh18,

I guess that your WLC is setup with locally stored password (pre-shared password). When you first time connected your phone it probably cashed that password. Try and make your phone "forget" your network - it should not re-join. Same applies to your PC.

mahesh18 · ‎09-10-2013

Hi Vlad,

But the password was RSA token so does it remembers RSA token also?

Regards

Mahesh

George Stefanick · ‎09-10-2013

Under your controller tab what is your user idle timer at ?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

mahesh18 · ‎09-10-2013

Hi George,

It is 300 secs.

Regards

Mahesh

vlad.mihailov · ‎09-10-2013

No, it should not remember anything related to EAP-types. There may be user never dropped out. Does the WLC show the user been still authenticated or does the user disapear? (Client section of the GUI).

vlad.mihailov · ‎09-10-2013

Wrong statement above. Profiles should not retain anything related to your RSA tokiens. But the generated pairwise master keys may be retained for some time before they expire. I am not sure but 'debug aaa events enable' may reveal what is happenning.

mahesh18 · ‎09-10-2013

Hi Vlad,

If i enable debugging how can i see the debug output?

in switches we use terminal monitor.

Also how can i stop debugging ?

Regards

Mahesh

vlad.mihailov · ‎09-10-2013

If you are logged in to the WLC over SSH you don't need the "terminal monitor" - just "debug ... ". To disable you can use wither "debug aaa events disable" or "debug disable-all". Also debug will stop if you exit ssh session.

As usually whith debug be careful not to over-stress your terminal sessions.

George Stefanick · ‎09-10-2013

I world think idle timeout would kick in delet the client record along with the pmk ..

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George Stefanick · ‎09-10-2013

Along with Vlads comment I would do a client debug leave the network and come back back on .. Post the log

Sent from Cisco Technical Support iPhone App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

mahesh18 · ‎09-10-2013

Debug client alone does not work.

should i use some options?

vlad.mihailov · ‎09-10-2013

Yes I think so too. Session should time out and get cleared from the WLC along with all its attribute. That is my understanding..