Longer session timeout

CapUcisco
Level 1

Hello,

We are using web-auth with a Radius server.

We need to increase the Session timeout to 30 days so that the clients need to re-authenticate after 30 days.

The maximum on our WLC 5500 is 65535 seconds (=18 hours).

How can we extend it to 30 days?

Thank you!

Val

18 Replies

Saurav Lodh
Level 7

Hello,

You can assign a value only between 300 and 86400 seconds to specify the duration of the client session.

We are running version 7.5.102.0

Under WLANs tab, under a specific SSID, under Advanced, the actual maximum time under 'Enable Session Timeout' is 65535 seconds (which is 18 hours).

Scott Fella
Hall of Fame

You can also use v7.5, which has the sleep client feature. This allows you to have a client stay logged in for up to 720 hours or 30 days. This would be located in the WLAN under the advanced tab.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Maybe I'm missing something. Why so long? Session timeout starts when a client connects. Once they disconnect and reconnect, the session timer starts over. Do you expect clients to stay attached for 30 days without disconnecting? The main reason for session timeout is to rekey or break users off the guest and have them reauth. But again, session starts when the client connects.



Sent from Cisco Technical Support iPad App

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thank you Scott!

We are running version 7.5.102.0

I couldn't find that sleep client feature under the Advanced tab of a particular SSID. What is it exactly called?

Like George says, we basically want to authenticate users one time so they don't have to authenticate again in 30 days (to make it easier for them).

Hi Val,

I'm afraid this isn't supported.

"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Scott Fella
Hall of Fame
Hall of Fame

Val,

Like George mentioned, session timer is for the overall session. You need to understand what each timer does, the session timer, the idle timer and sleeping client, if you are on v7.5.

-Scott

Val, exactly what are you trying to achieve? My guess, and it's only a guess, is that you want to have a guest log in one time and not have to log in again for 30 days? If my guess is right and if this is what you are trying to do, it's not supported.


Thank you George!

Your guess was right, we want to make it easier for our users. These are not guest users, but registered students/staff.

Basically they authenticate via a Radius server which passes on authentication to our AD\domain users.

What options do we have?

I would remove the web-auth. You mentioned this in your first post. Web-auth means there is some interaction with a web screen. This is normally used for guest.

Create a simple WLAN and use EAP. That's really it. On the client side, when you configure the supplicant, check the automatically connect box (Windows). Or on an iDevice make sure "ask to join networks" is off.

Make sense?


Ok, so we can configure EAP instead with an LDAP authentication back-end.

But how would the client be forced to re-authenticate every 30 days in that case?

Well, EAP is specific to radius. What are you using for radius today?

As for re-auth: each time the user enters the network, the device will reauth automatically. It has to reauth each time. There is no way around that. But since your profile is built, the user won't have to intervene.


We use Microsoft's Network Policy Server (NPS version 6) as a Radius server.

Can we not eliminate the Radius server and use an LDAP authentication directly?

While you can with local EAP on the controller, there are limitations.

See this link

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#deta

Sounds like we have 2 items of interest. Radius and your 30 day auth.

Let's put the 30 day auth to rest. Each and every time you come onto the network you have to auth. There is no way around this. If you configure a wireless client supplicant you can have this auto connect for the user.
