Cisco Support Community
New Member

Longer session timeout

Hello,

We are using web-auth with a Radius server.

We need to increase the Session timeout to 30 days so that the clients need to re-authenticate after 30 days.

The maximum on our WLC 5500 is 65535 seconds (=18 hours).

How can we extend it to 30 days?

Thank you!

Val

18 REPLIES

Longer session timeout

Hello,

You can assign a value only between 300 and 86400 seconds to specify the duration of the client session.

New Member

Longer session timeout

We are running version 7.5.102.0

Under WLANs tab, under a specific SSID, under Advanced, the actual maximum time under 'Enable Session Timeout' is 65535 seconds (which is 18 hours).

Hall of Fame Super Silver

Re: Longer session timeout

You can also use v7.5, which has the sleep client feature. This allows you to have a client stay logged in for up to 720 hours or 30 days. This would be located in the WLAN under the advanced tab.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Longer session timeout

Maybe I'm missing something. Why so long? Session timeout starts when a client connects. Once they disconnect and reconnect, the session timer starts over. Do you expect clients to stay attached for 30 days without disconnecting? The main reason for session timeout is to rekey or break users off the guest and have them reauth. But again, session starts when the client connects.



Sent from Cisco Technical Support iPad App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Longer session timeout

Thank you Scott!

We are running version 7.5.102.0

I couldn't find that sleep client feature under the Advanced tab of a particular SSID. What is it called exactly?

Like George says, we basically want to authenticate users one time so they don't have to authenticate again in 30 days (to make it easier for them).

Longer session timeout

Hi Val,

I'm afraid this isn't supported.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Hall of Fame Super Silver

Re: Longer session timeout

Val,

Like George mentioned, session timer is for the overall session. You need to understand what each timer does, the session timer, the idle timer and sleeping client, if you are on v7.5.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Re: Longer session timeout

Val, exactly what are you trying to achieve? My guess, and it's only a guess, is that you want to have a guest log in one time and not have to log in again for 30 days? If my guess is right and this is what you are trying to do, it's not supported.

Sent from Cisco Technical Support iPad App

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Longer session timeout

Thank you George!

Your guess was right, we want to make it easier for our users. These are not guest users, but registered students/staff.

Basically they authenticate via a Radius server which passes on authentication to our AD\domain users.

What options do we have?

Re: Longer session timeout

I would remove the web-auth. You mentioned this in your first post. Web-auth means there is some interaction with a web screen. This is normally used for guest.

Create a simple WLAN and use EAP. That's really it. On the client side, when you configure the supplicant, check the box to automatically connect (Windows). Or on an iDevice, make sure "ask to join networks" is off.

Make sense?

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

New Member

Longer session timeout

Ok, so we can configure EAP instead with an LDAP authentication back-end.

But how would the client be forced to re-authenticate every 30 days in that case?

Longer session timeout

Well, EAP is specific to RADIUS. What are you using for RADIUS today?

As for re-auth: each time the user enters the network, the device will reauth automatically. It has to reauth each time. There is no way around that. But since your profile is built, the user won't have to intervene.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

New Member

Longer session timeout

We use Microsoft's Network Policy Server (NPS version 6) as a Radius server.

Can we not eliminate the Radius server and use an LDAP authentication directly?

Longer session timeout

While you can with local EAP on the controller, there are limitations.

See this link

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#deta

Sounds like we have 2 items of interest: RADIUS and your 30 day auth.

Let's put the 30 day auth to rest. Each and every time you come onto the network you have to auth. There is no way around this. If you configure a wireless client supplicant, you can have this auto connect for the user.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Hall of Fame Super Gold

Longer session timeout

We use Microsoft's Network Policy Server (NPS version 6) as a Radius server.

Are you using MS Group Policy? If this is so, then you will run into problems during the 30-day mark where you may have to force each client to update GP using the command "gpupdate /force".

Hall of Fame Super Silver

Longer session timeout

Here is the thing... you have students, but are the devices they are using domain computers or are they personal computers? If they are personal computers, it's probably best to use webauth and authenticate back to AD using a RADIUS server (NPS). This way there is a captive portal page in which they log in using their AD credentials and you're done. Using EAP is generally for the staff, in which case they have domain computers and you can push out a GPO to configure the wireless policy. If the students use domain computers and you don't allow personal, then 802.1x PEAP is the way to go, or you can use machine authentication since they are your devices.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Longer session timeout

You can use the command “config wlan session-timeout wlan_id timeout” and check the maximum session timer supported.

Hall of Fame Super Silver

Re: Longer session timeout

Sleeping client is supported on the 2504, as I have it set up at home. It's under the WLAN layer 3 tab. See the screen shot.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***