Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

WLAN Controlle WEB AUTH, when is the session re-verified after initial authentication?

I am planning to use Web Authentication (With External Server) on Cisco WLAN controller.

Unfortunately, I still do not have one with which I can experiment, and cannot find the following info in the documentation.

After a user authenticates successfully first time, when is authentication performed again?

Is that periodic? Or maybe specified in the Access-Accept message?

Thanks for your help. 

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: WLAN Controlle WEB AUTH, when is the session re-verified aft

I don't think anything is done in the background/transparant when the session timeout occurs.

If radius sends you a Session Timeout of 30 minutes, then at 30 minutes the WLC puts the client in a Web Auth Required state again. At which point, they will have to open Internet Browser and send the credentials again (manual process).

The session timeout is a hard-stop to force reauthentication....

The access-request/access-accepts  (as far as I know) are only for the full authentication.

6 REPLIES

Re: WLAN Controlle WEB AUTH, when is the session re-verified aft

There is a session timeout in the WLAN definition.  When the client hits that timeout, they will need to go back to the web page and re-auth.  I don't believe the user is notified in any way that they have hit the session timeout, and they are not disconnected from the wireless.  They just can't do anything on the network (except DNS resolution) until they revisit the web-auth page.

I believe that they will also have to reauth if they disconnect and then reconnect (for instance, if they reboot).

Silver

Re: WLAN Controlle WEB AUTH, when is the session re-verified aft

Just to add a little more to Robert's post:

Typically, guest users are browsing the internet at all times... So when the session timeout hits, they will be redirected the very next time they access an HTTP page. But if your guests are just doing IM or something, and not browsing the webpage, then they'll be down solid until they open a web browser again.

As for rebooting....

As long as the client re-associates again before the WLC Idle Timeout (typically 5 minutes), the next association would be treated more like a ROAM. I would not expect the client to reauthenticate with webauth untill they have been deauthenticated by either Idle Timeout or Session Timeout...   If the user somehow notifies us of the disconnection and we deauth the client, then yes, it would have to re-auth at next association...  

New Member

Re: WLAN Controlle WEB AUTH, when is the session re-verified aft

Thanks Terry.

And please let me know if my interpretation is correct:

- Suppose that I specify a Timeout (attr 27) in the Radius Access-Accept , together with Termination-Action (attr 29) set to "Radius request".

- After Timeout elapses, the Controller sends another Access-Request to the Radius server, transparently for the user.

- If the Radius server considers that the user is still authorized, an Access-Accept is sent back.

- Otherwise, Access-Reject is sent and the Controller starts to redirect HTTP requests and drop other kinds of traffic.

Silver

Re: WLAN Controlle WEB AUTH, when is the session re-verified aft

I don't think anything is done in the background/transparant when the session timeout occurs.

If radius sends you a Session Timeout of 30 minutes, then at 30 minutes the WLC puts the client in a Web Auth Required state again. At which point, they will have to open Internet Browser and send the credentials again (manual process).

The session timeout is a hard-stop to force reauthentication....

The access-request/access-accepts  (as far as I know) are only for the full authentication.

Re: WLAN Controlle WEB AUTH, when is the session re-verified aft

Very good points!  Guest users I deal with are mostly creating VPN connections back to their companies, so we made our session timeout last a little longer than the typical business day.

New Member

Re: WLAN Controlle WEB AUTH, when is the session re-verified aft

Thanks Robert.

I read the reply posted after yours, which is a bit different and more flexible: HTTP traffic is again redirected, all other traffic dropped (except possibly DNS).

514
Views
0
Helpful
6
Replies
CreatePlease to create content