
wlc 5500 authentication timeout

Sean McCoy
Level 1

I have a WLC 5500 controller. I have two WLANs (OBSD-Internal and OBSD-BYOD). I have authentication set up to the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to re-authenticate every few minutes. This only happens on the BYOD WLAN (not Internal).

16 Replies

matthew gosling
Level 1

On the WLAN > ADVANCED tab, what is the Enable Session Timeout set to?

Sandeep Choudhary
VIP Alumni

Hi Sean,

You can set the session timeout up to 24 hours but I don't think that will work if devices are shut down or restarted.

Note: If clients are active after successful login, they will get de-authenticated and entry can still be removed from the controller after the session timeout period configured on that WLAN (for example, 1800 seconds by default and can be changed using this CLI command: config wlan session-timeout ). When this occurs, client entry is removed from the controller. If the client associates again, it will move back in a Webauth_Reqd state.

By GUI:

WLANs > WLAN ID > Advanced > Enable Session Timeout, and set the value.

------

Just for info:

In the newer code, there is a mac filter bypass option that lets you put a MAC address in that you want to bypass the WebAuth page. These devices will not have to authenticate at all to the WebAuth.

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_wlan.html#wp1460408

Regards

Don't forget to rate helpful posts

Scott Fella
Hall of Fame

Sean,

Can you post the show WLAN?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Scott-

Here are the results of the sho WLAN cmd:


(Cisco Controller) >show wlan 3


WLAN Identifier.................................. 3
Profile Name..................................... OBSD BYOD
Network Name (SSID).............................. OBSD-BYOD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 25
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ g9c-guest
Multicast Interface.............................. Not Configured

--More-- or (q)uit
WLAN ACL......................................... Guest WiFi Internet Only
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers

--More-- or (q)uit
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Enabled
ACL............................................. Web Auth
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled

--More-- or (q)uit
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------
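
Added example (not part of any post in this thread): a small Python parser for the `show wlan` output format above that pulls out the settings the replies tie to repeated WebAuth logins. The function names are hypothetical, the sample lines are copied from the output above, and the "next check" hint reflects the advice given in the replies, not Cisco documentation.

```python
import re

# Sample input: a subset of the `show wlan 3` lines posted above, pager prompt included.
SAMPLE = """\
WLAN Identifier.................................. 3
Network Name (SSID).............................. OBSD-BYOD
Session Timeout.................................. Infinity

--More-- or (q)uit
   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   Web Based Authentication...................... Enabled
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
"""

# "Key....... value": a key, a run of three or more leader dots, then the value.
LINE = re.compile(r"^\s*(.+?)\s*\.{3,}\s*(.*?)\s*$")

def parse_show_wlan(text):
    """Return {key: value}; pager prompts, blank lines and bare headers do not match."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group(1).rstrip(":")] = m.group(2)
    return fields

def reauth_report(fields):
    """Summarise the settings relevant to WebAuth re-login behaviour on this WLAN."""
    l2_off = all(fields.get(k) == "Disabled"
                 for k in ("802.1X", "Wi-Fi Protected Access (WPA/WPA2)"))
    webauth_only = fields.get("Web Based Authentication") == "Enabled" and l2_off
    timeout = fields.get("Session Timeout")
    report = {
        "ssid": fields.get("Network Name (SSID)"),
        "session_timeout": timeout,
        "webauth_only": webauth_only,  # open Layer 2, login enforced by the web portal only
        "webauth_order": [fields[k] for k in sorted((k for k in fields if k.isdigit()), key=int)],
    }
    # Per the replies: with no WLAN session timer, look at the controller idle timeout.
    if webauth_only and timeout == "Infinity":
        report["next_check"] = "controller idle timeout"
    return report

if __name__ == "__main__":
    print(reauth_report(parse_show_wlan(SAMPLE)))
```
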

You must be on v7.0, 7.2 or 7.3.... make sure you set the idle timeout to 2-4 hours.  This will be located on the GUI under the Controller tab.

Thanks,


Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Scott-

What I cannot figure out is the fact that this only occurs on that specific WLAN. I have another WLAN on that controller that I have no timeout issues with.

Sean

Idle timeout is specific to WebAuth only, not open, WEP, PSK or 802.1x.  Certain devices, like Apple, will time out with WebAuth when the device goes to sleep and then you have to log in again.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

That WLAN is for my BYOD traffic. Is there any security concern changing from WebAuth to PSK or 802.1x?

Well if this is for guest, then yes.... you don't want to have to support guest users by changing encryption... WebAuth is the way to go, you just need to change the idle timer to account for these devices that drop off.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

So v7.1.91.0 should work or do I need to go to 7.2?

You can use either.....

Just for info:

The Cisco 3600 Access Point was introduced in 7.1.91.0. If your network deployment uses Cisco 3600 Access Points with release 7.1.91.0, it's highly recommended that you upgrade to 7.2.103.0 or a later release.

Regards

Scott Fella
Hall of Fame

Go with v7.4.110.0 if possible. There were some issues with 3600's on v7.2 or v7.3. Either way, v7.0 is Cisco's stable code but since the 3600's are not supported on that, the next real stable code is v7.4.x.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Do you need a contract on those to be able to get the upgraded code?

Yes you do.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***