
New Member

wlc 5500 authentication timeout

I have a WLC 5500 controller. I have two WLANs (OBSD-Internal and OBSD-BYOD). I have authentication set up to the WLC for the BYOD WLAN using LDAP (users connect with an AD user account). They are required to reauthenticate every few minutes. This only happens on the BYOD WLAN (not Internal).

16 REPLIES
New Member

wlc 5500 authentication timeout

On the WLAN > ADVANCED tab, what is the Enable Session Timeout set to?

VIP Purple

wlc 5500 authentication timeout

Hi Sean,

You can set the session timeout up to 24 hours but I don't think that will work if devices are shut down or restarted.

Note: If clients are active after successful login, they will get de-authenticated and entry can still be removed from the controller after the session timeout period configured on that WLAN (for example, 1800 seconds by default and can be changed using this CLI command: config wlan session-timeout ). When this occurs, client entry is removed from the controller. If the client associates again, it will move back in a Webauth_Reqd state.

By GUI:

WLANs > WLAN ID > Advanced > Enable Session Timeout, and set the value.

------

Just for info:

In the newer code, there is a mac filter bypass option that lets you put a MAC address in that you want to bypass the WebAuth page. These devices will not have to authenticate at all to the WebAuth.

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_wlan.html#wp1460408

Regards

Don't forget to rate helpful posts

Hall of Fame Super Silver

Re: wlc 5500 authentication timeout

Sean,

Can you post the show WLAN

Sent from Cisco Technical Support iPhone App

Thanks, Scott *****Help out others by using the rating system and marking answered questions as "Answered"*****
New Member

Re: wlc 5500 authentication timeout

Scott-

Here are the results of the show WLAN cmd:


(Cisco Controller) >show wlan 3


WLAN Identifier.................................. 3
Profile Name..................................... OBSD BYOD
Network Name (SSID).............................. OBSD-BYOD
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 25
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ g9c-guest
Multicast Interface.............................. Not Configured

--More-- or (q)uit
WLAN ACL......................................... Guest WiFi Internet Only
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers

--More-- or (q)uit
   Accounting.................................... Global Servers
   Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Enabled
ACL............................................. Web Auth
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   H-REAP Local Switching........................ Disabled
   H-REAP Local Authentication................... Disabled
   H-REAP Learn IP Address....................... Enabled

--More-- or (q)uit
   Client MFP.................................... Optional but inactive (WPA2 not configured)
   Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled

Mobility Anchor List
WLAN ID     IP Address            Status
-------     ---------------       ------
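
An added example, not part of any post in this thread: a small Python parser for the `show wlan` output posted above. It skips the pager prompts and pulls out the fields the replies turn on (session timeout, web authentication, layer-2 security and the web-auth server order). The function names and the assumed form of a non-infinite timeout value ("1800 seconds") are illustrative assumptions.

```python
import re

# Constructed sample, trimmed from the "show wlan 3" output above (pager prompt kept).
SAMPLE = """\
WLAN Identifier.................................. 3
Network Name (SSID).............................. OBSD-BYOD
Session Timeout.................................. Infinity
--More-- or (q)uit
Security
   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   Web Based Authentication...................... Enabled
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
"""

# "<key><optional colon><3+ leader dots> <value>"; keys may hold single dots (802.1X).
FIELD = re.compile(r"^\s*(.+?)\s*:?\.{3,}\s*(.*?)\s*$")
L2_KEYS = ("Static WEP Keys", "802.1X", "Wi-Fi Protected Access (WPA/WPA2)")

def parse_show_wlan(text):
    fields, precedence = {}, []
    for line in text.splitlines():
        if line.startswith("--More--"):      # pager prompt, not data
            continue
        m = FIELD.match(line)
        if not m:                            # section headings carry no leader dots
            continue
        key, value = m.groups()
        if key.isdigit():                    # numbered rows: web-auth server order
            precedence.append(value)
        else:
            fields[key] = value
    return fields, precedence

def summarize(text):
    # Settings that decide when a web-auth client has to log in again.
    fields, precedence = parse_show_wlan(text)
    timeout = fields.get("Session Timeout")
    return {
        "ssid": fields.get("Network Name (SSID)"),
        "webauth": fields.get("Web Based Authentication") == "Enabled",
        "layer2_security": [k for k in L2_KEYS if fields.get(k) == "Enabled"],
        "session_timeout_s": int(timeout.split()[0]) if timeout and timeout[0].isdigit() else None,
        "webauth_servers": precedence,
    }
```

Calling `summarize(SAMPLE)` reports web authentication enabled, no layer-2 security and no session timeout for OBSD-BYOD, matching the posted output.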

Hall of Fame Super Silver

Re: wlc 5500 authentication timeout

You must be on v7.0, 7.2 or 7.3.... make sure you set the idle timeout to 2-4 hours.  This will be located on the GUI under the Controller tab.

Thanks,


Scott

Help out others by using the rating system and marking answered questions as "Answered"

New Member

Re: wlc 5500 authentication timeout

Scott-

What I cannot figure out is the fact that this only occurs on that specific WLAN. I have another WLAN on that controller that I have no timeout issues with.

Sean

Hall of Fame Super Silver

Re: wlc 5500 authentication timeout

Idle timeout is specific to WebAuth only, not open, WEP, PSK or 802.1x. Certain devices, like Apple, will time out with WebAuth when the device goes to sleep and then you have to log in again.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

New Member

Re: wlc 5500 authentication timeout

That WLAN is for my BYOD traffic. Is there any security concern changing from WebAuth to PSK or 802.1x?

Hall of Fame Super Silver

wlc 5500 authentication timeout

Well if this is for guest, then yes.... you don't want to have to support guest users by changing encryption... WebAuth is the way to go, you just need to change the idle timer to account for these devices that drop off.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"
