My client would like to set up an environment in which users do not need to re-authenticate within 12 hours, even if the user's PC is switched off or restarted within this period. My client is using Web Auth + IAS RADIUS authentication. Thanks for your help!
I agree with Nicholas, but I don't think that will work if devices are shut down or restarted. I say this, because when I test different web authentications when customizing the splash page, I usually disable or restart the wireless card in order to be able to get the login screen again. Even with an iPhone or iPad, if you turn off the wireless and turn it on again, you will get the login page.
Idle timeout is going to be the kicker here (or whatever task is removing a client entry from the WLC database).
Bottom line: as long as a client entry is not removed from the WLC, it should not have to re web-auth.
Session timeout is a hard stop, so yes you could limit the session timeout to 12 hours and that answers half the equation. The other problem is that the WLC will "remove" a client by default after 5 minutes of an AP not hearing from the client. So a client who is shut down, or in power-save (no wireless packets), will be deauthenticated after the idle timeout period.
Some people like to increase the idle timeout... but that's more of a workaround for an unusual request.
If your client is being forced to re-authenticate with web-auth and you don't think it is supposed to, I'd run a "debug client " and figure out WHY the WLC removed the client in the first place.
Idle user timeout hasn't worked for me in this example. By this I mean, if I have a guest client and he accepts the splash page, when he disconnects and then reconnects to guest, he gets the splash page again.
Is it supposed to work that way?
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
If you gently disconnect your client from the SSID, the client sends a deauthenticate frame. The WLC deletes the client entry no matter what timeout you configured.
When the client reconnects, it's a new client entry so you get the splash page again.
The user idle timeout is when you brutally shut down your laptop, or move away, so no deauthenticate frame was sent; the client just goes silent. The idle timeout defines how long the WLC waits before deleting the client entry when it's not hearing AT ALL a single frame from the client.
Maybe I'm wrong here.... but I'm pretty sure the AP/WLC doesn't even listen to Deauths from a client (that would subject clients to a DoS if we did, right?). For some reason I want to say we will not listen to a deauth from "the client"...
In the "past", there was a bug with Idle Timeout where we were removing clients after maximum retransmissions to the Client, but that has been corrected. So as far as I know, you should only see a client removed from the WLC because of a timeout incident or it roaming to another WLC (L2).
George, in your example:
If a client isn't in a webauth_reqd state, they shouldn't have to web authenticate.
If your client is disconnecting and reconnecting and going to a webauth_reqd state, that would imply the client state was removed from the WLC... a simple client debug would tell you what really happened.
Hi everyone, thanks for your replies. I am pretty sure what I am setting on idle timeout and session timeout,
the web authentication will indicate the re-authentication after the PC sends out a de-authenticate packet to the AP/WLC when it changes state to shutdown or standby, but this is not sure; I need to use the debugger to find out the root cause.
I tried to change it to use WPA2 with 802.1X, override AAA option is checked, idle timeout and session timeout are configured in the Windows IAS server, but still no luck. I will go and try the debugger to see the whole story of the client PC first. Anyway, thanks all! You gave me big support here.
I'd like to ask you about an issue with WLC firmware 7.5. We have guest access and I turned off all the timers (I know it is not recommended). Once a client confirms the web page (no username and password is needed, web passthrough is set up), he can access the network and I can see him under Clients on the WLC. But the issue is, once the device goes to sleep and the user wakes it up, the legal notice appears again and he needs to confirm it again. On the other sites, where there are older versions of WLC (7.4 or 7.3), we don't have this issue. I found out there is a new menu "Sleeping clients" and I also read about the policy, where I can set up a separate timer for sleeping clients, but my understanding is that this is only if I'd like to use different timers for sleeping clients... Is there any known bug, or do I need to set up something differently than on the older versions of WLC?