Cisco Support Community

New Member

Cisco WLC Re-authentication timeout

My client would like to set up an environment in which the user does not need to re-authenticate within 12 hours, even if the user's PC is switched off or restarted within this period. My client is using Web Auth + IAS RADIUS authentication. Thanks for your help!

Cisco Employee

Cisco WLC Re-authentication timeout

You can set the session timeout up to 24 hours. That's the max and webauth users will have no other option than re-login every day.

If you want a guest PC to stay connected for longer periods, I doubt that the guest portal solution is the best for your use case.

Hall of Fame Super Silver

Cisco WLC Re-authentication timeout

I agree with Nicholas, but I don't think that will work if devices are shut down or restarted.  I say this, because when I test different web authentications when customizing the splash page, I usually disable or restart the wireless card in order to be able to get the login screen again.  Even with an iPhone or iPad, if you turn off the wireless and turn it on again, you will get the login page.

*** Please rate helpful posts ***

Re: Cisco WLC Re-authentication timeout

Idle timeout is going to be the kicker here (or whatever task is removing a client entry from the wlc database)

Bottom line: as long as a client entry is not removed from the WLC, it should not have to re web-auth.

Session timeout is a hard stop, so yes you could limit the session timeout to 12 hours and that answers half the equation. The other problem is that the WLC will "remove" a client by default after 5 minutes of an AP not hearing from the client. So a client who is shut down, or in power-save (no wireless packets), will be deauthenticated after the idle timeout period.

Some people like to increase the idle timeout..... but that's more of a workaround for an unusual request.

If your client is being forced to re-authenticate with web-auth and you don't think it is supposed to, I'd run a "debug client " and figure out WHY the WLC removed the client in the first place.

Re: Cisco WLC Re-authentication timeout

Idle user timeout hasn't worked for me in this example. By this I mean, if I have a guest client and he accepts the splash page, when he disconnects and then reconnects to guest, he gets the splash page again.

Is it supposed to work that way?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Cisco Employee

Re: Cisco WLC Re-authentication timeout

If you gently disconnect your client from the SSID, the client sends a deauthenticate frame. The WLC deletes the client entry no matter what timeout you configured.

When the client reconnects, it's a new client entry so you get the splash page again.

The user idle timeout is for when you brutally shut down your laptop, or move away, so no deauthenticate frame was sent; the client just goes silent. The idle timeout defines how long the WLC waits before deleting the client entry when it's not hearing AT ALL a single frame from the client.

Hope it clarifies :-)


Re: Cisco WLC Re-authentication timeout

Maybe I'm wrong here.... but I'm pretty sure the AP/WLC doesn't even listen to Deauths from a client (that would subject clients to a DoS if we did, right?). For some reason I want to say we will not listen to a deauth from "the client"...

In the "past", there was a bug with Idle Timeout where we were removing clients after maximum retransmissions to the Client, but that has been corrected. So as far as I know,  you should only see a client removed from the WLC because of a timeout incident or it roaming to another WLC (L2).

George, in your example:

If a client isn't in a webauth_reqd state, they shouldn't have to web authenticate.

If your client is disconnecting and reconnecting and going to a webauth_reqd state,  that would imply the client state was removed from the wlc.....    simple client debug would tell you what really happened.
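
A simplified model of the client-entry lifetime discussed in the posts above, added here as an illustration; it is not Cisco code and not part of any post. The timer names, the `honor_client_deauth` switch (the posters disagree on whether the WLC acts on a client deauth) and all timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass

HOUR = 3600


@dataclass
class WlcTimers:
    session_timeout: int = 12 * HOUR   # hard stop, counted from web-auth
    idle_timeout: int = 300            # 5 minutes of silence (default per the thread)
    honor_client_deauth: bool = True   # disputed in the thread, so modelled as a switch


def entry_removed_at(timers, auth_time, frame_times, deauth_time=None):
    """Return (time, reason) at which the modelled client entry is deleted."""
    candidates = [(auth_time + timers.session_timeout, "session-timeout")]

    # Idle timeout fires after the first silence longer than idle_timeout,
    # or after the last frame heard if no such gap occurs earlier.
    heard = sorted([auth_time, *frame_times])
    idle_at = heard[-1] + timers.idle_timeout
    for prev, nxt in zip(heard, heard[1:]):
        if nxt - prev > timers.idle_timeout:
            idle_at = prev + timers.idle_timeout
            break
    candidates.append((idle_at, "idle-timeout"))

    if deauth_time is not None and timers.honor_client_deauth:
        candidates.append((deauth_time, "client-deauth"))
    return min(candidates)


def needs_webauth(timers, auth_time, frame_times, reconnect_time, deauth_time=None):
    """True plus the removal reason if the reconnecting client sees the splash page."""
    removed_at, reason = entry_removed_at(timers, auth_time, frame_times, deauth_time)
    if reconnect_time >= removed_at:
        return True, reason
    return False, "entry-still-present"


if __name__ == "__main__":
    frames = [60, 120]  # constructed: last frame heard 2 minutes after web-auth
    long_idle = WlcTimers(idle_timeout=12 * HOUR)
    print(needs_webauth(WlcTimers(), 0, frames, 1 * HOUR))    # PC off for an hour
    print(needs_webauth(long_idle, 0, frames, 1 * HOUR))      # idle timeout raised
    print(needs_webauth(long_idle, 0, frames, 13 * HOUR))     # past the session limit
    print(needs_webauth(long_idle, 0, frames, 600, deauth_time=200))
```
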

New Member

Re: Cisco WLC Re-authentication timeout

Hi Everyone, thanks for your reply, I am pretty sure what I am setting on idle timeout and session timeout

the web authentication will indicate the re-authentication, after the PC sends out a de-authenticate packet to the AP/WLC when it changes state to shutdown or standby, but this is not sure, I need to use the debugger to find out the root cause.

I tried to change it to use WPA2 with 802.1X, override AAA option is checked, idle timeout and session timeout are configured in Windows IAS server, but still no luck, I will go and try the debugger to see the whole story of the client PC first, anyway thanks all!~ you gave me big support here~

New Member

Re: Cisco WLC Re-authentication timeout

Hello All,

I'd like to ask you about the issue with WLC firmware 7.5. We have Guest access and I turn off all the timers (I know it is not recommended). Once the client confirms the web page (no username and pass is needed, web passthrough is set up), he can access the network and I can see him under Clients on the WLC. But the issue is, once the device goes to sleep and the user wakes it up, the legal notice appears again and he needs to confirm it again. On the other sites, where there are older versions of WLC (7.4 or 7.3), we don't have this issue. I found out there is a new menu "Sleeping clients" and I also read about the policy, where I can set up a separate timer for sleeping clients, but my understanding is that it is only if I'd like to use different timers for sleeping clients ... Is there any known bug, or do I need to set up something differently than on the older versions of WLC?

Thanks for advice.

Pavol Jasurek
