
External Web Authentication Roaming Question

Hello All,

In our environment we have deployed several access points, carrying several SSIDs. One of them is dedicated to guest access. The guests have to authenticate using an external web authentication server. So far so good...!

My question is: When a guest user roams from one LAP to an adjacent LAP we have noticed that sometimes the user has to re-authenticate, meaning that the traffic is dropped (e.g. Skype/VoIP call). So, is this something that can be tweaked on the WLC or is it strictly the web server's decision?

 

Thanks

 

6 REPLIES

Hi Panagiotis,

Roaming process doesn't involve the external web server, only the APs and the WLC.

The web server is used initially for client authentication and re-authentication every time the client's session is timed out.

Can you verify if there is proper coverage between the APs?

Does this problem occur only on the Guests SSID and only between two specific APs?

What type of clients have this problem? Laptops, smartphones, tablets?

 

Regards

Hello Christos and thanks for answering.

It's actually occurring on a combination of devices and it's all over the bldg.

The roaming works fine with 802.1x but not with the ext. web auth.

When talking about client session timeout, are you aware if (in general) the web server can also time-out the clients?

 

Thanks

Not sure, but in general WLC handles the session timeout.

Can you share the wlan config? "show wlan <id>"

Also the debug client output when problem appears would help to investigate the problem.

Hello Christos,

here is the output:

 


WLAN Identifier.................................. 20
Profile Name..................................... xxxxxxxxxxxxxxxxxx
Network Name (SSID).............................. xxxxxxxxxxxxxxxxxx
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Client Profiling Status ....................... Disabled
   DHCP ......................................... Disabled
   HTTP ......................................... Disabled
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Maximum number of Clients per AP Radio........... 200
Number of Active Clients......................... 19
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 3600 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... WISM2
CHD per WLAN..................................... Disabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ xxxxxxxx
Multicast Interface.............................. Not Configured
WLAN IPv4 ACL.................................... unconfigured
WLAN IPv6 ACL.................................... unconfigured
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
Static IP client tunneling....................... Disabled
PMIPv6 Mobility Type............................. none
Quality of Service............................... Silver
Per-SSID Rate Limits............................. Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Per-Client Rate Limits........................... Upstream      Downstream
Average Data Rate................................   0             0
Average Realtime Data Rate.......................   0             0
Burst Data Rate..................................   0             0
Burst Realtime Data Rate.........................   0             0
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Drop
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security

   802.11 Authentication:........................ Open System
   FT Support.................................... Disabled
   Static WEP Keys............................... Disabled
   802.1X........................................ Disabled
   Wi-Fi Protected Access (WPA/WPA2)............. Disabled
   WAPI.......................................... Disabled
   Wi-Fi Direct policy configured................ Disabled
   EAP-Passthrough............................... Disabled
   CKIP ......................................... Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
   Conditional Web Redirect...................... Disabled
   Splash-Page Web Redirect...................... Disabled
   Auto Anchor................................... Disabled
   FlexConnect Local Switching................... Disabled
   flexconnect Central Dhcp Flag................. Disabled
   flexconnect nat-pat Flag...................... Disabled
   flexconnect Dns Override Flag................. Disabled
   FlexConnect Vlan based Central Switching ..... Disabled
   FlexConnect Local Authentication.............. Disabled
   FlexConnect Learn IP Address.................. Enabled
   Client MFP.................................... Disabled
   PMF........................................... Disabled
   PMF Association Comeback Time................. 1
   PMF SA Query RetryTimeout..................... 200
   Tkip MIC Countermeasure Hold-down Timer....... 60
AVC Visibilty.................................... Enabled
AVC Profile Name................................. None
Flow Monitor Name................................ None
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Disabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
KTS based CAC Policy............................. Disabled
Assisted Roaming Prediction Optimization......... Disabled
802.11k Neighbor List............................ Disabled
802.11k Neighbor List Dual Band.................. Disabled
Band Select...................................... Enabled
Load Balancing................................... Client-Count Based
Multicast Buffer................................. Disabled

 Mobility Anchor List
 WLAN ID     IP Address            Status
 -------     ---------------       ------

802.11u........................................ Disabled

MSAP Services.................................. Disabled

Your session timeout is set to 3600 seconds.  This will force them to re-authenticate to the guest wireless once an hour.  I recommend that you go to the WLAN configuration Advanced tab and change this to 86,400 to allow 24 hours between authentications.

John
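
Added example, not part of the original thread and not Cisco code: a small Python parser for the dotted-leader "show wlan <id>" layout pasted above, which pulls out the timers and web-auth state this thread discusses. The sample text is a constructed excerpt in the same layout, and the function names are assumptions made for the example.

```python
import re

# Constructed excerpt in the layout of the "show wlan <id>" output posted
# above, including one CLI pager prompt.
SAMPLE = """\
WLAN Identifier.................................. 20
Session Timeout.................................. 3600 seconds
User Idle Timeout................................ 300 seconds

--More-- or (q)uit
Security

   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Web Based Authentication...................... Disabled
"""

# indent, field name, a run of two or more dots, value
LINE = re.compile(r"^(\s*)(.+?)\s*\.{2,}\s*(.*)$")

def parse_show_wlan(text):
    """Return {field: value}; indented fields become 'Section/field'."""
    fields, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("--More--"):
            continue  # blank lines and pager prompts carry no data
        m = LINE.match(raw)
        if m is None:
            # no dotted leader: an unindented line is a section header
            if not raw[0].isspace():
                section = raw.strip()
            continue
        indent, key, value = m.groups()
        key = key.rstrip(":")
        if indent and section:
            key = f"{section}/{key}"
        else:
            section = None  # a top-level field ends the current section
        fields[key] = value.strip()
    return fields

def seconds(fields, key):
    m = re.match(r"(\d+) seconds$", fields.get(key, ""))
    return int(m.group(1)) if m else None

def reauth_summary(fields):
    """Collect the settings that decide how often a guest must log in again."""
    s = seconds(fields, "Session Timeout")
    return {"session_timeout_s": s,
            "session_timeout_h": s / 3600 if s else None,
            "idle_timeout_s": seconds(fields, "User Idle Timeout"),
            "web_auth": fields.get("Security/Web Based Authentication")}
```

Fields that repeat at the top level (for example the two "Average Data Rate" rows) keep only the last value seen.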
