Hi Folks, We've had a number of reports from our Service Desk (who create the guest accounts for us) that they've been getting users who have long-term accounts (90days) expire early.
I've taken a look at the settings and sure enough, today there are accounts on WCS that are showing as expired but have a long life time.
User(x) created on 13th July with an expiry of the 15th Sept
User(y) created on 12th July with an expiry of the 12th Oct
This is only a couple listed here but the problem seems to be widespread accross long-life accounts. I've checked the clocks and they're all synced between WCS and the WLC's, when accounts are created they are done through WCS and pushed down to the single mobility anchor (our topology is 6 WLC's split over 2 sites, with a 7th WLC for MA with a toe in the internet DMZ)
We're running 18.104.22.168 of WCS and 22.214.171.124 on all the WLC's I think the problem has started to occur as it's really only now that we're using longer life-time accounts in anger.
Originally the accounts were being deleted by the cleaner process, so it just looked like the accounts were disappearing - we've stopped this and now it just shows that they expire.
Any suggestions that you can give as to why this might be occuring would be great! Unfortunaly we can't create 'unlimited' accounts as our policy is that they should have a lifetime of no more than 3 months, so the overhead on monitoring would be too big - so there has to be an automated process.
Hi Tim, I forgot all about this thread (have been on holiday). It looks like 30 days is the longest time period that you can set an account. Despite WCS allowing you to set accounts with a huge lifetime, when it gets pushed down to the WLC, the WLC max-lifetime kicks in at 30 days. (to verify this I logged into the VTY and tried to configure a guest account and the largest you can get is 30 days). So, it looks like we need to purchase some identity management tech to get over that one. Hope that helps Kev
TAC update: CSCtt17518 will be fixed. The fix is to extend that life of the guest user to beyond the 30 day limit that the controller currently has. So that fix is in the controller code. The WCS code will also need to be fixed to allow guest users to be able to be pushed to the controller with a life longer than 30 days. At this time it looks like both fixes will be in 7.0MR3 and 7.2. Since 7.0MR2 is scheduled to come out within a week or two and 7.0MR3 will not be available until at least Feb. 2012
I upgraded to WLC 126.96.36.199 and WCS 188.8.131.52 and am still getting users complaining about their accounts expiring early. Someone please correct me if I have misread something but the WCS is suppose to check the account every so often and re-provision the account based on the expire date set? We setup our users with 90day accounts that is pushed to two 5508 controllers running the code above, the process works well but the expiration of accounts has become a issue. Anyone know if the bug was truly fixed in 7.0.235 code or do I need to set the lifetime of the account lower.
I've confirmed the new code is provisioning account correctly now for periods longer than 30 days. Accounts that were provisioned prior to the code upgrade were set to 30 days because of the previous bug but once your provision a new user it applies the correct lifetime to the account.