Thanks for the clarification Jason. Here is what the (WLC) Design and Features 
FAQ says:
 
The User Idle Timeout: When a user is idle without any communication with the 
LAP for the amount of time set as User Idle Timeout, the client is 
deauthenticated by the WLC. The client has to reauthenticate and reassociate to 
the WLC. It is used in situations where a client can drop out from its 
associated LAP without notifying the LAP. This can occur if the battery goes 
dead on the client or the client moves away.
 
The Session Timeout is the maximum time for a client session with the WLC. 
After this time, WLC de-authenticates the client, and the client goes through 
the whole authentication (re-authentication) process again. This is a part of a 
security precaution to rotate the encryption keys. If you use an Extensible 
Authentication Protocol (EAP) method with key management, the rekeying occurs 
at every regular interval in order to derive a new encryption key. Without key 
management, this timeout value is the time that wireless clients need to do a 
full reauthentication. 
 
I am pulling back my original suggestion as it was based on an older version 
of this document where it said:
The code has been changed for Controller version 4.0, where, if you configure a 
Layer 2 security with static Wired Equivalent Privacy (WEP), Cisco Key 
Integrity Protocol (CKIP), or Wi−Fi Protected Access (WPA1+WPA2) PSK, the 
controller automatically sets the session timeout to 0. 
 
Well this is no longer applicable – don’t know exactly when it changed but at 
least it is not true in 7.0.116.
 
Anyways from all above I would suggest the User Idle Timeout is the way to go, as 
the WLAN Session Timeout applies to all associated clients whether active or not, 
while the User Idle Timeout applies only to inactive ones.
Of course be aware of the potential issues Jason mentioned.
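To make the interplay of the two timers concrete, here is a small model of the behaviour described in this thread. It is an added illustration, not code from the list or from Cisco: it takes the defaults quoted above (User Idle Timeout 300 s, Session Timeout 1800 s), a client's association time and the times it sent traffic, and reports the first event that would drop the client from the WLC client list (and so force a fresh web-auth login). The function and field names are my own; the explicit-deauth case models Jason's observation about iPads sleeping.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class TimerPolicy:
    # Defaults quoted in the thread, in seconds; field names are mine.
    user_idle_timeout: int = 300     # Controller > General, default 5 min
    session_timeout: int = 1800      # WLAN > Advanced, default 30 min


def first_removal(policy: TimerPolicy,
                  associated_at: int,
                  traffic_times: Sequence[int],
                  now: int,
                  client_deauth_at: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """Return (cause, time) of the first event that removes the client from the
    WLC client list, or None if the client is still associated at `now`.
    All times are seconds on one common clock."""
    candidates: List[Tuple[str, int]] = []

    # WLAN Session Timeout counts from association, active or not.
    session_end = associated_at + policy.session_timeout
    if session_end <= now:
        candidates.append(("session-timeout", session_end))

    # User Idle Timeout fires on the first silent gap of at least the timeout,
    # including the gap between the last frame seen and `now`.
    marks = [associated_at] + sorted(t for t in traffic_times if t >= associated_at)
    for prev, nxt in zip(marks, marks[1:] + [now]):
        if nxt - prev >= policy.user_idle_timeout:
            candidates.append(("idle-timeout", prev + policy.user_idle_timeout))
            break

    # A handheld that sends an explicit deauth on sleep is removed at once,
    # however generous the timers are (constructed case from the thread).
    if client_deauth_at is not None and associated_at <= client_deauth_at <= now:
        candidates.append(("client-deauth", client_deauth_at))

    return min(candidates, key=lambda c: c[1]) if candidates else None


def policy_for_absence(expected_absence: int, margin: int = 60) -> TimerPolicy:
    """Raise both timers above the expected time off the network, as Jason
    suggests. The cost: idle clients stay in the list longer, so the WLC's
    client capacity is consumed by devices that are not really there."""
    floor = expected_absence + margin
    return TimerPolicy(user_idle_timeout=floor, session_timeout=max(1800, floor))


if __name__ == "__main__":
    # Constructed trace: phone associates at t=0, last frame at t=100,
    # checked at t=500 with default timers -> idle timeout hit at t=400.
    print(first_removal(TimerPolicy(), 0, [100], 500))
    # Same phone with a 20-minute absence covered by the raised timers.
    print(first_removal(policy_for_absence(1200), 0, [100], 500))
```

Note that the model only answers "is the client still in the list"; what happens at the session timeout still depends on the security type (Open carries on, PSK rekeys the PTK silently, web-auth asks for credentials again), exactly as Jason describes.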
 
--- On Sun, 7/22/12, Jason Boyers <[email protected]> wrote:


From: Jason Boyers <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Web authentication timeout
To: "Oliver Jancevski" <[email protected]>
Cc: "Manolo Encelan" <[email protected]>, 
"[email protected]" <[email protected]>
Received: Sunday, July 22, 2012, 1:39 PM



Technically, the User Idle Timeout applies to all users.  So, by default, if a 
MAC address doesn't send traffic for 300 seconds, that device is removed from 
the Client list and would require a reauthentication when reconnecting.  You 
can increase that timeout to try to cover the scenario you are describing.  
There are 2 things to keep in mind with this.  The longer the timeout value, 
the more clients are held in the list.  So, you increase the risk that you will 
max out on clients for the WLC.   Second, iPads (and possibly iPhones) send an 
active deauthentication when they go to sleep or hibernate.  So, they will be 
removed.
As Oliver said, there is also the WLAN Session timeout, which requires a 
reauthentication at the timeout value.  So, adjust that value to also be 
greater than the expected time that the clients will not be on the network.  
This value is for all authentication types, but Open simply continues as is, 
while PSK will negotiate a new PTK at that time (without client intervention.)
Jason Boyers 
On Jul 22, 2012 11:03 AM, "Oliver Jancevski" <[email protected]> wrote:






First, I took the liberty to change the subject ;-)
 
Depending what kind of authentication you are using for guest access, there are 
following timers on the WLC itself that you can increase:

1. Open/PSK - User Idle Timeout - (Controller>General). Default is 5min
 
2. EAP - Session Timeout - (WLAN>Advanced). Default is 30min. In this case the 
shorter of the two takes precedence.
 
Additionally, if adding a guest user on the WLC, verify the Guest Account timeout, or 
the specific EAP timer on the AAA server.
 
Regards,
Oliver 

--- On Sun, 7/22/12, Manolo Encelan <[email protected]> wrote:


From: Manolo Encelan <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] AAA override and HREAP
To: "Victor Platov (viplatov)" <[email protected]>, "Anton L. Vinokurov" 
<[email protected]>, "[email protected]" 
<[email protected]>
Received: Sunday, July 22, 2012, 7:40 AM


Hi all,

Got a quick question regarding the authentication of a user to WLC using the 
web authentication.

Scenario: Using a smartphone, the customer is already connected to the network.  After 
going out for a while and leaving the network, the user will again be asked to 
re-insert his username and password.  

Do we have a way to make the smartphone reconnect to the network without 
authenticating again, like a normal laptop?  Tried several times with iPhones, 
Samsung and BlackBerry with NO luck.  Tried to check the controller if we can 
tweak.


_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com