I would like to add to this. When a client "leaves" or disassociates. The WLC removes it correctly from the table. If it wouldn´t it would be a security risk and increase the chance of session spoofing. So I heard that Cisco doesn´t support any caching of the clients because of this. For example with web-auth , there is no workaround. That's what I have heard many of my customers asking about.
I have had one customer requirement where staff with smartphones or tablets need webmail access at all times on a webauth WLAN. The solution was to create an pre-authentication access list that would allow this one webpage (webmail) to work without webauth. regards, Kristjan ---------------------------------------------------------------------- Message: 1 Date: Mon, 23 Jul 2012 20:42:22 +0300 From: Manolo Encelan <[email protected]> To: Jason Boyers <[email protected]>, Oliver Jancevski <[email protected]> Cc: "[email protected]" <[email protected]> Subject: Re: [OSL | CCIE_Wireless] Web authentication timeout Message-ID: <0905cf989eac444b9d038c92b3f7c26b513b62d...@btasex07.btalsaudia.com.sa> Content-Type: text/plain; charset="us-ascii" Hi Jason, Thanks a lot for the info. I've already set the User Idle Timeout to further prolong the connection of the client to the network. Yes you are correct normally a 1 client could have at least 3 devices connected to a network (laptop, smartphone and tablet) and this could really increase the max out of the client on the WLC. Bigger Problem! We will monitor our new setup and also inform the users about this. Cheers, ________________________________________ From: Jason Boyers [[email protected]] Sent: Sunday, July 22, 2012 8:39 PM To: Oliver Jancevski Cc: Manolo Encelan; [email protected] Subject: Re: [OSL | CCIE_Wireless] Web authentication timeout Technically, the User Idle Timeout applies to all users. So, by default, if a MAC address doesn't send traffic for 300 seconds, that device is removed from the Client list and would require a reauthentication when reconnecting. You can increase that timeout to try to cover the scenario you are describing. There are 2 things to keep in mind eith this. The longer the timeout value, the more clients are held in the list. So, you increase the risk that you will max out on clients for the WLC. Second, iPads (and possibly iPhones) send an active deauthentication when they go to sleep or hibernate. So, they will be removed. As Oliver said, there is also the WLAN Session timeout, which requires a reauthentication at the timeout value. So, adjust that value to also be greater than the expected time that the clients will not be on the network. This value is for all authentication types, but Open simply continues as is, while PSK will negotiate a new PTK at that time (without client intervention.) Jason Boyers On Jul 22, 2012 11:03 AM, "Oliver Jancevski" <[email protected]<mailto:[email protected]>> wrote: First, I took liberty to change the subject ;-) Depending what kind of authentication you are using for guest access, there are following timers on the WLC itself that you can increase: 1. Open/PSK - User Idle Timeout - (Contoller>General). Default is 5min 2. EAP - Session Timeout - (WLAN>Advanced). Default it 30min. In this case the shorter of two takes presedence. Aditionally if adding guest user on the WLC verify Guest Account timeout, or specific EAP timer on the AAA server. Regards, Oliver --- On Sun, 7/22/12, Manolo Encelan <[email protected]<mailto:[email protected]>> wrote: From: Manolo Encelan <[email protected]<mailto:[email protected]>> Subject: Re: [OSL | CCIE_Wireless] AAA override and HREAP To: "Victor Platov (viplatov)" <[email protected]<mailto:[email protected]>>, "Anton L. Vinokurov" <[email protected]<mailto:[email protected]>>, "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Received: Sunday, July 22, 2012, 7:40 AM Hi all, Got a quick question regarding the authentication of a user to WLC using the web authentication. Scenario: Using smartphone, customer already connected to the network. After going out for a while and leave the network user will be again asked to re-insert his username and password. Do we have a way to make the smartphone reconnect to the network without the authentication again like a normal laptop? Tried several times with iphones, samsung and blackberry with NO luck. Tried to check the controller if we can tweak. _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com<http://www.ipexpert.com> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com<http://www.PlatinumPlacement.com> ------------------------------ _______________________________________________ CCIE_Wireless mailing list [email protected] http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless End of CCIE_Wireless Digest, Vol 39, Issue 10 ********************************************* _______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
