The CLI command "config network usertimeout <seconds>" (in conjunction with
the session timeout setting on the WLAN) allows you to "preserve" the web
authenticated session even when the user has disassociated from the Web
Auth enabled WLAN.
Regards
Andrew
-----Original Message-----
From: Kristján Ólafur Eðvarðsson
Sent: Wednesday, July 25, 2012 1:05 AM
To: [email protected]
Subject: [OSL | CCIE_Wireless] Web authentication timeout
I would like to add to this. When a client "leaves" or disassociates, the
WLC removes it correctly from the table. If it didn't, it would be a security
risk and increase the chance of session spoofing. So I heard that Cisco
doesn't support any caching of the clients because of this.
For example with web-auth, there is no workaround. That's what I have heard
many of my customers asking about.
I have had one customer requirement where staff with smartphones or tablets
need webmail access at all times on a webauth WLAN. The solution was to
create a pre-authentication access list that would allow this one webpage
(webmail) to work without webauth.
regards, Kristjan
----------------------------------------------------------------------
Message: 1
Date: Mon, 23 Jul 2012 20:42:22 +0300
From: Manolo Encelan <[email protected]>
To: Jason Boyers <[email protected]>, Oliver Jancevski
<[email protected]>
Cc: "[email protected]"
<[email protected]>
Subject: Re: [OSL | CCIE_Wireless] Web authentication timeout
Hi Jason,
Thanks a lot for the info. I've already set the User Idle Timeout to
further prolong the connection of the client to the network. Yes you are
correct, normally 1 client could have at least 3 devices connected to a
network (laptop, smartphone and tablet) and this could really increase the
max out of the client on the WLC. Bigger Problem! We will monitor our new
setup and also inform the users about this.
Cheers,
________________________________________
From: Jason Boyers [[email protected]]
Sent: Sunday, July 22, 2012 8:39 PM
To: Oliver Jancevski
Cc: Manolo Encelan; [email protected]
Subject: Re: [OSL | CCIE_Wireless] Web authentication timeout
Technically, the User Idle Timeout applies to all users. So, by default, if
a MAC address doesn't send traffic for 300 seconds, that device is removed
from the Client list and would require a reauthentication when reconnecting.
You can increase that timeout to try to cover the scenario you are
describing. There are 2 things to keep in mind with this. The longer the
timeout value, the more clients are held in the list. So, you increase the
risk that you will max out on clients for the WLC. Second, iPads (and
possibly iPhones) send an active deauthentication when they go to sleep or
hibernate. So, they will be removed.
As Oliver said, there is also the WLAN Session timeout, which requires a
reauthentication at the timeout value. So, adjust that value to also be
greater than the expected time that the clients will not be on the network.
This value is for all authentication types, but Open simply continues as is,
while PSK will negotiate a new PTK at that time (without client
intervention.)
Jason Boyers
On Jul 22, 2012 11:03 AM, "Oliver Jancevski" <[email protected]> wrote:
First, I took liberty to change the subject ;-)
Depending what kind of authentication you are using for guest access, there
are following timers on the WLC itself that you can increase:
1. Open/PSK - User Idle Timeout - (Controller>General). Default is 5min
2. EAP - Session Timeout - (WLAN>Advanced). Default is 30min. In this case
the shorter of two takes precedence.
Additionally if adding guest user on the WLC verify Guest Account timeout, or
specific EAP timer on the AAA server.
Regards,
Oliver
--- On Sun, 7/22/12, Manolo Encelan <[email protected]> wrote:
From: Manolo Encelan <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] AAA override and HREAP
To: "Victor Platov (viplatov)" <[email protected]>, "Anton L. Vinokurov"
<[email protected]>, "[email protected]" <[email protected]>
Received: Sunday, July 22, 2012, 7:40 AM
Hi all,
Got a quick question regarding the authentication of a user to WLC using the
web authentication.
Scenario: Using smartphone, customer already connected to the network.
After going out for a while and leave the network user will be again asked
to re-insert his username and password.
Do we have a way to make the smartphone reconnect to the network without the
authentication again like a normal laptop? Tried several times with
iphones, samsung and blackberry with NO luck. Tried to check the controller
if we can tweak.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
------------------------------
_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
End of CCIE_Wireless Digest, Vol 39, Issue 10
*********************************************