Solved

Cisco wireless network - guest wlan seems to ask for reauthentication too often

Posted on 2016-11-16
12
38 Views
Last Modified: 2016-11-28
We have three Cisco 5508 wireless controllers managing 75 lightweight access points and 4 WLANS.  We have a guest wlan that has Webpolicy and passthrough used on layer 3 as shown:
passthrough
Also, if I go to the advanced tab, timeout is not enabled as shown:
Timeout
Users have been telling me that the guest session asks them to accept the web based agreement less than an hour later and it doesn't seem to matter where they are on campus.  We have more than adequate coverage in the building with no known deadspots.  In fact, some users that have informed IT of this are people who stay pretty static.

Is there another place to specify where the guest wireless times out and requires another acceptance of the web based use agreement?
0
Comment
Question by:Steve Bantz
12 Comments
 
LVL 3

Expert Comment

by:Winsoup
ID: 41890330
Under the "Controller" tab, there is a "User Idle Timeout" which is set to 300 seconds by default so if they're not active for more than 5 minutes it will time out on them.
0
 

Author Comment

by:Steve Bantz
ID: 41890391
I checked that and we have 86400 seconds in that field.

We just discovered a common denominator after researching it more.  It started happening about 3 months ago and only affects iPhones and iPads.  Every device we checked has ios 10 on it, which came out a few months ago.  I am thinking there is a quirk with ios10 and it doesn't like something about our wifi here.  I have read that forgetting the network and rejoining seems to fix it and someone else said disabling WMM on the wlan, but I hate to do that if I can avoid it.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41890403
If you're roaming between APs connected to different WLCs you'll have to reauth on the WLC you just connected to. They won't share auth session info.  This is probably what's happening.
0
 
LVL 3

Expert Comment

by:Winsoup
ID: 41890562
You may be on to something...It could just be an iPhone/iPad thing. When they go to sleep it disables the radios on them.

I'm going to test with my controller and iPhone to see if we get the same results. That should help our troubleshooting process.
0
 
LVL 3

Expert Comment

by:Winsoup
ID: 41891547
So what I found while doing this is that if I have credentials entered for another WiFi network and then connect to Guest Wireless it will disconnect me from guest wifi after the phone goes to sleep. But once I forget all other networks and then connect to guest wireless it kept me connected and also automatically connected when I came in this morning.
Very strange but seems like more of an issue with Apple than your WLC configuration.
0
 

Author Comment

by:Steve Bantz
ID: 41891625
I would agree that it is definitely tied to Apple ios10.  I did disable WMM on the guest wireless WLAN  and so far so good on that, i.e. the iPhones are staying on the network.  I am going to try your suggestion at some point as well.  I am going to leave WMM disabled today before I do that so I am not testing two things at once.  I have about 6 people testing this out in our facility.  I will update the thread later and thanks for the test you performed.
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 9

Accepted Solution

by:
Cheever000 earned 500 total points
ID: 41891990
All of the above, but I think you are looking for the sleeping clients timer.  See attached link and search the word sleeping if it isn't on that section for the WLC this is specific to the Web authentication re-authentication.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-5/configuration-guide/b_cg75/b_cg75_chapter_010111.html
0
 
LVL 20

Expert Comment

by:masnrock
ID: 41892117
One of the iOS updates did start causing havoc on wireless networks everywhere with weird things like that or not even being able to connect. I had the misfortunate of dealing with it on a Meru wireless network, where I somehow doubt that a patch has even occurred yet.

In addition to obviously some workaround settings, some issues funny enough were resolved by simply rebooting the Apples devices.

Anyway, here's another article involving common problems (not all settings are necessarily ones on your controller):
https://supportforums.cisco.com/document/12068941/common-apple-ios-and-cisco-wireless-related-issues
0
 

Author Comment

by:Steve Bantz
ID: 41893334
Seems disabling WMM didn't really do anything.  I am now looking at the sleeping clients timer as noted earlier in the thread.  Our 5508's do not have this setting so I am suspecting it may be part of a newer software revision.  I'm on 7.4.140.0 right now so I will be downloading the latest version to see if this becomes an available setting.  Will update the thread.
1
 

Author Comment

by:Steve Bantz
ID: 41896599
Cisco informed me that sleeping clients are supported in version 8.x so I will be upgrading to that this evening on my controllers.  I will report back.
1
 

Author Comment

by:Steve Bantz
ID: 41899766
So far so good.  I upgraded all 3 controllers to 8.0.140.0, let the lightweight waps update and enabled sleeping clients for 720 minutes on the guest wireless network.  I have noticed that there are a handful of sleeping clients right now out of the 170 associated clients online right now.  I have several employees on guest with their iphones right now to see if this makes a difference.  I haven't had any reports today so I hope this is what does it.
0
 

Author Comment

by:Steve Bantz
ID: 41904916
Just an update.  Updating to 8.0.140.0 and enabling sleeping clients was indeed the solution to the problem.  iPhones are no longer asking to authenticate on guest wifi several times a day.  Thanks for all of the input.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

With the purchase of CloudCommand by Comcast customers are left in a bind as subscriptions expire and render the AP's disabled. The following will explain how to flash your Ubiquiti AP's with CloudCommand firmware back to Ubiquiti firmware. HOWTO…
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now