
17 Jun 11: Cisco WLC 5508 keeping web auth persistent

How do you keep a client's web authentication persistent even after the client gets disconnected or deauthenticated?

Device: Cisco WLC 5508

Code: 7.0.116.0

Recently, after setting up a wireless network with the Web Authentication Redirect option on a Cisco Wireless LAN Controller 5508, I had an issue where after approximately an hour mobile clients, especially mobile phones, would disconnect and would have to go through the Web Authentication Redirect page again and again. This was very annoying. Basically, on the Cisco WLC 5508, web-auth devices time out and have to re-authenticate.

After doing lots of research and trying to change the timeout settings (User Idle Timeout, ARP Timeout, Session Timeout), nothing worked. Finally, after working with Cisco TAC and running a debug on the client (“debug client mac-id”), I noticed that after an hour the WLC sends a new broadcast (EAPOL) key to the client:

Updated broadcast key sent to mobile 00:23:76:D5:68:61

The Cisco WLC 5508 tries this 3 times; after the 3rd failed attempt it gives up, considers the client no longer active, sends a deauthentication packet, and then removes the client completely. That is why, when the client comes back, it has to go through the Web Authentication Redirect page again: the key it holds is old and no longer valid.

Retransmit failure for EAPOL-Key M5 to mobile mac-id, retransmit count 3, mscb deauth count 0
Sent Deauthenticate to mobile on BSSID ap-mac-id slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Jun 16 10:47:30.960: client-mac client-ip RUN (20) Deleted mobile LWAPP rule on AP [ap-mac]
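To confirm that this is really what is happening before changing any timers, here is an added example (not code from the post and not a Cisco tool) in Python that scans saved “debug client” output for the sequence quoted above: a broadcast key update, EAPOL-Key M5 retransmit failures reaching the retry limit, then a deauthenticate and the client rule being deleted. The sample lines are constructed for the example and modelled on the lines quoted above; the task names, MACs, IP address and timestamps in them are made up, and the prefix format is assumed to look like the apfReceiveTask line, so the parser also falls back to the “to mobile <mac>” field when a line has no such prefix.

```python
"""Added example: scan saved Cisco WLC 'debug client <mac>' output for the
broadcast-key retransmit-failure -> deauthenticate pattern described in the post.
Not Cisco code; line formats are modelled on the lines quoted in the post and
are otherwise constructed for this example."""
import re
from collections import defaultdict

# Assumed prefix, modelled on the post's apfReceiveTask line:
# "*task: Mon DD HH:MM:SS.mmm: <client-mac> ..."
PREFIX_RE = re.compile(r"^\*\w+: \w{3} +\d+ [\d:.]+: ([0-9a-fA-F:]{17})")
TO_MOBILE_RE = re.compile(r"to mobile ([0-9a-fA-F:]{17})")
RETRANSMIT_RE = re.compile(
    r"Retransmit failure for EAPOL-Key (M\d) to mobile .*retransmit count (\d+)")

# Constructed sample: task names, MACs, IP and timestamps are made up for this example.
SAMPLE_DEBUG = """\
*dot1xMsgTask: Jun 16 10:47:28.120: 00:23:76:d5:68:61 Updated broadcast key sent to mobile 00:23:76:D5:68:61
*dot1xMsgTask: Jun 16 10:47:29.130: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 1, mscb deauth count 0
*dot1xMsgTask: Jun 16 10:47:30.140: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 2, mscb deauth count 0
*dot1xMsgTask: Jun 16 10:47:30.950: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Jun 16 10:47:30.951: 00:23:76:d5:68:61 Sent Deauthenticate to mobile on BSSID 00:1a:2b:3c:4d:50 slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Jun 16 10:47:30.960: 00:23:76:d5:68:61 10.10.20.31 RUN (20) Deleted mobile LWAPP rule on AP [00:1a:2b:3c:4d:50]
*dot1xMsgTask: Jun 16 10:47:28.121: 00:23:76:aa:bb:cc Updated broadcast key sent to mobile 00:23:76:AA:BB:CC
"""


def client_mac(line, last_seen):
    """Pick the client MAC for a line: the debug prefix first, then the
    'to mobile <mac>' field, else the client most recently seen (for lines
    such as the deauthenticate one, which only name the AP BSSID)."""
    m = PREFIX_RE.match(line)
    if m:
        return m.group(1).lower()
    m = TO_MOBILE_RE.search(line)
    if m:
        return m.group(1).lower()
    return last_seen


def parse_debug(lines):
    """Return per-client counters: broadcast-key updates, the highest EAPOL-Key
    retransmit count seen, and whether a deauth / rule deletion followed."""
    clients = defaultdict(lambda: {"bcast_key_updates": 0, "max_retransmit": 0,
                                   "eapol_msg": None, "deauth": False, "deleted": False})
    last = None
    for line in lines:
        mac = client_mac(line, last)
        if mac is None:
            continue
        last = mac
        retrans = RETRANSMIT_RE.search(line)
        if "Updated broadcast key sent to mobile" in line:
            clients[mac]["bcast_key_updates"] += 1
        elif retrans:
            clients[mac]["eapol_msg"] = retrans.group(1)
            clients[mac]["max_retransmit"] = max(clients[mac]["max_retransmit"],
                                                 int(retrans.group(2)))
        elif "Sent Deauthenticate to mobile" in line:
            clients[mac]["deauth"] = True
        elif "Deleted mobile LWAPP rule" in line:
            clients[mac]["deleted"] = True
    return dict(clients)


def flag_bcast_key_timeouts(clients, max_retries=3):
    """Clients that received a broadcast-key update, then hit the EAPOL-Key
    retry limit (3 on the controller in the post) and were deauthenticated."""
    return sorted(mac for mac, c in clients.items()
                  if c["bcast_key_updates"] > 0
                  and c["max_retransmit"] >= max_retries
                  and c["deauth"])


def report(clients, max_retries=3):
    """One summary line per client, plus the post's fix if anything was flagged."""
    flagged = set(flag_bcast_key_timeouts(clients, max_retries))
    out = []
    for mac, c in sorted(clients.items()):
        verdict = "bcast-key timeout -> deauth" if mac in flagged else "no deauth pattern"
        out.append(f"{mac}: key updates={c['bcast_key_updates']} "
                   f"max retransmit={c['max_retransmit']} deauth={c['deauth']} "
                   f"deleted={c['deleted']} -> {verdict}")
    if flagged:
        out.append("Fix from the post: config advanced eap bcast-key-interval <seconds> "
                   "(120 to 86400), then re-run the debug to confirm.")
    return out


if __name__ == "__main__":
    for line in report(parse_debug(SAMPLE_DEBUG.splitlines())):
        print(line)
```

Run it against a capture saved from the controller's terminal session; a client that shows up in the flagged list with three failed M5 retransmits right after a broadcast-key update matches the symptom in this post, while a client that was deauthenticated without any retransmit failures points at some other cause (idle timeout, session timeout, or the client leaving on its own).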

Solution

The solution is to increase the broadcast key interval. I used the following command to accomplish this. PS: this option was not available in the GUI with the code I am using, so the only way for me to set it was via the Cisco WLC 5508 command line interface; as of this code it applies globally to all WLANs:
config advanced eap bcast-key-interval seconds (120 to 86400)


Reader's Comments

  1.

    Great information! I have the same issue. What is the length you changed it to?

    thanks

  2.

    I changed it to 12 hours.

  3.

    Hello Ali, did you ever face a situation where you had to exclude some devices to skip the WebAuth? I have some KIOSKs where there is no keyboard to click the I Agree button.

  4.

    If it is a KIOSK, then users should be able to use the touch screen to hit the “I Agree” button. But if you want KIOSKs to bypass the “Web Authentication”, just create another SSID and associate them to the SSID that does not have “Web Authentication” set up.

  5.

    The issue is then other users will use the new SSID to skip the user agreement... I am still drilling the commands... I use MAC entries for outdoor APs and WGB clients to keep the reachability... not sure if this helps me.

  6.

    No, they won’t be able to use the other SSID; just set up WPA2 security on that SSID and only set up that SSID on the KIOSKs with the WPA2 key. Do not distribute that key to the users.

  7.

    Can you tell me how new this command is? I’m running 7.0.98.0 and I don’t see it:

    Cisco Controller) >config advanced eap ?

    eapol-key-timeout Configures EAPOL-Key Timeout in milliseconds.
    eapol-key-retries Configures EAPOL-Key Max Retries.
    identity-request-timeout Configures EAP-Identity-Request Timeout in seconds.
    identity-request-retries Configures EAP-Identity-Request Max Retries.
    key-index Configure the key index used for dynamic WEP (802.1x) unicast key (PTK).
    max-login-ignore-identity-response Configure to ignore the same username count reaching max in the EAP identity response
    request-timeout Configures EAP-Request Timeout in seconds.
    request-retries Configures EAP-Request Max Retries.

  8.

    I am using 7.0.116.0 and it is available in that one.

  9.

    I tried this, and it hasn’t changed the controller’s behavior. Clients (smartphones) still get de-authenticated when they put their phone to sleep. Upon resuming the connection, they are prompted with the webauth again. I do have internal controllers anchored to guest controllers in the DMZ. I have not updated the code to 7.0.116 internally yet. Could that be the problem? Also, I have an OEAP connected at my house with the Guest Wifi pushed to it. I get the same behavior there and I’m not going through any of the internal controllers. I sure wish Cisco would resolve this.

  10.

    I’m not sure about the code; I didn’t try it on the old code, and unfortunately I do not have another controller yet to test it with the older code. See if you can perhaps upgrade your code. Plus, do you have the web authentication set up also? There are a few other settings you might need to tweak in your case via the GUI, like “user idle timeout”. Also try running a debug and see what happens; that is how I caught the issue.

  11.

    Tried the ‘debug client details’ on a 5508 controller on version 7.0.116.0.

    But this ‘details’ command does not exist. Only ‘debug client’.

    Are you sure you used that? And what am I missing then?

  12.

    Good catch sorry “details” got added in there by mistake. I updated my post.

  13.

    We have been experiencing the same issue with iOS devices with our WLC2100 controllers on our Guest wireless networks that use web authentication. I was having to re-authenticate my iPhone as often as every 15 minutes! I changed this parameter to match our session timeout (8 hours or 28800 seconds) and, voila! No more re-authentication.

    Very helpful solution to a very obscure problem.

  14.

    I am facing the same problem. Guest users with mobile devices need web re-auth after sleeping for a while; however, the time is not consistent. I am using a 5508 as the anchor WLC and a Foreign WLC with code 7.1.91.0. The session timeout and idle timeout are all 4 hours. I would like to try the command eap bcast-key-interval seconds to solve the issue. Is it a must to configure it to 4 hours to match the value in the session timeout and idle timeout?

  15.

    More questions: is this command required to be applied to all WLCs? Also, encryption is not configured between the WiFi end device and AP. So, can this command solve the issue?

  16.

    Good questions Gary, I personally just matched all my settings because it makes sense and I didn’t want to complicate things by keeping them different. That command actually configures the time at which the client will receive the key broadcast, and you can actually see it if you are running a debug that the controller will try it 3 times and after that disassociate the client.

    I’m pretty sure you will have to apply it to all the WLCs. Because if a client gets connected to an AP and that AP is on a second WLC that does not have that command, it only makes sense that it will get disassociated; if you are using a WCS server you can push it from there.

    Backup your configs and test it out before you put it in production. I’ll see if I can configure something on my second controller that is not in production yet and do some testing if I have some time.

  17.

    Hello,
    I’m experiencing a similar problem but only on Dell laptop clients.

    My APs are associated with the controller in the desktop block, but guest clients are terminated on the anchor controller in the DMZ using mobility anchors.

    Can you advise on which controller I may try to change the broadcast interval?

    Thanks

  18.

    First you want to make sure that is what is happening and there isn’t some other issue that is causing this problem, since you mentioned this is only happening with the Dell laptops. So basically you are saying if you have other devices connected to the SAME SSID and network as the Dell laptops they work, but Dell laptops will de-authenticate after a certain time. Also, is it only happening with the Dell laptop clients that are connecting as guests? Start with running a debug like “debug client mac-id”.

  19.

    As I started reading this, I was thinking the same thing that Gary mentioned on 5June12 8:36am. Isn’t the wireless connection open when using web auth? Wouldn’t that mean EAP/encryption isn’t being used? If that is the case, how would an EAP broadcast timer fix the issue? I’m not saying it doesn’t fix the issue, but just don’t see how it does. Is this a bug that when a client doesn’t respond to the EAP queries, the WLC incorrectly disconnects the client?

    I have users reporting disconnects as well that require web auth again when they immediately connect again. This happens when they are actively using the laptop. This to me means that either the client actively disconnected or the WLC actively removed the client and not an idle time-out issue.

  20.

    Good question. In my case I was using “Web Authentication with a disclaimer”. So there is an authentication phase, as I am not using completely open wireless, hence the EAPOL-Key update request. If you are using completely open authentication then this should not apply; I’d test it out in a lab environment.

    Here is a great link to understand it a bit more.
    http://wireless-richard.blogspot.com/2012/11/continue-on-session-timeout.html

