Tuesday, 30 October 2012

Cisco WLC keeping web auth persistent

How would you keep a client’s web authentication persistent even after the client gets disconnected or deauthenticated?

Device: Cisco WLC 5508


Recently, after setting up the wireless network and the Web Authentication Redirect option on a Cisco Wireless LAN Controller 5508, I had an issue where after approximately an hour mobile clients, especially mobile phones, would disconnect and then have to go through the Web Authentication Redirect page again and again. This was very annoying. Basically, on the Cisco WLC 5508, webauth devices time out and have to re-authenticate.
After doing lots of research and trying to change the timeout settings under User Idle Timeout, ARP Timeout and Session Timeout, nothing worked. Finally, after working with Cisco TAC and running a debug on the client (“debug client mac-id”), I noticed that after an hour the WLC sends the new EAP key to the client.

Updated broadcast key sent to mobile 00:23:76:D5:68:61

The Cisco WLC 5508 tries this 3 times, and after the 3rd time it gives up, considers the client no longer active and sends a deauthentication packet; next, the Cisco WLC 5508 removes the client completely. This is why, when the client comes back, they have to go through the Web Authentication Redirect page again: the key they have is old and no longer valid.

Retransmit failure for EAPOL-Key M5 to mobile mac-id, retransmit count 3, mscb deauth count 0

Sent Deauthenticate to mobile on BSSID ap-mac-id slot 0(caller 1x_ptsm.c:534)

*apfReceiveTask: Jun 16 10:47:30.960: client-mac client-ip RUN (20) Deleted mobile LWAPP rule on AP [ap-mac]


The solution is to increase the broadcast key time interval. I used the following command to accomplish this. PS: This option was not available in the GUI with the code I am using, so the only way for me to do it was via the Cisco WLC 5508 command line interface. As of this code, it applies globally to all the WLANs:
config advanced eap bcast-key-interval seconds (120 to 86400)
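
The deauthentication sequence in the debug output above can be picked out of a saved capture automatically. The script below is an added example, not part of the original post or any Cisco tool; it assumes every debug line carries a "*task: timestamp: client-mac" prefix, and the sample lines are constructed around the messages quoted in the post.

```python
import re

# Assumed prefix on every debug line: "*<task>: <Mon DD HH:MM:SS.mmm>: <client-mac> <message>"
LINE = re.compile(
    r"^\*\w+: (?P<ts>\w{3} +\d+ [\d:.]+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.IGNORECASE)
M5_FAIL = re.compile(r"Retransmit failure for EAPOL-Key M5 .*retransmit count (\d+)")

# Constructed sample: message texts follow the post; task names, IPs, BSSIDs,
# the placeholder caller and the second and third clients are made up.
SAMPLE = """\
*dot1xMsgTask: Jun 16 10:47:27.958: 00:23:76:d5:68:61 Updated broadcast key sent to mobile 00:23:76:D5:68:61
*osapiBsnTimer: Jun 16 10:47:30.958: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Jun 16 10:47:30.959: 00:23:76:d5:68:61 Sent Deauthenticate to mobile on BSSID aa:bb:cc:00:00:10 slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Jun 16 10:47:30.960: 00:23:76:d5:68:61 192.0.2.25 RUN (20) Deleted mobile LWAPP rule on AP [aa:bb:cc:00:00:10]
*dot1xMsgTask: Jun 16 10:47:27.961: 00:11:22:33:44:55 Updated broadcast key sent to mobile 00:11:22:33:44:55
*apfReceiveTask: Jun 16 10:52:01.100: 66:77:88:99:aa:bb Sent Deauthenticate to mobile on BSSID aa:bb:cc:00:00:10 slot 0(caller placeholder.c:0)
"""

def find_rekey_deauths(lines):
    """Return clients deauthenticated right after a failed broadcast-key (M5) update."""
    pending = {}   # client MAC -> state since the last broadcast key update
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-client debug line
        mac, ts, msg = m["mac"].lower(), m["ts"], m["msg"]
        if msg.startswith("Updated broadcast key sent to mobile"):
            pending[mac] = {"rekey_ts": ts, "retries": None}
        elif (fail := M5_FAIL.search(msg)) and mac in pending:
            pending[mac]["retries"] = int(fail.group(1))
        elif msg.startswith("Sent Deauthenticate to mobile"):
            st = pending.pop(mac, None)
            # Flag only deauths that follow an M5 retransmit failure.
            if st and st["retries"] is not None:
                findings.append({"mac": mac, "deauth_ts": ts, **st})
    return findings

if __name__ == "__main__":
    for f in find_rekey_deauths(SAMPLE.splitlines()):
        print(f"{f['mac']}: key update {f['rekey_ts']}, "
              f"{f['retries']} failed M5 retransmits, deauth {f['deauth_ts']}")
```

Running it over captures taken before and after changing the interval shows whether the hourly deauthentications have stopped; clients that took the key update without a failure, or were deauthenticated for another reason, are not reported.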


  1. Hi, does the CLI ensure that the client doesn't need to go through web-auth again? Can you please explain what's the outcome if I set it to 86400 as opposed to the user-idle timeout, which I've already set to 86400?

  2. Wow, what an article, how long did it take you to copy it from mine lol? Really dude, you are a CCIE or working on CCIE and you would steal someone else's blog and won't even bother to notify them, ask permission and/or give credit? Shame on you.

  6. Hello all, I need the other way around.
    We have an open SSID with web authentication. The APs ask an external DHCP server for the IP to assign to the wireless device.
    The problem is that I see many clients connected automatically to the SSID, obtaining the IP address from DHCP but never authenticating. So they occupy an IP without working, running the DHCP out of scope with no further IP to assign.

    So the question is: "is there a way to completely disconnect (with IP release) an inactive client?"

    Thanks in advance
    Stefano Chiesa
