This Blog is for my own personal notes during my quest for CCIE Wireless. Some of it is probably not correct but I will change it when I realise!
Feel free to add comments if you disagree with something or wish to add anything!
Tuesday, 30 October 2012
Cisco WLC keeping web auth persistent
How would you keep a client’s web authentication persistent even after the client gets disconnected or deauthenticated?
Device: Cisco WLC 5508
Recently, after setting up the Wireless Network and the Web Authentication Redirect option on a Cisco Wireless LAN controller (5508), I had an issue where after approximately an hour mobile clients, especially mobile phones, would disconnect and would have to go through the Web Authentication Redirect page again and again. This was very annoying. Basically, on the Cisco WLC 5508, webauth devices time out and have to re-authenticate.
After doing lots of research and trying to change the timeout settings under User Idle Timeout, ARP timeout and Session timeout, nothing worked. Finally, after working with Cisco TAC and doing a debug on the client (“debug client mac-id”), I noticed that after an hour the WLC sends the new EAP key to the client.
Updated broadcast key sent to mobile 00:23:76:D5:68:61
The Cisco WLC 5508 tries this 3 times, and after the 3rd time it gives up, considers the client no longer active and sends a deauthentication packet; next the Cisco WLC 5508 removes the client completely. This is why, when the client comes back, they have to go through the Web Authentication Redirect page again: the key they have is old and no longer valid.
Retransmit failure for EAPOL-Key M5 to mobile mac-id, retransmit count 3, mscb deauth count 0
Sent Deauthenticate to mobile on BSSID ap-mac-id slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Jun 16 10:47:30.960: client-macclient-ip RUN (20) Deleted mobile LWAPP rule on AP [ap-mac]
The solution is to increase the broadcast key time interval. I used the following command to accomplish this. PS: This option was not available in the GUI with the code I am using, so the only way for me to do it was via the Cisco WLC 5508 Command Line Interface. As of this code, it applies globally to all the WLANs:
config advanced eap bcast-key-interval seconds (120 to 86400)
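To confirm this pattern in saved debug client output, the sketch below flags clients that were deauthenticated right after a failed broadcast key (EAPOL-Key M5) retransmit. It is an added example, not part of the original notes or Cisco tooling; the message texts are the ones quoted above, while the "*task: timestamp: client-mac" prefix layout, the function name and all sample MACs, IPs and timestamps other than 00:23:76:D5:68:61 are assumptions.

```python
import re

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Assumed line prefix, modelled on the apfReceiveTask line quoted in the post:
#   *<task>: <Mon DD HH:MM:SS.mmm>: <client-mac> <message>
PREFIX = re.compile(rf"^\*\w+: (?P<ts>\w+ +\d+ [\d:.]+): (?P<mac>{MAC}) ")
KEY_SENT = re.compile(rf"Updated broadcast key sent to mobile (?P<mac>{MAC})")
RETX_FAIL = re.compile(
    rf"Retransmit failure for EAPOL-Key M5 to mobile (?P<mac>{MAC}), "
    r"retransmit count (?P<n>\d+)")
DEAUTH = re.compile(r"Sent Deauthenticate to mobile on BSSID (?P<bssid>\S+) slot \d+")


def find_rekey_deauths(lines):
    """Return one record per client deauthenticated after a failed M5 rekey."""
    pending = {}   # client MAC -> retransmit count of its last M5 failure
    findings = []
    for line in lines:
        prefix = PREFIX.match(line)
        client = prefix.group("mac").lower() if prefix else None
        if m := KEY_SENT.search(line):
            # A new key push starts a fresh rekey attempt for this client.
            pending.pop(m.group("mac").lower(), None)
        elif m := RETX_FAIL.search(line):
            pending[m.group("mac").lower()] = int(m.group("n"))
        elif (m := DEAUTH.search(line)) and client in pending:
            # Deauth that follows an M5 failure: the rekey caused the drop.
            findings.append({
                "client": client,
                "bssid": m.group("bssid").lower(),
                "time": prefix.group("ts"),
                "retransmits": pending.pop(client),
            })
    return findings


# Constructed sample input (not captured from a real controller).
SAMPLE = """\
*dot1xMsgTask: Jun 16 10:47:27.101: 00:23:76:d5:68:61 Updated broadcast key sent to mobile 00:23:76:D5:68:61
*dot1xMsgTask: Jun 16 10:47:30.957: 00:23:76:d5:68:61 Retransmit failure for EAPOL-Key M5 to mobile 00:23:76:d5:68:61, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Jun 16 10:47:30.958: 00:23:76:d5:68:61 Sent Deauthenticate to mobile on BSSID 00:11:22:33:44:50 slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Jun 16 10:47:30.960: 00:23:76:d5:68:61 192.0.2.23 RUN (20) Deleted mobile LWAPP rule on AP [00:11:22:33:44:50]
*dot1xMsgTask: Jun 16 10:47:27.140: aa:bb:cc:00:00:02 Updated broadcast key sent to mobile aa:bb:cc:00:00:02
*apfReceiveTask: Jun 16 10:52:11.300: aa:bb:cc:00:00:03 Sent Deauthenticate to mobile on BSSID 00:11:22:33:44:50 slot 0(caller apf_ms.c:5000)
""".splitlines()

if __name__ == "__main__":
    for hit in find_rekey_deauths(SAMPLE):
        print(hit)
```

A client that shows up here roughly every broadcast key interval is hitting the rekey failure described above rather than an idle or session timeout.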