How would you keep client’s web authentication persistent even after client gets disconnected or de authenticated?
Device: Cisco WLC 5508
Code: 7.0.116.0
Recently after setting up the Wireless Network and Web Authentication Redirect option on a Cisco Wireless LANcontroller – 5508 I had an issue where after approximately an hour mobile clients specially mobile phones would disconnect and they would have to go through the Web Authentication Redirect page again and again. This was very annoying. Basically on Cisco WLC 5508 webauth devices timeout and they would have to re authenticate.
After doing lots of research and trying to change the time out settings under User Idle Timeout, ARP timeout, Session timeout nothing worked. Finally after working with Cisco TAC and doing a debug on the client “debugclient mac-id. I noticed that after an hour WLC sends the new EAP key to the client.
Updated broadcast key sent to mobile 00:23:76:D5:68:61
Cisco WLC 5508 tries this 3 times and after the 3rd time it gives up and considers the client not active any more and sends a de authentication packet, next Cisco WLC 5508 removes the client completely. Hence why when the clientcomes back they have to go through the Web Authentication Redirect Page again because key they have is old and is not valid any more.
Retransmit failure for EAPOL-Key M5 to mobile mac-id, retransmit count 3, mscb deauth count 0
Sent Deauthenticate to mobile on BSSID ap-mac-id slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Jun 16 10:47:30.960: client-mac client-ip RUN (20) Deleted mobile LWAPP rule on AP [ap-mac]
Solution
Solution is to increase the broadcast key time interval. I used the following command to accomplish this. PS: This option was not available in the GUI with the code I am using so the only way for me to do it was via the Cisco WLC 5508 Command Line Interface, this applies globally to all the WLAN’s as of this code:
config advanced eap bcast-key-interval seconds (120 to 86400)
config advanced eap bcast-key-interval seconds (120 to 86400)