WLAN Timeouts

• Timeout for Disabled Clients, on page 1
• Session Timeouts, on page 1
• User Idle Timeout per WLAN, on page 3
• Address Resolution Protocol Timeout, on page 4
• Multisession ID Support, on page 4
• Authentication of Sleeping Clients, on page 6

Timeout for Disabled Clients

You can configure a timeout for disabled clients. Clients that fail to authenticate three times when attempting to associate are automatically disabled from further association attempts. After the timeout period expires, the client is allowed to retry authentication until it associates or fails authentication and is excluded again. Use these commands to configure a timeout for disabled clients.

Configuring Timeout for Disabled Clients (CLI)

• Configure the timeout for disabled clients by entering the config wlan exclusionlist wlan_id timeout command. The valid timeout range is 1 to 2147483647 seconds. A value of 0 permanently disables the client.
• Verify the current timeout by entering the show wlan command.

Session Timeouts

You can configure a WLAN with a session timeout. The session timeout is the maximum time that a client session can remain active before reauthorization is required. If a WLAN is configured with Layer 2 security, for example WPA2-PSK, and a Layer 3 authentication is also configured, the WLAN session timeout value is overridden with the dot1x reauthentication timeout value. If the apf reauthentication timeout value is greater than 65535, the WLAN session timeout is set to 65535 by default; otherwise, the configured dot1x reauthentication timeout value is applied as the WLAN session timeout. This section contains the following subsections:

WLAN Timeouts 1 WLAN Timeouts Configuring a Session Timeout (GUI)

Configuring a Session Timeout (GUI)

The configurable session timeout range is:
• 300-86400 for 802.1X (EAP)
• 0-65535 for all other security types

Note If you configure a session-timeout of 0, it means 86400 seconds for 802.1X (EAP), and it disables the session-timeout for all other security types.

Note When an 802.1X WLAN session timeout value is modified, the PMK cache of the associated clients does not change to reflect the new session timeout value.
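The session-timeout rules above (per-security-type ranges, the meaning of 0, and the Layer 2 + Layer 3 override capped at 65535) as a small Python model you can run a planned value through before applying it; this is an added example, not code from the Cisco guide, and the function names and the WPA2-PSK label used in the checks are my own.

```python
# Added example: models the WLC session-timeout rules described in this section.
# Security-type names and ranges are taken from the text; function names are mine.

EAP_TYPES = {"802.1X", "Static WEP+802.1X", "WPA+WPA2 with 802.1X", "CCKM", "802.1X+CCKM"}


def session_timeout_error(seconds, l2_security):
    """Return a message if seconds is outside the configurable range for this security type, else None."""
    if not isinstance(seconds, int) or seconds < 0:
        return "session timeout must be a non-negative integer"
    if l2_security in EAP_TYPES:
        # 802.1X (EAP): 300-86400; 0 is accepted and carries the special meaning below
        if seconds != 0 and not 300 <= seconds <= 86400:
            return "802.1X (EAP) session timeout must be 0 or 300-86400 seconds"
    elif seconds > 65535:
        return "session timeout must be 0-65535 seconds for this security type"
    return None


def effective_session_timeout(seconds, l2_security, layer3_auth=False, dot1x_reauth=None):
    """Seconds after which a client must reauthorize, or None when the timeout is disabled."""
    err = session_timeout_error(seconds, l2_security)
    if err:
        raise ValueError(err)
    if layer3_auth and dot1x_reauth is not None:
        # Layer 2 + Layer 3 configured: the dot1x reauthentication timeout overrides the
        # WLAN value, and anything above 65535 is set to 65535
        return min(dot1x_reauth, 65535)
    if seconds == 0:
        # 0 means 86400 seconds for 802.1X (EAP) and disables the timeout for all other types
        return 86400 if l2_security in EAP_TYPES else None
    return seconds


if __name__ == "__main__":
    print(effective_session_timeout(0, "802.1X"))                      # 86400
    print(effective_session_timeout(1800, "WPA2-PSK", True, 70000))    # 65535
```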

Procedure

Step 1 Choose WLANs to open the WLANs page.
Step 2 Click the ID number of the WLAN for which you want to assign a session timeout.
Step 3 When the WLANs > Edit page appears, choose the Advanced tab. The WLANs > Edit (Advanced) page appears.
Step 4 Select the Enable Session Timeout check box to configure a session timeout for this WLAN. Not selecting the check box is equal to setting it to 0, which is the maximum value for a session timeout for each session.
Step 5 Click Apply to commit your changes.
Step 6 Click Save Configuration to save your changes.

Configuring a Session Timeout (CLI)

Procedure

Step 1 Configure a session timeout for wireless clients on a WLAN by entering this command:

config wlan session-timeout wlan_id timeout

The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management, and 0 seconds for all other Layer 2 security types (Open WLAN/CKIP/Static WEP). A value of 0 is equivalent to no timeout. For the 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security types such as open, WebAuth, and PSK, for which the PMK cache is not created, the session timeout value is shown as infinite when the session timeout is disabled.


Step 2 Save your changes by entering this command:

save config

Step 3 See the current session timeout value for a WLAN by entering this command:

show wlan wlan_id

Information similar to the following appears:

WLAN Identifier.................................. 9
Profile Name..................................... test12
Network Name (SSID).............................. test12
...
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
...
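When you verify many WLANs, it is easier to parse the show wlan output than to read it by eye. The following is an added example, not code from the Cisco guide: it parses the dotted-leader fields into a dict and audits the two timeouts discussed in this section. The sample output is constructed from the values shown above, the one-field-per-line layout is assumed, and the policy limits and function names are my own.

```python
# Added example: parse "show wlan <id>" output and audit the exclusion-list and
# session timeouts. Sample output constructed from the values shown in the text.
import re

SAMPLE_SHOW_WLAN = """\
WLAN Identifier.................................. 9
Profile Name..................................... test12
Network Name (SSID).............................. test12
...
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
...
"""

# "Field name..... value": the name must contain at least one non-dot character,
# so the "..." continuation lines are skipped.
FIELD_RE = re.compile(r"^(?P<name>[^.]+?)\.{2,}\s*(?P<value>.*)$")


def parse_show_wlan(text):
    """Map each 'Name..... value' line to name -> value (both as strings)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("name").strip()] = m.group("value").strip()
    return fields


def timeout_seconds(value):
    """'1800 seconds' -> 1800; anything else (e.g. 'infinite' when disabled) -> None."""
    m = re.match(r"(\d+)\s*seconds", value)
    return int(m.group(1)) if m else None


def audit_timeouts(fields, max_session=86400, min_exclusion=60):
    """Return findings against an assumed local policy; an empty list means both timeouts comply."""
    findings = []
    excl = timeout_seconds(fields.get("Exclusionlist Timeout", ""))
    sess = timeout_seconds(fields.get("Session Timeout", ""))
    if excl is not None and excl < min_exclusion:
        findings.append(f"exclusion-list timeout {excl}s is below policy minimum {min_exclusion}s")
    if sess is None:
        findings.append("session timeout is disabled (shown as infinite)")
    elif sess > max_session:
        findings.append(f"session timeout {sess}s exceeds policy maximum {max_session}s")
    return findings
```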

User Idle Timeout per WLAN

This is an enhancement to the present implementation of the user idle timeout feature, which is applicable to all WLAN profiles on the controller. With this enhancement, you can configure a user idle timeout for an individual WLAN profile. This user idle timeout is applicable to all the clients that belong to this WLAN profile.

You can also configure a threshold-triggered timeout: if a client has not sent a threshold quota of data within the specified user idle timeout, the client is considered to be inactive and is deauthenticated. If the data sent by the client is more than the threshold quota specified within the user idle timeout, the client is considered to be active and the controller refreshes the timer for another timeout period. If the threshold quota is exhausted within the timeout period, the timeout period is refreshed.

Suppose the user idle timeout is specified as 120 seconds and the user idle threshold is specified as 10 megabytes. After a period of 120 seconds, if the client has not sent 10 megabytes of data, the client is considered to be inactive and is deauthenticated. If the client has exhausted 10 megabytes within 120 seconds, the timeout period is refreshed. This section contains the following subsections:
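The 120-second / 10-megabyte behaviour described above, simulated over a constructed sequence of client transmissions; this is an added example, not code from the Cisco guide, and the function name, the event list and the reading that a refreshed period restarts at the moment the quota is reached are my assumptions.

```python
# Added example: simulate the per-WLAN user idle timeout with a data threshold.
# Timestamps are seconds since association; byte counts are constructed sample data.
MB = 1024 * 1024

# Constructed sample: 4 MB at 30 s, 7 MB at 90 s, then silence
SAMPLE_EVENTS = [(30, 4 * MB), (90, 7 * MB)]


def idle_deauth_time(events, now, idle_timeout_s=120, threshold_bytes=10 * MB):
    """events: (timestamp_seconds, bytes_sent) pairs in time order.
    Returns the time at which the client is deauthenticated for inactivity,
    or None if it is still considered active at `now`."""
    period_start = 0        # start of the current idle-timeout period
    sent_in_period = 0      # bytes counted toward the threshold in this period
    for t, nbytes in events:
        if t - period_start >= idle_timeout_s:
            # A full period passed without reaching the quota: the client was
            # deauthenticated at its end, so this later traffic is from a
            # client that is no longer authenticated.
            return period_start + idle_timeout_s
        sent_in_period += nbytes
        if sent_in_period >= threshold_bytes:
            # Quota exhausted inside the period: the timeout period is refreshed
            period_start = t
            sent_in_period = 0
    if now - period_start >= idle_timeout_s:
        return period_start + idle_timeout_s
    return None


if __name__ == "__main__":
    # 11 MB by 90 s refreshes the period; nothing follows, so deauth at 90 + 120 = 210 s
    print(idle_deauth_time(SAMPLE_EVENTS, now=400))
```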

Configuring Per-WLAN User Idle Timeout (CLI)

Procedure
• Configure the user idle timeout for a WLAN by entering this command:
config wlan usertimeout timeout-in-seconds wlan-id
• Configure the user idle threshold for a WLAN by entering this command:
config wlan user-idle-threshold value-in-bytes wlan-id


Address Resolution Protocol Timeout

The Address Resolution Protocol (ARP) timeout is used to delete ARP entries on the controller for devices learned from the network. There are four types of ARP entries:
• Normal type: Displayed as Host on the CLI
• Mobile client type: Displayed as Client on the CLI
• Permanent type: Displayed as Permanent on the CLI
• Remote type: Displayed as Client on the CLI

Only the Normal type ARP entry can be deleted. The other three entries cannot be deleted using the ARP timeout feature. This section contains the following subsections:

Configuring ARP Timeout (GUI)

Procedure

Step 1 Choose Controller > General.
Step 2 In the ARP Timeout field, enter the timeout value in seconds. By default, the timeout is set to 300 seconds; the valid range is 10 to 2147483647 seconds.
Step 3 Save the configuration.

Configuring ARP Timeout (CLI)

Procedure
• Configure the ARP timeout value by entering this command:

config network arptimeout value-in-seconds

The default value is 300 seconds; the valid range is 10 to 2147483647 seconds.

Multisession ID Support

This feature enables CWA roaming in the network. In central web authentication (CWA), the AAA server depends on the audit-session-id to identify authenticated clients. If the Cisco WLC uses a new audit-session-id for authentication, the AAA server forces the client to reauthenticate. In this release, a multisession ID is introduced to be used in the RADIUS server, to support intercontroller client roaming in the case of open + MAC filtering with CWA.


When the client roams to a location where the SSID is disabled and enabled again, the client must log in to the network again. This feature supports the following types of connections:
• Dot1x + CWA
• MAC filtering + CWA
• PSK + CWA

Note The CLI output displays the type of PMK under 'Type' for that session. It shows the PMK type of a non-dot1x client session, and RSN for a dot1x client session. This is not related to the type of security enabled on the SSID.

Guidelines and Limitations for Multisession ID Support

• Starting with Release 8.9, the audit session ID for Open and PSK (non-802.11r) is shared by the mobility handoff message. Suppose there are multiple Cisco Wireless releases in use in a mobility domain. An audit session ID might not be reused if a client roams in Open and PSK (non-802.11r). If you want the same audit session to be used, we recommend that you have all the mobility peers on the same Cisco Wireless release. Prior to Release 8.9, the audit session ID for Open and PSK (non-802.11r) was shared by the PMK Update message.

This section contains the following subsections:

Viewing Multisession ID Support (CLI)

Procedure
• View the PMK cache entries, including the audit session ID, for all clients or for a single client MAC address by entering this command:
show pmk-cache {all | mac_address}

Note The CLI output displays the type of PMK under 'Type' for that session. It shows the PMK type of a non-dot1x client session (Open in the example below), and Robust Security Network (RSN) for a dot1x client session. This is not related to the type of security enabled on the SSID.

Example:

controller > show pmk-cache all

Number of PMK Cache Entries: 1

PMK-CCKM Cache Entry
Type  Station            Lifetime  VLAN Override  IP Override  Audit-Session-ID          Username
----  -----------------  --------  -------------  -----------  ------------------------  --------
Open  b4:6r:0e:4e:3f:04  1814                     0.0.0.0      15200b0900000010de65045a  UNKNOWN


Authentication of Sleeping Clients

Clients with guest access that have had successful web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is 10 minutes to 43200 minutes, with the default being 720 minutes. You can configure the duration on a WLAN and on a user that is mapped to the WLAN. The sleeping timer becomes effective after the idle timeout. If the client timeout is less than the time configured on the sleeping timer of the WLAN, then the lifetime of the client is used as the sleeping time.

Note The sleeping timer expires every 5 minutes.

This feature is supported in the following FlexConnect scenario: local switching and central authentication.

Caution If the MAC address of a client that goes to sleep mode is spoofed, the fake device such as a laptop can be authenticated.

Following are some guidelines in a mobility scenario:
• L2 roaming in the same subnet is supported.
• The anchor sleeping timer is applicable.
• The sleeping client information is shared between multiple autoanchors when a sleeping client moves from one anchor to another.

From release 8.0 and later, in a High Availability scenario, the sleeping timer is synchronized between active and standby.

Supported Mobility Scenarios

A sleeping client does not require reauthentication in the following scenarios:
• Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.
• Suppose there are three controllers in a mobility group. A client that is associated with the second controller that is anchored to the first controller goes to sleep, wakes up, and gets associated with the third controller.
• A client sleeps, wakes up and gets associated with the same or a different export foreign controller that is anchored to the export anchor.

This section contains the following subsections:


Restrictions for Authenticating Sleeping Clients

• The sleeping client feature works only for WLANs configured with WebAuth security. Web passthrough is supported on Release 8.0 and later.
• You can configure the sleeping clients only on a per-WLAN basis.
• The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.
• The authentication of sleeping clients feature is supported only on WLANs that have Layer 3 security enabled.
• With Layer 3 security, the Authentication, Passthrough, and On MAC Filter failure web policies are supported. The Conditional Web Redirect and Splash Page Web Redirect web policies are not supported.
• The central web authentication of sleeping clients is not supported.
• The authentication of sleeping clients feature is not supported on guest LANs and remote LANs.
• A guest access sleeping client that has a local user policy is not supported. In this case, the WLAN-specific timer is applied.
• In a High Availability scenario, the client entry is synchronized between active and standby, but the sleeping timer is not synchronized. If the active controller fails, the client has to get reauthenticated when it associates with the standby controller.
• The number of sleeping clients that are supported depends on the controller platform:
  • Cisco 5520 Wireless Controller—25000
  • Cisco 8540 Wireless Controller—64000
  • Cisco Virtual Wireless LAN Controller—500
• New mobility is not supported.

Configuring Authentication for Sleeping Clients (GUI)

Procedure

Step 1 Choose WLANs.
Step 2 Click the corresponding WLAN ID. The WLANs > Edit page is displayed.
Step 3 Click the Security tab and then click the Layer 3 tab.
Step 4 Select the Sleeping Client check box to enable authentication for sleeping clients.
Step 5 Enter the Sleeping Client Timeout, which is the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary. The default timeout is 12 hours.
Step 6 Click Apply.
Step 7 Click Save Configuration.

Configuring Authentication for Sleeping Clients (CLI)

Procedure
• Enable or disable authentication for sleeping clients on a WLAN by entering this command:
config wlan custom-web sleep-client {enable | disable} wlan-id
• Configure the sleeping client timeout on a WLAN by entering this command:
config wlan custom-web sleep-client timeout wlan-id duration
• View the sleeping client configuration on a WLAN by entering this command:
show wlan wlan-id
• Delete any unwanted sleeping client entries by entering this command:
config custom-web sleep-client delete client-mac-addr
• View a summary of all the sleeping client entries by entering this command:
show custom-web sleep-client summary
• View the details of a sleeping client entry based on the MAC address of the client by entering this command:
show custom-web sleep-client detail client-mac-addr

Authenticating Sleeping Clients on L2+L3 Enabled WLANs

The existing sleeping client feature does not authenticate sleeping clients that wake up when the L2 and L3 credentials are different. With this feature enhancement, the sleeping client functionality works even if the L2 and L3 credentials are different. This feature also supports a configuration that allows sleeping clients to be authenticated automatically when they wake up, without the user having to attempt web access. Although the security parameters have not changed, the feature functions only with a dot1x + webauth authentication setup.

Configuring Sleeping Client Authentication on L2+L3 Enabled WLANs (GUI)

Procedure

Step 1 Choose WLANs > WLANs to open the WLANs page.
Step 2 Click the WLAN ID number of the WLAN on which you want to configure the feature.
Step 3 Choose the Security > Layer 3 tab from the WLANs > Edit page.
Step 4 Check the Sleeping Client check box to enable authentication for sleeping clients.
Step 5 Enter the value for Sleeping Client Timeout. This is the duration for which the sleeping clients are to be remembered before reauthentication is required. The default timeout is 12 hours.
Step 6 Check the Sleeping Client Auto Authenticate check box to enable auto authentication of the sleeping clients when they wake up.
Step 7 Save the configuration.

Configuring Sleeping Client Authentication on L2+L3 Enabled WLANs (CLI)

Procedure
• Enable or disable the auto authentication of the sleeping client on wake-up without the need for web access by entering this command:
config wlan custom-web sleep-client authenticate-without-trigger {enable | disable} wlan-id
The default value is Enabled.
• View the status of the sleeping client authentication by entering this command:
show wlan wlan-id

