WLAN Timeouts. Timeouts. Configuring a Timeout for Disabled Clients. Configuring Session Timeout


- Timeouts
- Authentication for Sleeping Clients

Timeouts

Configuring a Timeout for Disabled Clients

Information About Configuring a Timeout for Disabled Clients

You can configure a timeout for disabled clients. Clients who fail to authenticate three times when attempting to associate are automatically disabled from further association attempts. After the timeout period expires, the client is allowed to retry authentication until it associates or fails authentication and is excluded again. Use these commands to configure a timeout for disabled clients.

Configuring Timeout for Disabled Clients (CLI)

Configure the timeout for disabled clients by entering the config wlan exclusionlist wlan_id timeout command. The valid timeout range is 1 to 2147483647 seconds. A value of 0 permanently disables the client.

Verify the current timeout by entering the show wlan command.

Configuring Session Timeout

Information About Session Timeouts

You can configure a WLAN with a session timeout. The session timeout is the maximum time for a client session to remain active before requiring reauthorization.

Configuring a Session Timeout (GUI)

Configurable session timeout range is:
- 300-86400 for 802.1x.
- 0-65535 for all other security types.

Note: If you configure the session timeout as 0, the session timeout is disabled for open systems, and is 86400 seconds for all other system types.

Note: When an 802.1x WLAN session timeout value is modified, the PMK cache of the associated clients does not change to reflect the new session timeout value.

Step 1  Choose WLANs to open the WLANs page.
Step 2  Click the ID number of the WLAN for which you want to assign a session timeout.
Step 3  When the WLANs > Edit page appears, choose the Advanced tab. The WLANs > Edit (Advanced) page appears.
Step 4  Select the Enable Session Timeout check box to configure a session timeout for this WLAN. Not selecting the checkbox is equal to setting it to 0, which is the maximum value for a session timeout for each session type.
Step 5  Click Apply to commit your changes.
Step 6  Click Save Configuration to save your changes.

Configuring a Session Timeout (CLI)

Step 1  Configure a session timeout for wireless clients on a WLAN by entering this command:

    config wlan session-timeout wlan_id timeout

        The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management, and 0 seconds for all other Layer 2 security types (Open WLAN/CKIP/Static WEP). A value of 0 is equivalent to no timeout.

        For 802.1X client security type, which creates the PMK cache, the maximum session timeout that can be set is 86400 seconds when the session timeout is disabled. For other client security such as open, WebAuth, and PSK for which the PMK cache is not created, the session timeout value is shown as infinite when session timeout is disabled.

Step 2  Save your changes by entering this command:

    save config

Step 3  See the current session timeout value for a WLAN by entering this command:

    show wlan wlan_id

Information similar to the following appears:

    WLAN Identifier... 9
    Profile Name... test12
    Network Name (SSID)... test12
    ...
    Number of Active Clients... 0
    Exclusionlist Timeout... 60 seconds
    Session Timeout... 1800 seconds
    ...

Configuring the User Idle Timeout

Information About the User Idle Timeout Per WLAN

This is an enhancement to the present implementation of the user idle timeout feature, which is applicable to all WLAN profiles on the controller. With this enhancement, you can configure a user idle timeout for an individual WLAN profile. This user idle timeout is applicable to all the clients that belong to this WLAN profile.

You can also configure a threshold triggered timeout where if a client has not sent a threshold quota of data within the specified user idle timeout, the client is considered to be inactive and is deauthenticated. If the data sent by the client is more than the threshold quota specified within the user idle timeout, the client is considered to be active and the controller refreshes for another timeout period. If the threshold quota is exhausted within the timeout period, the timeout period is refreshed.

Suppose the user idle timeout is specified as 120 seconds and the user idle threshold is specified as 10 megabytes. After a period of 120 seconds, if the client has not sent 10 megabytes of data, the client is considered to be inactive and is deauthenticated. If the client has exhausted 10 megabytes within 120 seconds, the timeout period is refreshed.

Configuring Per-WLAN User Idle Timeout (CLI)

Configure user idle timeout for a WLAN by entering this command:

    config wlan usertimeout timeout-in-seconds wlan-id

Configure user idle threshold for a WLAN by entering this command:

    config wlan user-idle-threshold value-in-bytes wlan-id
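An added example, not part of the Cisco guide: a Python check that parses show wlan output shaped like the excerpt above and compares the Exclusionlist Timeout and Session Timeout values with the ranges stated in the earlier sections. The sample text is constructed, and the dot1x flag and the "Infinity" display string are assumptions, since the excerpt shows neither the security type nor a disabled timeout.

```python
import re

# Constructed sample shaped like the `show wlan` excerpt on this page
# (dot leaders padded; not captured from a real controller).
SAMPLE = """\
WLAN Identifier.................................. 9
Profile Name..................................... test12
Network Name (SSID).............................. test12
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
"""

FIELD = re.compile(r"^\s*(.+?)\.{2,}\s*(.*?)\s*$")

def parse_show_wlan(text):
    """Return {field name: value} for each 'Name..... value' line."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, text.splitlines()) if m}

def seconds(value):
    """Leading integer of 'N seconds', or None if there is none."""
    m = re.match(r"\d+", value or "")
    return int(m.group()) if m else None

def audit_timeouts(text, dot1x):
    """Compare timeouts with the ranges this page documents.
    dot1x is supplied by the caller (assumption): the excerpt omits security type."""
    f = parse_show_wlan(text)
    out = []
    excl = seconds(f.get("Exclusionlist Timeout"))
    if excl is None:
        out.append("exclusion timeout not reported")
    elif excl == 0:
        out.append("exclusion timeout 0: failed clients stay disabled permanently")
    raw = f.get("Session Timeout", "")
    # Assumption: a disabled timeout may be displayed as "Infinity" instead of 0.
    sess = 0 if raw.lower().startswith("infin") else seconds(raw)
    lo, hi = (300, 86400) if dot1x else (0, 65535)
    if sess is None:
        out.append("session timeout not reported")
    elif sess == 0:
        out.append("session timeout disabled: 802.1X sessions run to the 86400 s maximum"
                   if dot1x else
                   "session timeout disabled: clients are never forced to reauthorize")
    elif not lo <= sess <= hi:
        out.append(f"session timeout {sess}s outside documented {lo}-{hi}")
    return out
```

An empty list means both values fall inside the documented ranges for the given security type.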

Authentication for Sleeping Clients

Information About Authenticating Sleeping Clients

Clients with guest access that have had successful web authentication are allowed to sleep and wake up without having to go through another authentication process through the login page. You can configure the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary. The valid range is 10 minutes to 43200 minutes, with the default being 720 minutes. You can configure the duration on a WLAN and on a user group policy that is mapped to the WLAN. The sleeping timer becomes effective after the idle timeout. If the client timeout is less than the time configured on the sleeping timer of the WLAN, then the lifetime of the client is used as the sleeping time.

Note: The sleeping timer expires every 6 minutes.

This feature is supported in the following FlexConnect scenario: local switching and central authentication.

Caution: If the MAC address of a client that goes to sleep mode is spoofed, the fake device such as a laptop can be authenticated.

Following are some guidelines in a mobility scenario:
- L2 roaming in the same subnet is supported.
- Anchor sleeping timer is applicable.
- The sleeping client information is shared between multiple autoanchors when a sleeping client moves from one anchor to another.

From release 8.0 and later, in a High Availability scenario, the sleeping timer is synchronized between active and standby.

Supported Mobility Scenarios

A sleeping client does not require reauthentication in the following scenarios:
- Suppose there are two controllers in a mobility group. A client that is associated with one controller goes to sleep and then wakes up and gets associated with the other controller.
- Suppose there are three controllers in a mobility group. A client that is associated with the second controller that is anchored to the first controller goes to sleep, wakes up, and gets associated with the third controller.
- A client sleeps, wakes up and gets associated with the same or different export foreign controller that is anchored to the export anchor.

Restrictions for Authenticating Sleeping Clients

- The sleep client feature works only for WLAN configured with WebAuth security. Web passthrough is supported on Release 8.0 and later.
- You can configure the sleeping clients only on a per-WLAN basis.
- The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.
- The authentication of sleeping clients feature is supported only on WLANs that have Layer 3 security enabled.
- With Layer 3 security, the Authentication, Passthrough, and On MAC Filter failure web policies are supported. The Conditional Web Redirect and Splash Page Web Redirect web policies are not supported.
- The central web authentication of sleeping clients is not supported.
- The authentication of sleeping clients feature is not supported on guest LANs and remote LANs.
- A guest access sleeping client that has a local user policy is not supported. In this case, the WLAN-specific timer is applied.
- In a High Availability scenario, the client entry is synchronized between active and standby, but the sleeping timer is not synchronized. If the active controller fails, the client has to get reauthenticated when it associates with the standby controller.
- The number of sleeping clients that are supported depends on the controller platform:
    Cisco 2504 Wireless Controller: 500
    Cisco 5508 Wireless Controller: 1000
    Cisco 5520 Wireless Controller: 25000
    Cisco Flex 7510 Wireless Controller: 25000 with Release 7.6 and later; 9000 in earlier releases
    Cisco 8510 Wireless Controller: 25000 with Release 7.6 and later; 9000 in earlier releases
    Cisco 8540 Wireless Controller: 64000
    Cisco WiSM2: 1000
    Cisco Virtual Wireless LAN Controller: 500
    Cisco Wireless Controller on Cisco Services-Ready Engine (SRE): 500
- New mobility is not supported.

Configuring Authentication for Sleeping Clients (GUI)

Step 1  Choose WLANs.
Step 2  Click the corresponding WLAN ID.

        The WLANs > Edit page is displayed.
Step 3  Click the Security tab and then click the Layer 3 tab.
Step 4  Select the Sleeping Client check box to enable authentication for sleeping clients.
Step 5  Enter the Sleeping Client Timeout, which is the duration for which the sleeping clients are to be remembered before reauthentication becomes necessary. The default timeout is 12 hours.
Step 6  Click Apply.
Step 7  Click Save Configuration.

Configuring Authentication for Sleeping Clients (CLI)

Enable or disable authentication for sleeping clients on a WLAN by entering this command:

    config wlan custom-web sleep-client {enable | disable} wlan-id

Configure the sleeping client timeout on a WLAN by entering this command:

    config wlan custom-web sleep-client timeout wlan-id duration

View the sleeping client configuration on a WLAN by entering this command:

    show wlan wlan-id

Delete any unwanted sleeping client entries by entering this command:

    config custom-web sleep-client delete client-mac-addr

View a summary of all the sleeping client entries by entering this command:

    show custom-web sleep-client summary

View the details of a sleeping client entry based on the MAC address of the client by entering this command:

    show custom-web sleep-client detail client-mac-addr