How to tweak Web-Auth Policy timeout on WLC?

Hello,
Is it possible to change Web-Auth Policy timeout? Currently I am talking about 5508, but it could be WiSM also.
Thank you.

You need to be clear on which thing, though: the webauth policy timeout has nothing to do with authenticated users.
This is the time we will wait on a client to perform a web authentication and move to a RUN state.
If a user is hitting webauth timeout, they are going to be removed because they aren't a working client anyhow.
The only exception to this is a pre-auth ACL, I suppose, where you want users to webauthenticate if they go outside of a specific webpage, but have unlimited access to that one page.
Either way, I agree the timer needs to be modifiable, but you need to make sure you're fighting for the right timer.
If your clients are going to sleep and they disassociate, of course they will have to reauth; the disassociate removed them from the enterprise network entirely.
If they are sleeping, though, and timing out because of a normal idle timeout (not web policy timeout), that is modified on the Controller tab of the GUI under "User Idle Timeout".

Similar Messages

  • How to install Web Auth. Bundle on WLC 2504

    Hi, 
    I need to install a Web Auth bundle and when I download the file from Cisco's webpage, it's a .zip, but the WLC asks for a .tar file, so I converted it to a .tar and tried again, but then it said the file was too big.
    Can someone please instruct me on how to do it?
    Thanks in advance,
    Javier

    Hi,
    the .tar file size (no more than 1Mb)
    the filename length of the files (should be no more than 30 characters)
    Plus other guidelines while downloading at the below location
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049431
    Regards
    Dhiresh
    **Please rate helpful posts**

  • What is the default web-auth required timeout period?

    Hi,
    According to the Cisco config example (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml),
    it says:
    If clients are in Webauth_Reqd state, no matter if they are active or idle, the clients will get de-authenticated after a web-auth required timeout period (for example, 300 seconds and this time is non-user configurable). All traffic from the client (allowed via Pre-Auth ACL) will be disrupted. If the client associates again, it will move back to the Webauth_Reqd state.
    What is the default web-auth required timeout period stated in the example?
    Many thanks.

    Hi,
    Yes, it is 300 seconds and non-configurable, to prevent DoS by depleting IP addresses on the guest WLAN/VLAN. There is an enhancement request filed, esp. for your situation with Pre-auth ACL.
    CSCtj32812    DHCP Option to mitigate the problem of guest client rejoining network
    Thanks.
    Salil

  • How to implement web service client timeout

    I'm trying to implement a web service client using JAX-RPC specification and the client is generated by clientgen utility. We are using weblogic8.1(sp5).
    How do I control the connection timeout and data transmission timeout? I have tried:
    BindingInfo.setTimeout() method and stub._setProperty("weblogic.webservice.rpc.timeoutsecs", "1" /* secs */);
    and they don't seem to be working...
    I have searched the web service documentation and didn't find any mention of this. Can someone shed some light on this?
    Thanks.
    Ren

    Hi,
    I had a problem too with setting the timeout of a web service client, but I didn't find anything on this.
    But there is a workaround for this; see if it suits you. For this you have to use the Apache AXIS web service API to generate the client. In that API you have the Stub.timeOut() function to overcome this problem.
    Cheers !!
    Vivek:-)

  • How to add Web Service Policy?

    Hi ;
    My project is calling a web service. This web service is secured with a username and password and I don't call it correctly. I need to pass this identity information to the web service. How do I add this policy information?

    Re: Custom Header - Service Properties - WSDL
    Edited by: melothony on 13 Feb 2012 12:02 (link edited)

  • Simple Web Auth policy and simple posture assessment policy in ISE

    G'day All,
    I've just finished reading through the Cisco BYOD with ISE document and it's left me a little more confused than when I started.
    I completely understand the onboarding process and the different policy elements that make up the self registration/onboarding configuration.
    What I'd like to do is put together an ISE configuration that is a lot simpler for the BYOD user.
    Is anyone able to advise if it is possible to have a single dot1x SSID with ISE that has a policy for Windows laptops using AD authentication for the user and Posture assessment and a policy for all smart devices (iOS and Android) that is just AD authentication of the user, without the need for device registration?
    The target user demographic for my deployment are really not technical so having to go through the onboarding process, especially for the Android devices, with the pre-installation of the cisco app, etc, really isn't what they are looking for.
    Huge thanks for any assistance.
    Cheers,
    JS

    Yes, that's possible. But without "device registration" then you need to configure Wireless 802.1x manually in every Android device.
    Please rate if that helps.

  • Web Auth Re-Authentication Problem

    2500 series controller.  1140  APs.
    I have set my idle and session timeout to both be 57600 (16 hours), yet we have users getting re-prompted for web auth every few hours.
    Please advise.
    (Cisco Controller) >
    (Cisco Controller) >*pemReceiveTask: May 02 18:28:02.826: 60:fa:cd:a8:9c:8e Sent an XID frame
    *apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Web-Auth Policy timeout
    *apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *osapiBsnTimer: May 02 18:33:11.538: 60:fa:cd:a8:9c:8e apfMsExpireCallback (apf_ms.c:589) Expiring Mobile!
    *apfReceiveTask: May 02 18:33:11.538: 60:fa:cd:a8:9c:8e apfMsExpireMobileStation (apf_ms.c:5584) Changing state for mobile 60:fa:cd:a8:9c:8e on AP 3c:ce:73:49:7f:30 from Associated to Disassociated
    *apfReceiveTask: May 02 18:33:11.538: 60:fa:cd:a8:9c:8e Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *osapiBsnTimer: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMsExpireCallback (apf_ms.c:589) Expiring Mobile!
    *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e Sent Deauthenticate to mobile on BSSID 3c:ce:73:49:7f:30 slot 0(caller apf_ms.c:5678)
    *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMsAssoStateDec
    *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMsExpireMobileStation (apf_ms.c:5716) Changing state for mobile 60:fa:cd:a8:9c:8e on AP 3c:ce:73:49:7f:30 from Disassociated to Idle
    *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Deleted mobile LWAPP rule on AP [3c:ce:73:49:7f:30]
    *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e apfMs1xStateDec
    *apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e Deleting mobile on AP 3c:ce:73:49:7f:30(0)
    *pemReceiveTask: May 02 18:33:21.540: 60:fa:cd:a8:9c:8e 172.16.60.15 Removed NPU entry.

    It's happening with multiple types of devices.  Apple laptops, iPhones, Windows Mobile Phones, etc.  A user will connect to the wireless and accept the agreement on the web auth page.  A few hours later, she will try to surf the web again and be re-prompted with the page to authenticate.  We do not want this.  We only want this page to come up every 16 hours.
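
The debug output in the post above can be triaged mechanically. The following is an added example, not part of the original thread or any Cisco tooling: it parses the `debug client` lines quoted in the post, finds each "Web-Auth Policy timeout" event, and reports the policy-manager state the client was in when it fired. The function names are hypothetical, and `waited_s` is measured from the first line seen for that MAC in the capture, which is only an approximation of when the client joined.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the post above (prompt prefix kept).
SAMPLE = """\
(Cisco Controller) >*pemReceiveTask: May 02 18:28:02.826: 60:fa:cd:a8:9c:8e Sent an XID frame
*apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Web-Auth Policy timeout
*apfReceiveTask: May 02 18:33:01.538: 60:fa:cd:a8:9c:8e 172.16.60.15 WEBAUTH_REQD (8) Pem timed out, Try to delete client in 10 secs.
*osapiBsnTimer: May 02 18:33:11.538: 60:fa:cd:a8:9c:8e apfMsExpireCallback (apf_ms.c:589) Expiring Mobile!
*apfReceiveTask: May 02 18:33:21.538: 60:fa:cd:a8:9c:8e Sent Deauthenticate to mobile on BSSID 3c:ce:73:49:7f:30 slot 0(caller apf_ms.c:5678)
"""

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>"
LINE = re.compile(
    r"\*(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
# Policy-manager lines carry "<client IP> <PEM state> (<n>) <text>".
PEM = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<state>[A-Z0-9_]+) \(\d+\) (?P<text>.*)$")


def parse(text):
    """Yield one dict per recognisable debug line; other lines are skipped."""
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        # The log has no year; a fixed year is assumed only to compute deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S.%f")
        pem = PEM.match(m["msg"])
        yield {"ts": ts, "mac": m["mac"],
               "ip": pem["ip"] if pem else None,
               "state": pem["state"] if pem else None,
               "text": pem["text"] if pem else m["msg"]}


def webauth_policy_timeouts(text):
    """Return one finding per Web-Auth Policy timeout, keyed to the client."""
    first_seen, pending, findings = {}, {}, []
    for ev in parse(text):
        mac = ev["mac"]
        first_seen.setdefault(mac, ev["ts"])
        if ev["text"].startswith("Web-Auth Policy timeout"):
            finding = {"mac": mac, "ip": ev["ip"], "state": ev["state"],
                       "waited_s": (ev["ts"] - first_seen[mac]).total_seconds(),
                       "deauth_after_s": None}
            findings.append(finding)
            pending[mac] = (finding, ev["ts"])
        elif ev["text"].startswith("Sent Deauthenticate") and mac in pending:
            finding, t0 = pending.pop(mac)
            finding["deauth_after_s"] = (ev["ts"] - t0).total_seconds()
    return findings


if __name__ == "__main__":
    for f in webauth_policy_timeouts(SAMPLE):
        print(f)
```

A finding whose `state` is `WEBAUTH_REQD` means the client was removed while still waiting to complete web authentication, which is a different timer from the idle and session timeouts configured on the WLAN.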

  • Web Auth Redirection

    I have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier.
    The problem I have, amongst many, is I can create a guest user directly on the ISE and the guest can log in, the ISE monitor shows the guest authenticates, but the client's webpage passes them back to the login page, not on to the original client URL. The web auth is pointed at the ISE/guestportal/portal.jsp page.
    If I point the web auth at the internal WLC page using a WLC local user account it works.
    If I set the guest access to pass through it works without issues getting dhcp and dns.
    On the ISE is there a policy needed to say if guests are web authenticated give them access?
    The need is for AD authenticated users to be able to create guest users. The AD authentication works for sponsorship and guest creation; it's just the guest access redirection I am having issues with. Does anyone have any ideas where I might be going wrong?
    Thanks for any ideas Mick

    Does this work if you point to the WLC internal page and use AAA credentials?

  • Guest WLAN Web Auth problem

    Was just wondering whether anyone else had seen this problem as it is defeating TAC right now…
    We have a number of 4402 WLCs on various sites and another one in a DMZ acting as an anchor controller for the guest network. We’re using just the basic web auth built into the WLC for access out on to the Internet for visiting third parties. All the EOIP stuff is setup and working and all clients can associate and get an IP address.
    All clients get redirected to the authentication page and all clients appear to authenticate successfully. With the exception of a few clients, at this stage most get stuck and cannot browse the web; the pages just time out. All other Internet traffic (SSH, TELNET, SMTP, ICMP) works fine once authenticated , just not HTTP/HTTPS.
    We have upgraded the WLCs to the latest code on the advice of TAC (6.0.196) but this made no difference. The problem seems to happen on all OSs (Mac, XP, Vista, Windows 7, Ubuntu, iPhone) and all browsers (IE6, IE7, IE8, Safari, Firefox, Chrome). We have tried upgrading drivers and changing browser settings, but nothing seems to help. We have working XP laptops and non-working XP laptops; it just doesn’t make any sense.
    The attached packet capture shows a non-working laptop and the only thing I noticed was very large window sizes (512k) which seems a bit odd.
    Any ideas?
    Thanks

    hi there
    Apparently I have a fix for the issue. It has just been tested for over 8 hours and my computer running wireless on Windows 7 never disconnected anymore (and I don't have the quick 1 second hangs anymore either)....HOW????? It was the wireless driver!!
    My computer has an Atheros 928x wireless card and I was running version 8.0.0... (can't remember the exact version), which as far as I know was the version bundled with the original installation, although I don't remember if I had an update from somewhere else... Anyway, I did this:
    1. Went to Device Manager, clicked on the wireless card, clicked delete, then confirmed with the box about deletion of the software connected with the device.... then clicked on "scan for hardware changes" - in theory I wanted to update the driver with another .exe I downloaded, but I thought let's give it a go... and long story short, Win 7 found in "his" files another suitable driver, probably the "generic" one, but nevertheless it works like a charm. Driver version is 2.0.0.74, driver date 09/06/2009, driver provider: Microsoft, digital signer: Microsoft Windows, driver name: Atheros AR928X Wireless Network Adapter.
    if you need more info about the driver let me know!
    gabrio

  • 5508 loading cert for web auth

    I have web auth enabled on the WLC, so when clients connect they get a cert error because it is using the self-signed cert.  I was reading up on getting a third-party cert and it explains about getting openssl and then generating the cert and sending it to a third-party CA etc.
    Any links you can share would be very helpful explaining best practices and method to load a third party cert on the WLC 5508 for web authentication.
    Why can't I just get a cert from them for our domain and simply load it on the WLC?

    Hi Mohammed,
    Here are the two links which are like bible to generate certs..
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Depends on whether you are using chained or unchained certs. Following the above links will help you in getting the issue resolved!!
    Lemme know if this answered your question!!
    Regards
    Surendra

  • Customized Web-Auth Bundle

    Hi
    I am trying to upload a customized web-auth bundle to a WLC 5508 and having some issues.
    I have downloaded the web-auth bundle from Cisco and used this as a template to create the web pages.
    I seem to recall that there is only a couple of Windows tools that you can use to TAR the file such as TUGZIP and IZARC. Anyway I have tried both and I still cannot get the file to extract. I have tried to strip the file out so that I only send up the login.html page and even this does not work.
    I am using a software release 7.0.220.0
    The error message I receive when I do a TFTP is
    Error extracting webauth files.
    Any help would be appreciated
    Thanks
    Greg

    Hi Greg:
    I hope you find the answer here:
    You can compress the page and image files used for displaying a web authentication login page into a .tar file for download to a controller. These files are known as the webauth bundle. The maximum allowed size of the files in their uncompressed state is 1 MB. When the .tar file is downloaded from a local TFTP server, it enters the controller's file system as an untarred file.
    Note: If you load a webauth bundle with a .tar compression application that is not GNU compliant, the controller cannot extract the files in the bundle and the following error messages appear: "Extracting error" and "TFTP transfer failed." Therefore, we recommend that you use an application that complies with GNU standards, such as PicoZip, to compress the .tar file for the webauth bundle.
    Reference: http://tiny.cc/rbqbfw
    So double check the size and tarring utility.
    Try to use WinRar or 7Zip if the tarring format is the issue.
    HTH
    Amjad
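
The two bundle threads above name three constraints: a GNU-format .tar, at most 1 MB of uncompressed files, and file names of at most 30 characters. The following is an added example, not code from the thread or from Cisco: it checks those limits, writes a GNU-format archive with Python's `tarfile`, and re-checks an archive produced by another tool. The function names are hypothetical, the sample pages are constructed, and reading "1 MB" as 1024 * 1024 bytes is an assumption.

```python
import io
import tarfile

MAX_UNCOMPRESSED = 1024 * 1024  # "1 MB" per the thread; binary megabyte is an assumption
MAX_NAME_LEN = 30               # filename limit quoted in the thread


def check_entries(entries):
    """entries: iterable of (name, size). Returns a list of problems, empty if OK."""
    entries = list(entries)
    problems = []
    total = sum(size for _, size in entries)
    if total > MAX_UNCOMPRESSED:
        problems.append(f"uncompressed size {total} > {MAX_UNCOMPRESSED} bytes")
    for name, _ in entries:
        if len(name) > MAX_NAME_LEN:
            problems.append(f"name longer than {MAX_NAME_LEN} chars: {name}")
    return problems


def build_bundle(files):
    """files: {name: bytes}. Returns the bytes of an uncompressed GNU-format tar."""
    problems = check_entries((n, len(d)) for n, d in files.items())
    if problems:
        raise ValueError("; ".join(problems))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_bundle(tar_bytes):
    """Re-check an existing archive before uploading it to the controller."""
    try:
        # "r:" refuses compressed input, so a renamed .zip or a .tar.gz fails here.
        with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
            entries = [(m.name, m.size) for m in tar.getmembers() if m.isfile()]
    except tarfile.ReadError:
        return ["not an uncompressed tar archive"]
    return check_entries(entries)


if __name__ == "__main__":
    # Constructed sample content standing in for the customised pages.
    pages = {"login.html": b"<html><body>login</body></html>", "logo.png": bytes(2048)}
    bundle = build_bundle(pages)
    print(len(bundle), inspect_bundle(bundle))
```

`inspect_bundle` reports a .zip that was only renamed to .tar as "not an uncompressed tar archive", which is the first thing to rule out when the controller refuses to extract the upload.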

  • WLC Web Auth Redirect URL point to an ISE Policy NODE only?

    Hi all,
    I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

    Thanks Peter for your clarification regarding the semantic I used and the question I made.
    Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

  • VLAN Override and Web Auth: How to overcome issues?

    Hello
    I have been investigating if we can deploy vlan override and assign a user vlan via RADIUS, post authentication on a WRD SSID. Having read around the discussions, I can see that there are others who have wanted similar, but have been told that it is not possible:
    "Marucho, the particularity of how Web authentication works on the WLC  is that it is carried over HTTP between Client and WLC. So the Wireless  Client has to already have an IP address prior to starting the web  authentication. Since the Wireless Client already has an IP address then  you cannot override it anymore.
    Unlike  dot1x, which takes place over EAPOL and then when you have eap success,  client moves to get an ip address from the sent by Radius VLAN."
    However, we still have a problem that we would like to overcome and wonder if anyone has any experience or suggestions they could share?
    We are a University with a large number of devices grabbing an IP address whilst only remaining associated and not actually going on to authenticate through the WRD. This creates a situation where we have a large number of IP addresses deployed unnecessarily and we would like to tackle this.
    We are unable to use private IP for authenticated users (Policy decision) but could use them for associated users and so were hoping we might be able to deploy a private subnet on the WRD SSID prior to authentication and then use VLAN override to assign authenticated users onto the correct VLAN. In order to try and achieve this we were planning on using a very short DHCP lease on the private subnet, so that post-authentication the client device requests a public IP address almost instantly.
    Is there any way of achieving this that someone could suggest or would we be knocking our heads against a brick wall?
    thanks
    Bryn

    Just giving 2 ideas :
    -How about using a WPA PSK on your webauth SSID? Just give the PSK in the SSID name. This prevents non-intended connections (no automatic association because it's an open SSID) and still allows anyone with an intention to connect to it, and you still have the webauth behind. This reduces the number of IP addresses.
    -How about modifying the webauth successful authentication page to give the credentials to access a private network (PSK or dot1x) where credentials would regularly change?
    Those are workarounds.
    Nicolas

  • How to generate CSR on switches for web auth with NGS

    Hello
    I am doing a dot1x solution with web auth on cisco 3750 switches.
    Once the wired client gets put into web auth state (after dot1x and mab) and goes to a website, he gets a certificate warning. This is because the certificate of the Cisco switch is self-signed.
    I want to use a verisign certificate to solve this error, but I cannot find a way to generate a CSR on a switch. I only found a guide how to request a certificate from a CA on the local network, but this is also not a solution, because the clients using the web auth, will not know the internal CA.
    Is there any way to solve this?
    Greetings
    Steven

    Hi Steven,
    The below document is actually for IOS SSLVPN, but the certificate portion should be the same:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html
    Search for "Appendix B" and it goes into creating a trustpoint and then one section is for self-signed and another is for generating a certificate request to send to an external CA.
    Once a trustpoint is created the command to actually generate the CSR is "crypto pki enroll ".
    This document goes into a little more detail on all the individual commands and what they do:
    http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html
    Also you could use something external to the switch like OpenSSL to generate the CSR/private key and then use that to request a cert from your Verisign CA and then import the cert/keypair into the IOS device.
    Thanks,
    Nate

  • Enable Session Timeout - Guest web-auth

    Hi All,
    Just a quick one. If this timer expires when using web-auth on a guest wlan in the following way
    PC --Ap -- WLC (campus) -- Anchor WLC (DMZ) --- www
    Does the web session break and the user will be redirected to the web authentication page?
    Many thx indeed,
    Ken

    Hi there.
    http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html#wp1048408
    Thanks for the doc above. It has the info in there. Many many thx for your help.
    Ken
    The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires reauthentication.
