Web authentication timeout problem

We have one SSID using web-auth with ISE.
On WLC we configured idle timeout for 2400 seconds and on wlan>advanced with 65535 seconds for session timeout. But we are having continuous deauthentication in about 10 minutes.
When we check WLC, our mac-address is deleted after about each 10 minutes.
How can I solve this issue?

On this wlan we are using Web-Auth with WPA2 + PSK.
Software version 7.0.220
Another SSID does not have this problem.
debug client
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Key exchange done, data packets from mobile 00:1c:26:ac:d9:e5 should be forwarded shortly
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
   state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Updated broadcast key sent to mobile 00:1C:26:AC:D9:E5
*osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 Retransmit 2 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*osapiBsnTimer: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 57) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Associated to Disassociated
*apfReceiveTask: Sep 20 12:33:42.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
*osapiBsnTimer: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsAssoStateDec
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 apfMsExpireMobileStation (apf_ms.c:5139) Changing state for mobile 00:1c:26:ac:d9:e5 on AP 40:f4:ec:4a:b0:f0 from Disassociated to Idle
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Scheduling deletion of Mobile Station:  (callerId: 47) in 10 seconds
*osapiBsnTimer: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 10.166.66.248 RUN (20) Deleted mobile LWAPP rule on AP [40:f4:ec:4a:b0:f0]
Do you have any suggestion about log or debug?
Thanks a lot,
Murilo
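
An added example, not part of the original post and not Cisco tooling: a small parser for `debug client` output like the above that ties a deauthentication to the EAPOL-Key exchange that preceded it and measures the timing. The year, the second client's MAC and the regexes (written only against the line formats visible in this post) are assumptions.

```python
import re
from datetime import datetime

ASSUMED_YEAR = 2000  # assumption: the debug lines carry no year; any fixed year works for deltas

# Sample input: lines trimmed from the debug output in the post above, plus one
# constructed line for a second client (MAC 02:00:00:00:00:01 is made up).
SAMPLE = """\
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Sending EAPOL-Key Message to mobile 00:1c:26:ac:d9:e5
   state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
*dot1xMsgTask: Sep 20 12:33:29.788: 00:1c:26:ac:d9:e5 Updated broadcast key sent to mobile 00:1C:26:AC:D9:E5
*osapiBsnTimer: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 802.1x 'timeoutEvt' Timer expired for station 00:1c:26:ac:d9:e5 and for message = M5
*dot1xMsgTask: Sep 20 12:33:30.986: 00:1c:26:ac:d9:e5 Retransmit 1 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*dot1xMsgTask: Sep 20 12:33:31.986: 00:1c:26:ac:d9:e5 Retransmit 2 of EAPOL-Key M5 (length 139) for mobile 00:1c:26:ac:d9:e5
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Retransmit failure for EAPOL-Key M5 to mobile 00:1c:26:ac:d9:e5, retransmit count 3, mscb deauth count 0
*dot1xMsgTask: Sep 20 12:33:32.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller 1x_ptsm.c:534)
*apfReceiveTask: Sep 20 12:33:40.000: 02:00:00:00:00:01 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
*apfReceiveTask: Sep 20 12:33:52.986: 00:1c:26:ac:d9:e5 Sent Deauthenticate to mobile on BSSID 40:f4:ec:4a:b0:f0 slot 0(caller apf_ms.c:5101)
*apfReceiveTask: Sep 20 12:34:02.986: 00:1c:26:ac:d9:e5 10.166.66.248 RUN (20) Deleted mobile LWAPP rule on AP [40:f4:ec:4a:b0:f0]
"""

# "*task: Mon DD HH:MM:SS.mmm: <client MAC> <message>"
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$"
)
RETRANSMIT_FAIL = re.compile(r"Retransmit failure for EAPOL-Key (M\d+).*retransmit count (\d+)")
DEAUTH = re.compile(r"Sent Deauthenticate .*\(caller ([\w.]+:\d+)\)")


def parse(log_text):
    """Yield (timestamp, mac, message) for every line that starts with a task tag and client MAC."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # continuation lines (indented) and unrelated lines are skipped
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m["mac"].lower(), m["msg"]


def deauth_findings(log_text):
    """Return one finding per client session whose deauth follows a failed EAPOL-Key exchange."""
    clients = {}   # per-MAC tracking state for the current session
    findings = []
    for ts, mac, msg in parse(log_text):
        c = clients.setdefault(mac, {"key_sent": None, "failure": None, "finding": None})
        if "Updated broadcast key sent" in msg:
            # Controller pushed a new group key; start timing from here.
            c["key_sent"], c["failure"] = ts, None
        elif (m := RETRANSMIT_FAIL.search(msg)):
            c["failure"] = (m[1], int(m[2]))
        elif (m := DEAUTH.search(msg)) and c["failure"] and c["finding"] is None:
            key_msg, count = c["failure"]
            c["finding"] = {
                "mac": mac,
                "unanswered_message": key_msg,
                "group_key_update": c["key_sent"] is not None,
                "retransmit_count": count,
                "deauth_caller": m[1],
                "deauth_at": ts,
                "secs_key_to_deauth": (
                    round((ts - c["key_sent"]).total_seconds(), 3) if c["key_sent"] else None
                ),
                "secs_deauth_to_delete": None,
            }
            findings.append(c["finding"])
        elif "Deleted mobile LWAPP rule" in msg and c["finding"]:
            f = c["finding"]
            f["secs_deauth_to_delete"] = round((ts - f["deauth_at"]).total_seconds(), 3)
            clients.pop(mac)  # entry removed on the controller; track the next session afresh
    return findings


if __name__ == "__main__":
    for finding in deauth_findings(SAMPLE):
        print(finding)
```

Run over the lines in the post, the single finding is a group-key message (M5) left unanswered through the retransmits, with the deauthentication sent 3.198 s after the key and the client entry deleted 30 s later. The constructed second client, deauthenticated with no preceding key failure, is not reported.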

Similar Messages

  • 5508 web authentication timeout problem

    If any authenticated user uses a protocol other than (http, https) within the timeout period,
    that user is deauthenticated, why? solution?

    Are you referring to idle timeout OR session timeout?
    Once a web auth client is authenticated, he has full access and can run any protocol unless
    - restricted by an ACL on controller OR switch with gateway OR firewall.
    c) On WLC CLI, run
    config paging disable
    show run-config
    show traplog
    show msglog
    b) From switch that has L3 SVI for the guest subnet, send
    show run interface vlan x

  • Wireless Web authentication timeout

    Hello, our wireless web authentication is usually timing out after half an hour of inactivity. How can I increase it so people do not need to reauthenticate after 30 min of inactivity?
    Thanks in advance.

    It's in the WLAN definition on the Advanced tab.

  • ISE 1.2 web authentication problem with wired clients

    Hello,
    I am having problems with centralized web authentication using a Catalyst 3650X with IOS 15.0.2 SE01 and ISE 1.2.
    Redirecting the client works fine, but as soon as the client opens a web browser and ISE websites open to authenticate the client, the switch port resets, the authentication process restarts and the session ID changes. After the client enters the credentials a session expired message appears on the client and I get an 86017 Session Missing message in ISE.
    Here is the output from the debug aaa coa log.
    Any ideas?
    Thanks in advance,
    Alex
    ! CLIENT CONNECT TO SWITCHPORT
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                User-Name:  00-1F-29-7B-BD-82
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  N/A
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://nos-ch-wbn-ise1.nosergroup.lan:8443/guestportal/gateway?sessionId=AC1484640000026B28C02CDC&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026B28C02CDC
          Acct Session ID:  0x0000029C
                   Handle:  0x8C00026C
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    ! CLIENT OPENS INTERNETEXPLORER -> REDIRECTS TO ISE 
    ! SWITCHPORT GOES IN ADMINISTRATIVE DOWN STARTS AUTHENTICATION AGAIN
    ISE-TEST-SWITCH#
    191526: .Jun 24 10:42:24.340 UTC: COA: 10.0.128.38 request queued
    191527: .Jun 24 10:42:24.340 UTC: RADIUS:  authenticator 7F A9 85 AB F6 4A D0 F3 - B4 E6 F2 56 74 C6 2D 33
    191528: .Jun 24 10:42:24.340 UTC: RADIUS:  NAS-IP-Address      [4]   6   172.20.132.100
    191529: .Jun 24 10:42:24.340 UTC: RADIUS:  Calling-Station-Id  [31]  19  "00:1F:29:7B:BD:82"
    191530: .Jun 24 10:42:24.340 UTC: RADIUS:  Acct-Terminate-Cause[49]  6   admin-reset               [6]
    191531: .Jun 24 10:42:24.340 UTC: RADIUS:  Event-Timestamp     [55]  6   1403606529
    191532: .Jun 24 10:42:24.340 UTC: RADIUS:  Message-Authenticato[80]  18
    191533: .Jun 24 10:42:24.340 UTC: RADIUS:   E0 3C B2 8C 89 47 67 A8 69 F5 3D 08 61 FF 53 6E          [ <Ggi=aSn]
    191534: .Jun 24 10:42:24.340 UTC: RADIUS:  Vendor, Cisco       [26]  43
    191535: .Jun 24 10:42:24.340 UTC: RADIUS:   Cisco AVpair       [1]   37  "subscriber:command=bounce-host-port"
    191536: .Jun 24 10:42:24.340 UTC: COA: Message Authenticator decode passed
    191537: .Jun 24 10:42:24.340 UTC:  ++++++ CoA Attribute List ++++++
    191538: .Jun 24 10:42:24.340 UTC: 06D96C58 0 00000001 nas-ip-address(600) 4 172.20.132.100
    191539: .Jun 24 10:42:24.349 UTC: 06D9AC18 0 00000081 formatted-clid(37) 17 00:1F:29:7B:BD:82
    191540: .Jun 24 10:42:24.349 UTC: 06D9AC4C 0 00000001 disc-cause(434) 4 admin-reset
    191541: .Jun 24 10:42:24.349 UTC: 06D9AC80 0 00000001 Event-Timestamp(445) 4 1403606529(53A95601)
    191542: .Jun 24 10:42:24.349 UTC: 06D9ACB4 0 00000081 ssg-command-code(490) 1 33
    191543: .Jun 24 10:42:24.349 UTC:
    191544: .Jun 24 2014 10:42:24.365 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-RELEASE
    191545: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-IPEVENT: IP 10.2.12.45| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT IP-WAIT
    191546: .Jun 24 2014 10:42:24.382 UTC: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 001f.297b.bd82| AuditSessionID AC1484640000026B28C02CDC| AUTHTYPE DOT1X| EVENT REMOVE
    191547: .Jun 24 2014 10:42:24.390 UTC: %EPM-6-AUTH_ACL: POLICY Auth-Default-ACL-OPEN| EVENT DETACH-SUCCESS
    191548: .Jun 24 2014 10:42:26.353 UTC: %LINK-5-CHANGED: Interface GigabitEthernet0/3, changed state to administratively down
    191549: .Jun 24 2014 10:42:27.359 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
    ISE-TEST-SWITCH#
    191550: .Jun 24 2014 10:42:36.366 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
    191551: .Jun 24 10:42:40.592 UTC: AAA/BIND(000002A7): Bind i/f
    191552: .Jun 24 2014 10:42:41.129 UTC: %AUTHMGR-5-START: Starting 'dot1x' for client (001f.297b.bd82) on Interface Gi0/3 AuditSessionID AC1484640000026C28C2FA05
    191553: .Jun 24 2014 10:42:42.580 UTC: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
    191554: .Jun 24 2014 10:42:43.586 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
    ! SESSION ID CHANGES, USER ENTERS CREDENTIALS 
    ! ERROR MESSAGE AT CLIENT "YOUR SESSION HAS EXPIRED"
    ! ERROR MESSAGE IN ISE "86017 SESSION MISSING"
    ISE-TEST-SWITCH#show authentication sessions interface gi0/3
                Interface:  GigabitEthernet0/3
              MAC Address:  001f.297b.bd82
               IP Address:  10.2.12.45
                   Status:  Running
                   Domain:  UNKNOWN
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC1484640000026C28C2FA05
          Acct Session ID:  0x0000029D
                   Handle:  0x2C00026D
    Runnable methods list:
           Method   State
           dot1x    Running
           mab      Not run

    Guest authentication failed: 86017: Session cache entry missing
    try adjusting the UTC timezone during the guest creation in the sponsor portal.
    86017
    Guest
    Session Missing
    Session ID missing. Please contact your System Administrator.
    Info

  • Problems with re authentications in a wireless with WLC working with web authentication and a radius server

    Hi everyone, I'm having problems in a wireless network; the SSID has security layer 2 WPA, layer 3 web authentication (internal default page), and external RADIUS.
    When a client roams from one AP to another one or when he has an idle time, he needs to re-authenticate in the web login page. Does somebody know a solution to avoid this behavior? Or does somebody have a troubleshooting way to determine why the clients have this problem?

    A few things I can share that might help. Your actual feet on the ground will be important to see this issue for yourself.
    I know when a client or if the AP sends a DEAUTH frame the client will need to reestablish its connection and it will 100% of the time require a new web auth. If a client loses connection while roaming and a DEAUTH is sent on either side you will get the page. If your client isn't roaming cleanly this can be a problem.
    Another problem is you're using EAP. Are you using CCK or a device that supports OKC? What does your radius server say when a client roams?
    You could also simplify your config and then reapply your security and see where it breaks. By this I mean: for testing, create an SSID, turn off security and leave layer 3 web auth on. Roam and see what happens. If it works, then start to apply the security and see where it breaks.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Profiling Problem & Web Authentication Proxy

    Dear All,
    I am facing a problem with profiling of workstations over the wireless network, as ISE is marking these workstations as 'Unknown'. Whereas if I connect the same workstation using a wired connection then it gets profiled in the right category.
    Profiling for the wireless network was working fine initially but as soon as I pointed AAA towards ISE in the employee SSID then ISE started marking any new workstation as 'Unknown'. Before enabling AAA in the WLAN (SSID) the profiling was working fine using the 'Radius NAC' setting in the advanced tab of the same SSID. Because of the unknown category, the workstation gets authorization rejection as per the authorization policy.
    I have another query regarding enabling 'web authentication proxy' on Cisco WLC. I have guest wireless setup using a dedicated anchor controller and ISE is providing the guest sponsor and guest portal services. So when a guest user comes in and if the user already has some proxy configured in the browser then url redirection for the guest portal doesn't work and the guest user must remove the proxy.
    So this requires someone to engage with the guest user but the client wants this process to be automatic. I have gone through the following document,
    http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b8a909.shtml
    but I am not sure if this solution will also work if the guest portal service is through ISE instead of WLC itself ??
    Thanks & Regards,
    Mujeeb

    Not a problem. The reason your profiling is failing for wireless users is that the profiling information for dhcp isn't hitting the ISE nodes. For the wired devices are you using the dhcp probe to profile the users? If so, then your issue is with the dhcp proxy setting on the controller. Even though you have the ip helper statement on the svi, essentially your controller is proxying the dhcp broadcasts from the client straight to the dhcp server, so even if you enable the ip helper statements on the svi for the ISE nodes it will not work.
    You are correct for the guests, typically if a guest has enabled proxy settings before they should know that they should probably disable this setting when they connect to a new network.
    Also I can not remember but aren't the proxy settings configured under the network settings tab? Meaning the only time you would experience this issue is if the ssid you are broadcasting is the same as the ssid they have connected to previously?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Web authentication with Radius server problem

    Hello,
    I'm having a problem web authenticating users via a radius server for one WLC. Here is the output from the WLC:
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created for mobile, length = 7
    *emWeb: Mar 26 14:17:31.537: 20:7d:xx:xx:d8:f0 Username entry (aaaaaa) created in mscb for mobile, length = 7
    *aaaQueueReader: Mar 26 14:17:31.537: Unable to find requested user entry for aaaaaa
    *aaaQueueReader: Mar 26 14:17:31.537: ReProcessAuthentication previous proto 8, next proto 1
    *aaaQueueReader: Mar 26 14:17:31.537: AuthenticationRequest: 0x1e08eb94
    *aaaQueueReader: Mar 26 14:17:31.538:   Callback.....................................0x10908d90
    *aaaQueueReader: Mar 26 14:17:31.538:   protocolType.................................0x00000001
    *aaaQueueReader: Mar 26 14:17:31.538:   proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *aaaQueueReader: Mar 26 14:17:31.538:   Packet contains 11 AVPs (not shown)
    *aaaQueueReader: Mar 26 14:17:31.538: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Mar 26 14:17:31.538: 20:7d:xx:xx:d8:f0 Successful transmission of Authentication Packet (id 67) to 10.xx.33.249:1645, proxy state 20:7d:xx:xx:d8:f0-00:01
    *aaaQueueReader: Mar 26 14:17:31.538: 00000000: 01 43 00 8c 48 7c a7 ff  df 06 53 30 c0 be e1 8e  .C..H|....S0....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000010: d7 fd 8b d3 01 09 73 65  66 72 73 76 65 02 12 7b  ......aaaaaa..{
    *aaaQueueReader: Mar 26 14:17:31.538: 00000020: ae 2e f5 eb fa cf f5 cc  3b 08 65 d7 04 0e ba 06  ........;.e.....
    *aaaQueueReader: Mar 26 14:17:31.538: 00000030: 06 00 00 00 01 04 06 0a  2e 09 14 05 06 00 00 00  ................
    *aaaQueueReader: Mar 26 14:17:31.538: 00000040: 0d 20 0d 73 65 76 73 74  2d 6c 77 63 31 30 3d 06  ...xxxxx-lwc10=.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000050: 00 00 00 13 1a 0c 00 00  37 63 01 06 00 00 00 01  ........7c......
    *aaaQueueReader: Mar 26 14:17:31.538: 00000060: 1f 0e 31 39 32 2e 31 36  38 2e 31 2e 36 31 1e 0c  ..192.168.1.61..
    *aaaQueueReader: Mar 26 14:17:31.538: 00000070: 31 30 2e 34 36 2e 39 2e  32 30 50 12 95 11 7c d9  10.xx.9.20P...|.
    *aaaQueueReader: Mar 26 14:17:31.538: 00000080: 75 8e 01 6e bf 62 38 f8  38 ab 68 4a              u..n.b8.8.hJ
    *radiusTransportThread: Mar 26 14:17:31.603: 00000000: 03 43 00 14 e5 8c e7 75  52 04 af e0 07 b7 fb 96  .C.....uR.......
    *radiusTransportThread: Mar 26 14:17:31.603: 00000010: c1 4a fb 40                                       .J.@
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Mar 26 14:17:31.603: 20:7d:xx:xx:d8:f0 Access-Reject received from RADIUS server 10.xx.33.249 for mobile 20:7d:xx:xx:d8:f0 receiveId = 0
    *radiusTransportThread: Mar 26 14:17:31.603: ReProcessAuthentication previous proto 1, next proto 2
    *radiusTransportThread: Mar 26 14:17:31.603: AuthenticationRequest: 0x1da9fa4c
    *radiusTransportThread: Mar 26 14:17:31.603:    Callback.....................................0x10908d90
    *radiusTransportThread: Mar 26 14:17:31.603:    protocolType.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.603:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.603:    Packet contains 11 AVPs (not shown)
    *radiusTransportThread: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Returning AAA Error 'No Server' (-7) for mobile 20:7d:xx:xx:d8:f0
    *radiusTransportThread: Mar 26 14:17:31.605: AuthorizationResponse: 0x2dd03648
    *radiusTransportThread: Mar 26 14:17:31.605:    structureSize................................32
    *radiusTransportThread: Mar 26 14:17:31.605:    resultCode...................................-7
    *radiusTransportThread: Mar 26 14:17:31.605:    protocolUsed.................................0x00000002
    *radiusTransportThread: Mar 26 14:17:31.605:    proxyState...................................20:7D:xx:xx:D8:F0-00:00
    *radiusTransportThread: Mar 26 14:17:31.605:    Packet contains 0 AVPs:
    *emWeb: Mar 26 14:17:31.605: Authentication failed for aaaaaa
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Username entry deleted for mobile
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Plumbing web-auth redirect rule due to user logout
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Deleting mobile policy rule 42461
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Adding Web RuleID 42464 for mobile 20:7d:xx:xx:d8:f0
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 Web Authentication failure for station
    *emWeb: Mar 26 14:17:31.605: 20:7d:xx:xx:d8:f0 192.168.1.61 WEBAUTH_REQD (8) Reached ERROR: from line 5069
    That was pretty clear for me that Radius is refusing to give user access.
    Fully-Qualified-User-Name = NMEA\aaaaaa
    NAS-IP-Address = 10.xx.9.20
    NAS-Identifier = xxxxx-lwc10
    Called-Station-Identifier = 10.xx.9.20
    Calling-Station-Identifier = 192.168.1.61
    Client-Friendly-Name = YYY10.xx
    Client-IP-Address = 10.xx.9.20
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 13
    Proxy-Policy-Name = Use Windows authentication forall users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Users
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    Reason-Code = 66
    Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
    That output is from WLC 5508 version 7.0.235
    What is strange, that user was able to authenticate from other before refresh WLC 4402 ver 4.2.207. I cannot change WLC because of AP which cannot run old version.
    this is output from working client connection from old WLC
    NAS-IP-Address = 10.xx.9.13
    NAS-Identifier = xxxxx-lwc03
    Client-Friendly-Name = YYY10.46
    Client-IP-Address = 10.xx.9.13
    Calling-Station-Identifier = 192.168.19.246
    NAS-Port-Type = <not present>
    NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = YYYYY Wireless Guest Access
    Authentication-Type = PAP
    EAP-Type = <undetermined>
    I know there is different Policy Name used, but my question is why it is not using the same as on old WLC when configuration is same.
    Is there any way I can force users to use different policy from WLC or AP configuration or is this solely configuration of Radius?
    Is it maybe problem of version 7.0.235?
    Any thoughts would be much appreciated.

    Scott,
    You are probably right. The condition that is checked for the first policy name (we have 2) is to match
    NAS-Port-Type = Wireless - IEEE 802.11, and this is basically used to differentiate guests from other company users.
    as you can see from the logs the one that is working correctly is not sending NAS-Port-Type. The question is why.
    As I said before.
    WLC 5508 ver. 7.0.235 is sending NAS-Port-Type
    WLC 4402 ver. 4.2.207 is not.
    The same user was working OK on 4402 WLC and after refresh and associating APs to 5508 it all broke, so client did not change anything on adapter.
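
An added example, not from the thread and not Microsoft or Cisco code: a simplified model of ordered, first-match policy selection on the RADIUS server, showing how the extra NAS-Port-Type attribute steers the same PAP request into a policy where PAP is not enabled (Reason-Code 66). The condition on each policy and the allowed-method sets are assumptions reconstructed from the two logs and the reply above.

```python
# Requests as logged by the RADIUS server in the post above, trimmed to the
# attributes discussed; "<not present>" is how that log marks a missing attribute.
NEW_WLC = """\
NAS-IP-Address = 10.xx.9.20
NAS-Identifier = xxxxx-lwc10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 13
Authentication-Type = PAP
"""
OLD_WLC = """\
NAS-IP-Address = 10.xx.9.13
NAS-Identifier = xxxxx-lwc03
NAS-Port-Type = <not present>
NAS-Port = <not present>
Authentication-Type = PAP
"""

# Ordered policy list modelled on the reply: the first policy keys on NAS-Port-Type.
# Assumptions: the method sets and the empty (match-all) condition on the guest
# policy; the post only shows PAP rejected by the first and accepted by the second.
POLICIES = [
    {"name": "YYYYY Wireless Users",
     "conditions": {"NAS-Port-Type": "Wireless - IEEE 802.11"},
     "auth_methods": {"EAP"}},
    {"name": "YYYYY Wireless Guest Access",
     "conditions": {},
     "auth_methods": {"PAP"}},
]

REASON_METHOD_NOT_ENABLED = 66  # Reason-Code shown in the server log above


def parse_request(text):
    """Turn 'Name = value' log lines into a dict, dropping attributes marked as absent."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep and value.strip() != "<not present>":
            attrs[key.strip()] = value.strip()
    return attrs


def evaluate(attrs, policies=POLICIES):
    """Return (policy name, decision, reason code).

    The first policy whose conditions all match decides the request. If the
    request's authentication method is not enabled on that policy the request
    is rejected; later policies are not tried.
    """
    for policy in policies:
        if all(attrs.get(k) == v for k, v in policy["conditions"].items()):
            if attrs.get("Authentication-Type") in policy["auth_methods"]:
                return policy["name"], "accept", None
            return policy["name"], "reject", REASON_METHOD_NOT_ENABLED
    return None, "reject", None  # no policy matched at all


def attribute_diff(a, b):
    """Attributes present in only one request, or present in both with different values."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    new, old = parse_request(NEW_WLC), parse_request(OLD_WLC)
    print("5508 request:", evaluate(new))
    print("4402 request:", evaluate(old))
    for name, (new_val, old_val) in attribute_diff(new, old).items():
        print(f"{name}: 5508={new_val!r} 4402={old_val!r}")
```

The diff isolates NAS-Port-Type and NAS-Port as the attributes only the newer controller sends, which is the first thing to compare against the policy conditions when a request lands in an unexpected policy.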

  • Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008

    Hi Guys,
    I have a problem with a case; I have a sample diagram like this: AD(Win2008) - Radius(Win2008) - Aironet 2702i => Use methods Web-Auth for EndUser
    This is my Configure file on Aironet 2702i
    Aironet2702i#show run
    Building configuration...
    Current configuration : 8547 bytes
    ! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname Aironet2702i
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login DTSGROUP group radius
    aaa authentication login webauth group radius
    aaa authentication login weblist group radius
    aaa authentication dot1x default group radius
    aaa authorization exec default local 
    aaa session-id common
    clock timezone +0700 7 0
    no ip source-route
    no ip cef 
    ip admission name webauth proxy http
    ip admission name webauth method-list authentication weblist 
    no ip domain lookup
    ip domain name dts.com.vn
    dot11 syslog
    dot11 activity-timeout unknown default 1000
    dot11 activity-timeout client default 1000
    dot11 activity-timeout repeater default 1000
    dot11 activity-timeout workgroup-bridge default 1000
    dot11 activity-timeout bridge default 1000
    dot11 vlan-name DTSGroup vlan 46
    dot11 vlan-name L6-Webauthen-test vlan 45
    dot11 vlan-name NetworkL7 vlan 43
    dot11 vlan-name SGCTT vlan 44
    dot11 ssid DTS-Group
       vlan 46
       authentication open eap DTSGROUP 
       authentication key-management wpa version 2
       mbssid guest-mode
    dot11 ssid DTS-Group-Floor7
       vlan 43
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    dot11 ssid SaigonCTT-Public
       vlan 44
       authentication open 
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
    dot11 arp-cache optional
    dot11 adjacent-ap age-timeout 3
    eap profile DTSGROUP
     description testwebauth-radius
     method peap
     method mschapv2
     method leap
    username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
    username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
    ip ssh version 2
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 46 mode ciphers aes-ccm 
     encryption mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid L6-Webauthen-test
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 2412
     station-role root
     rts threshold 2340
     rts retries 128
     ip admission webauth
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface Dot11Radio1
     no ip address
     shutdown
     encryption vlan 46 mode ciphers aes-ccm 
     encryption vlan 44 mode ciphers aes-ccm 
     encryption vlan 1 mode ciphers aes-ccm 
     encryption vlan 43 mode ciphers aes-ccm 
     encryption vlan 45 mode ciphers ckip-cmic 
     ssid DTS-Group
     ssid DTS-Group-Floor7
     ssid SaigonCTT-Public
     countermeasure tkip hold-time 0
     antenna gain 0
     peakdetect
     dfs band 3 block
     stbc
     mbssid
     packet retries 128 drop-packet
     channel 5745
     station-role root
     rts threshold 2340
     rts retries 128
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 subscriber-loop-control
     bridge-group 43 spanning-disabled
     bridge-group 43 block-unknown-source
     no bridge-group 43 source-learning
     no bridge-group 43 unicast-flooding
    interface Dot11Radio1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 subscriber-loop-control
     bridge-group 44 spanning-disabled
     bridge-group 44 block-unknown-source
     no bridge-group 44 source-learning
     no bridge-group 44 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
     ip admission webauth
    interface Dot11Radio1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 subscriber-loop-control
     bridge-group 46 spanning-disabled
     bridge-group 46 block-unknown-source
     no bridge-group 46 source-learning
     no bridge-group 46 unicast-flooding
    interface GigabitEthernet0
     no ip address
     duplex auto
     speed auto
     dot1x pae authenticator
     dot1x authenticator eap profile DTSGROUP
     dot1x supplicant eap profile DTSGROUP
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet0.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet0.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface GigabitEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet1.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet1.43
     encapsulation dot1Q 43
     bridge-group 43
     bridge-group 43 spanning-disabled
     no bridge-group 43 source-learning
    interface GigabitEthernet1.44
     encapsulation dot1Q 44
     bridge-group 44
     bridge-group 44 spanning-disabled
     no bridge-group 44 source-learning
    interface GigabitEthernet1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface GigabitEthernet1.46
     encapsulation dot1Q 46
     bridge-group 46
     bridge-group 46 spanning-disabled
     no bridge-group 46 source-learning
    interface BVI1
     mac-address 58f3.9ce0.8038
     ip address 172.16.1.62 255.255.255.0
     ipv6 address dhcp
     ipv6 address autoconfig
     ipv6 enable
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    radius-server attribute 32 include-in-access-req format %h
    radius server 172.16.50.99
     address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
     key 7 104A1D0A4B141D06421224
    bridge 1 route ip
    line con 0
     logging synchronous
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    line vty 5 15
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     transport input ssh
    end
    This is my log file on the RADIUS server (Windows 2008):
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
    Account Name: xxxxxxxxxxxxxxxx
    Account Domain: xxxxxxxxxxx
    Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
    Client Machine:
    Security ID: S-1-0-0
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: -
    Calling Station Identifier: -
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    So I will explain the problems I have seen:
    SSID: DTS-Group uses EAP authentication with RADIUS and it is working great (authentication type from Aironet to RADIUS is PEAP).
    SSID: L6-Webauthen-test uses web-auth and I tried to compare it with RADIUS, but the ROOT CAUSE is that the AUTHENTICATION TYPE from Aironet to RADIUS is PAP by default. (Reason Code: 66)
    => I have been trying to find out how to change the authentication type of web-auth on Cisco Aironet from PAP to PEAP or something like that, to combine it with RADIUS.
    Any ideas or recommendations for me?
    Thanks for looking at my case.

    Hi Dhiresh Yadav,
    Many thanks for your reply.
    I will explain again to make my problem clear.
    In this case, I have completely set up the SSID DTS-Group, which uses authentication with PEAP security combined with a RADIUS server running on Windows 2008.
    I logged in to the SSID with an account created in AD => It works okay for me. Done.
    The problem occurs when I try to use web authentication on VLAN 45 with this SSID:
    dot11 ssid L6-Webauthen-test
       vlan 45
       web-auth
       authentication open 
       dot1x eap profile DTSGROUP
       mbssid guest-mode
    After configuring the Aironet and the Windows RADIUS server, I tried to log in from a web browser with an account created in AD, but it failed (I saw a small popup that said "Authentication Fail"). So I went to the RADIUS server and searched the log in Event Viewer.
    This is my log file on the RADIUS server (Windows 2008):
    Network Policy Server denied access to a user.
    NAS:
    NAS IPv4 Address: 172.16.1.62
    NAS IPv6 Address: -
    NAS Identifier: Aironet2702i
    NAS Port-Type: Async
    NAS Port: -
    RADIUS Client:
    Client Friendly Name: Aironet2702i
    Client IP Address: 172.16.1.62
    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: DTSWIRELESS
    Authentication Provider: Windows
    Authentication Server: xxxxxxxxxxxxxx
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
    I think the ROOT CAUSE is:
    PAP is the default authentication type for web-auth users on the Aironet 2702i, so it can't be combined with RADIUS on Windows 2008 because they just support PEAP (CHAPv1, CHAPv2....) => Please give me a tip on how to change the authentication type from PAP to PEAP for web authentication on the Aironet.
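
The NPS denial quoted in the two posts above can be triaged mechanically. This is an added example, not code from the thread: it parses events in that layout and counts reason-66 denials per NAS, policy and offered method. The second event in the sample, including its reason code 16 and port type, is constructed for contrast.

```python
from collections import Counter

HEADER = "Network Policy Server denied access to a user."

# Constructed input: two NPS denial events in the layout quoted in the posts above.
# The first reuses values from the post; the second is invented for contrast.
SAMPLE_LOG = """\
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS Identifier: Aironet2702i
NAS Port-Type: Async
Authentication Details:
Network Policy Name: DTSWIRELESS
Authentication Type: PAP
EAP Type: -
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS Identifier: Aironet2702i
NAS Port-Type: Wireless - IEEE 802.11
Authentication Details:
Network Policy Name: DTSWIRELESS
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch.
"""

def split_events(log):
    """Return the body of each event; every event starts with HEADER."""
    return [chunk for chunk in log.split(HEADER) if chunk.strip()]

def parse_event(text):
    """Return {section: {field: value}}; a line ending in ':' opens a section."""
    event, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            section = line[:-1]
            event[section] = {}
        elif ": " in line and section is not None:
            key, _, value = line.partition(": ")
            event[section][key] = None if value == "-" else value  # '-' means empty
    return event

def classify(event):
    """Pull out the fields that explain why the request was denied."""
    auth = event.get("Authentication Details", {})
    nas = event.get("NAS", {})
    return {
        "nas": nas.get("NAS Identifier"),
        "port_type": nas.get("NAS Port-Type"),
        "policy": auth.get("Network Policy Name"),
        "method": auth.get("Authentication Type"),
        "is_eap": auth.get("EAP Type") is not None,
        # Reason 66: a policy matched, but the offered method is not enabled on it.
        "method_not_enabled": auth.get("Reason Code") == "66",
    }

def method_mismatches(log):
    """Count reason-66 denials per (NAS, policy, offered method)."""
    counts = Counter()
    for text in split_events(log):
        c = classify(parse_event(text))
        if c["method_not_enabled"]:
            counts[(c["nas"], c["policy"], c["method"])] += 1
    return counts

if __name__ == "__main__":
    for (nas, policy, method), n in method_mismatches(SAMPLE_LOG).items():
        print(f"{n}x {nas}: policy {policy!r} matched, {method} not enabled on it")
```

A PAP request reaches the RADIUS server with the password protected only by the RADIUS shared secret, so the decision to enable PAP on a policy deserves the same scrutiny as the denial itself.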

  • Guest Parameter for Web Authentication

    Hi Forum,
    Just to find out a little more detail in regards to the guest account created for web authentication using Ambassador account.
    1) If the authenticated guest did not perform a proper logout, what action will the WLC take?
    2) As such, is there any timeout involved?
    Where can I tune the timeout?
    Rdgs,
    Kelvin

    Hi I just wanted to add what I have found regarding WCS and the guest feature.
    -There are two ways to configure a "local net user". The first is a static guest ID that has the "guest" flag off. This means that the client's session will not timeout. The second is to specify the "guest" user checkbox and give it a timeout value in seconds.
    This should let you control how long a user is logged in.
    From the WLC login, go to SECURITY --> LOCAL NET USERS --> then click on NEW. From there you can specify a user ID and also set that optional guest user box. If you click on the Guest User box then you will see a timeout field.
    With my guest account set to not be a guest user (no timeout value), I have noticed the following.
    1. If a guest gets disconnected, usually they will reassociate and still be able to log in.
    2. If a guest has problems, I usually tell them to disable their wireless card, close all browser windows, and then reassociate to the network.
    The steps above have worked well for my setup...

  • Web authentication different user same client

    Hi,
    We are currently building a guest WLAN. The authentication works with LDAP via web authentication. Users can log on via smartphones and Windows laptops. Now we have a little problem with the Windows laptops, discovered in the testing phase. When user A successfully logs on to the laptop through web authentication and then logs off the laptop, user B can simply work under the same credentials as user A, without problems. This is not desirable; another user must then log in to the laptop with their own credentials.
    The WLC 5508 remembers the client MAC address, not the user.
    Any tips?
    Thank you!

    When the user logs off the session remains active on the WLC.
    We have the "User Idle Timeout" set to 100000 sec and "Enable Session Timeout" unchecked. This is to log out users after a certain time via a time trigger. Guests 24 hours, students half a year, staff 1 year. (If the WLC does not often need to restart.)
    For non-domain devices this is not a problem, since users are then not dependent on the Windows domain.
    How can we debug users, let's say user A and B on one laptop?

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to log in to web authentication over HTTP instead of HTTPS.
    If I log in over HTTP, I will not receive certificate alerts that prevent the users' connections.
    I saw how to configure it with the 7.x release, but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • Not Working-central web-authentication with a switch and Identity Service Engine

    Following up on the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis: since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACLs:
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    For the ISE-side configuration, I followed it step by step...
    When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    In the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?
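
To see which flows each version of the `redirect` ACL in the two posts above selects, here is an added example (not code from the thread) that evaluates both with a simplified first-match model, where `permit` selects traffic for redirection and `deny` exempts it. The client IP and ACL entries come from the posts; the destination addresses, including the proxy's, are constructed, and treating 172.22.2.38 as the ISE portal host is an assumption.

```python
import ipaddress

# Redirect ACL from the first post, then the one from the follow-up post.
REDIRECT_V1 = """\
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
"""
REDIRECT_V2 = "10 permit ip any any\n"

PORT_NAMES = {"www": 80}
CLIENT = "172.22.3.184"  # client IP shown in the first post

# Constructed flows: (protocol, destination IP, destination port).
FLOWS = {
    "direct http": ("tcp", "203.0.113.10", 80),
    "http via proxy": ("tcp", "172.22.2.50", 8080),  # proxy port from the post
    "guest portal": ("tcp", "172.22.2.38", 8443),    # assumed to be the ISE
    "dns": ("udp", "172.22.2.10", 53),
}

def _take_addr(tokens):
    """Consume 'any' or 'host <ip>' from the token list and return a network."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    raise ValueError(f"unsupported address spec: {word}")

def parse_acl(text):
    """Parse 'seq action proto src dst [eq port]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        rest = tokens[3:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append((seq, action, proto, src, dst, port))
    return rules

def decide(rules, proto, src, dst, dport):
    """First match wins; ('deny', None) is the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto):
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return action, seq
    return "deny", None

def redirect_table(acl_text):
    """Map each sample flow to the (action, sequence number) that decides it."""
    rules = parse_acl(acl_text)
    return {name: decide(rules, proto, CLIENT, dst, port)
            for name, (proto, dst, port) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("first post", REDIRECT_V1), ("follow-up", REDIRECT_V2)):
        for flow, (action, seq) in redirect_table(acl).items():
            print(f"{label:10} {flow:15} -> {action} (entry {seq})")
```

Under the first ACL a browser request sent to the proxy on port 8080 falls through to the implicit deny and is never selected for redirection. Under `permit ip any any` every flow is selected, including DNS and the portal itself.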

  • Timeout problem

    Case
    Case 180396
    Title: WebLogic Server - TImeout problem
    Owner: ClearExpress WebEval Case Type: Administration
    Condition: Open-Dispatch Severity: Evaluation
    Status: Need Initial Contact
    Site Name: Transactions Unlimited Inc Site ID: IND001180
    Address: 1308 oak Lake Ct City, State, ZIP: San Jose, CA 95131
    Contact: Serisha Nagothu Phone: (408)330-4840
    Case History:
    *** NOTES 29-JUN-2000 09:56:15 [29-JUN-2000 15:56:15 None] webeval
    *** Logged by contact: Serisha Nagothu, (408)330-4840
    Product=WLS 451
    Revision=(Release Level)= 451
    Problem Description= NSAPI - WL
    OP = Solaris 2.6
    Hi,
    In my product, I have an operation where I upload files to my website.
    When I am uploading smaller size files I am not facing any problem. But when
    I upload large size files (eg 10 MB) it is happening multiple times. I did
    not face this problem on Windows NT. Only on Solaris I am experiencing this.
    So we wrote a simple servlet to find out what is exactly happening. I am
    getting timeout. I connect to WebLogic Server through Netscape Web Server
    which is running on another Solaris. I tried to increase the connection
    timeout in Netscape Server. It did not provide any results to me. When I
    checked the logs on NSAPI, it is connecting to WL properly, the problem is
    from WebLogic. Apart from the Session Timeout in Deployment Descriptor is
    there any where that weblogic has a timeout settings. I want to know about
    this in detail. It is very very urgent.
    Here is the way my bean works, it reads the file from disk and copy it
    to temporary location and then do the upload. When it started reading, it is
    fine and then when it is uploading, it is getting timeout so, it started
    reading the file again, it is happening till it gets out of space error.
    Please let me know what is the solution, as immediately as possible. I
    would really really appreciate your help.
    Thanks in advance

    What service pack are you using? If you are using 451 SP8 or a more recent one, then it has a new plugin parameter called "HungServerRecoverSecs". Here are the details:
    HungServerRecoverSecs 10:300:600 for (min:default:max)
    You should set this to a very large value. If it is less than the time the servlets take to process, then you will see unexpected results. This implementation takes care of the hung or unresponsive servers in the cluster. So the plugin waits for HungServerRecoverSecs for the server to respond and then declares that server dead and fails over to the next server.
    Maybe this is what you are seeing. If the value is too low it will fail over and the POST will happen multiple times.
    Let us know if this problem persists.
    --Vinod.

  • Having trouble with web authentication in 5504

    Hi everybody,
    We're experiencing trouble with our wireless LAN solution. We have a WLC 5504, an ACS 4.2 and 1131AG APs.
    After deploying the solution and doing some tests, we noticed that when a user attempted to connect via the wireless network there was too much delay from when they clicked IE (Internet Explorer) until the web authentication page of the WLC was shown. The delay was around 3 minutes. This issue also occurs when doing a test from my laptop next to one access point; I then moved to another access point and the result was the same, so a laptop problem is ruled out.
    Has anybody ever had this kind of trouble? How could I reduce this time? Is it possible? Which part of the configuration should I check?
    Regards,
    Manuel

    Friends,
    I've made a mistake. Our WLC is a 4404.
    Regards,
    Manuel

  • No Web Authentication - but excluded client with reason code 4

    Hello,
    we are using a WLC 4400 with Software Version 5.0.148.0 and WCS Version 5.0.56.2.
    Access Points are AIR-LAP1131AG-E-K9.
    We have problems with one client (Windows XP SP3). The computer loses the wireless connection all the time, but we don't know why. The durations of the connections vary.
    So there are a lot of minor alarms saying “Client which was associated with AP, interface '0' is excluded. The reason code is '4(Web Authentication failed 3 times.)'.”
    But the wireless lan which is used by the client is not configured with Web Authentication!! It is only using MACFilter. That's very strange! (There is another wireless lan configured with Web Authentication.)
    The minor alarms are created by different Access Points, amongst others by the Access Point where the client is connected to! (All Access Points radiate all wireless lans.)
    Regarding this client, the syslog server often says:
    Sep 17 16:01:57.187 1x_ptsm.c:404 DOT1X-3-MAX_EAPOL_KEY_RETRANS: Max EAPOL-key M1 retransmissions exceeded for client LOCAL USE 0 ERROR CONDITION
    Sep 17 16:02:07.885 1x_ptsm.c:511 DOT1X-3-PSK_CONFIG_ERR: Client may be using an incorrect PSK LOCAL USE 0 ERROR CONDITION
    Last week I tried the troubleshooting of the WCS with the following result:
    Time :09/18/2009 19:01:39 Message :Controller association request message received.
    Time :09/18/2009 19:01:39 Message :Association request received from a client has an invalid RSN IE.(One reason could be mismatch in WPA2 algorithm).
    Time :09/18/2009 19:01:39 Message :Received reassociation request from client.
    Time :09/18/2009 19:01:39 Message :The wlan to which client is connecting requires 802 1x authentication.
    Time :09/18/2009 19:01:39 Message :Client moved to associated state successfully.
    Time :09/18/2009 19:01:39 Message :802.1x authentication message received, static dynamic wep supported.
    Time :09/18/2009 19:01:39 Message :802.1x authentication was completed successfully.
    Time :09/18/2009 19:01:39 Message :Client has got IP address, no L3 authentication required.
    I think the problem is hidden at the client but I don't know what it could be. The PSK cannot be incorrect because the client is able to connect to the wireless LAN but later loses the connection.
    Does somebody have an idea or know the error messages?!
    Greetings lydia

    Hi,
    I have exactly the same problem! Can you please tell me if you were able to solve this?
    Thank you!
    Best regards,
