Introduction
This document describes how to increase the Web-authentication (Web-auth) timeout on a Wireless LAN Controller (WLC) so that VPN users on a Web-auth Service Set Identifier (SSID) can keep their VPN connection without full authentication and without a disconnection every few minutes.
Prerequisites
Requirements
Cisco recommends that you know how to configure the WLC for basic operation and Web-auth.
Components Used
The information in this document is based on a Cisco 5500 Series WLC that runs firmware version 8.0.100.0.
Note: The configuration and Web-auth explanation in this document is applicable to all WLC models and any Cisco Unified Wireless Network image version 8.0.100.0 and later.
Background Information
In many customer network setups, a group of company users or guests is allowed VPN access to certain IP addresses without the requirement to pass Web-auth security. These users receive an IP address and connect directly to the VPN without any credentials and without authentication via Web-auth. The same SSID might be in use by another set of users who go through normal, full Web-auth in order to gain Internet access. This scenario is possible via a pre-authentication ACL configured on the SSID that allows client connections to the VPN IP addresses before the client passes authentication. The problem for these VPN users is that they obtain an IP address but never complete Web-auth. Therefore, the Web-auth timeout expires and the WLC deletes the client:
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8)
Web-Auth Policy timeout
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8)
Pem timed out, Try to delete client in 10 secs.
In WLC versions earlier than 7.6 this timeout is fixed at 5 minutes (300 seconds), which makes the wireless network nearly unusable for these kinds of users. WLC Version 8.0 adds the capability to change this value, so VPN users whose traffic the pre-auth ACL permits can stay connected for the length of the configured timeout.
Configure
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
Complete these steps in order to increase the Web-auth timeout on the WLC:
- Create an ACL that allows traffic to the VPN IP address. Restrict it to the VPN gateway address and ports that are actually required, because every client on this SSID can reach whatever the ACL permits before it authenticates.
- Apply the ACL as the Preauthentication ACL in the Wireless LAN (WLAN) configuration under Layer 3 Security.
- Log in via the CLI and enter the config wlan security web-auth timeout command in order to increase the Web-auth timeout value:
(WLC)>config wlan security web-auth timeout ?
<value> Configures Web authentication Timeout (300-14400 seconds).
(WLC)>config wlan security web-auth timeout 3600 <Wlan_id>
Verify
Use this section to confirm that your configuration works properly.
The Web-auth session timeout value for your WLAN appears as this example output shows:
(WLC)>show wlan 10
Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 3600
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Enter the debug client <mac-address> command in order to see the Web-auth timer begin for the user that connects to the VPN without authentication.
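The following Python script is an added example and is not part of this Cisco document. It ties the Configure, Verify and Troubleshoot sections together: it range-checks the timeout value the way the CLI help above describes (300-14400 seconds) before building the config wlan security web-auth timeout command, parses show wlan output such as the Verify section's to confirm the value took effect, and scans debug client output for the Web-Auth Policy timeout records shown in the Background section. The show wlan and debug client text embedded in it is constructed from the lines on this page plus one made-up line each; the function names and the second client are the example's own assumptions.

```python
import re

# Range printed by the WLC CLI help for "config wlan security web-auth timeout ?"
WEBAUTH_TIMEOUT_MIN = 300
WEBAUTH_TIMEOUT_MAX = 14400


def timeout_in_range(seconds: int) -> bool:
    """True if the value is one the controller accepts (300-14400 seconds)."""
    return WEBAUTH_TIMEOUT_MIN <= seconds <= WEBAUTH_TIMEOUT_MAX


def webauth_timeout_command(wlan_id: int, seconds: int) -> str:
    """Build the command from the Configure section, rejecting values the WLC
    would refuse so the mistake is caught before the controller is touched."""
    if not timeout_in_range(seconds):
        raise ValueError(
            f"web-auth timeout must be {WEBAUTH_TIMEOUT_MIN}-{WEBAUTH_TIMEOUT_MAX} s, got {seconds}")
    return f"config wlan security web-auth timeout {seconds} {wlan_id}"


# "show wlan <id>" prints one "Label.......... value" field per line.
_SHOW_FIELD = re.compile(r"^\s*(?P<label>.+?)\.{3,}\s*(?P<value>\S.*?)\s*$")


def parse_show_wlan(text: str) -> dict:
    """Map each dotted label in show wlan output to its value string."""
    fields = {}
    for line in text.splitlines():
        m = _SHOW_FIELD.match(line)
        if m:
            fields[m.group("label").strip()] = m.group("value")
    return fields


def verify_webauth_timeout(show_wlan_text: str, expected: int) -> bool:
    """Verify step: Web-auth must be enabled and the timeout must equal the value set."""
    fields = parse_show_wlan(show_wlan_text)
    if fields.get("Web Based Authentication") != "Enabled":
        return False
    return fields.get("Web Authentication Timeout") == str(expected)


# "debug client" records: *task: Mon DD HH:MM:SS.mmm: <mac> <ip> <STATE> (<code>) <message>
_DEBUG_LINE = re.compile(
    r"^\*(?P<task>\w+):\s+(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>[A-Z0-9_]+)\s+\((?P<code>\d+)\)\s*(?P<msg>.*)$",
    re.IGNORECASE,
)

# Messages the Background section shows when the Web-auth timer expires.
TIMEOUT_MESSAGES = ("Web-Auth Policy timeout", "Pem timed out")


def find_webauth_timeouts(debug_text: str) -> list:
    """Return (timestamp, mac, ip, message) for every WEBAUTH_REQD record that
    carries one of TIMEOUT_MESSAGES, i.e. a client whose Web-auth timer expired."""
    # Terminal captures often wrap the message onto the next line, as the
    # Background section shows; glue such continuation lines back on.
    records = []
    for raw in debug_text.splitlines():
        if raw.startswith("*") or not records:
            records.append(raw.rstrip())
        elif raw.strip():
            records[-1] += " " + raw.strip()
    hits = []
    for rec in records:
        m = _DEBUG_LINE.match(rec)
        if m is None or m.group("state") != "WEBAUTH_REQD":
            continue
        msg = m.group("msg")
        if any(msg.startswith(t) for t in TIMEOUT_MESSAGES):
            hits.append((m.group("ts"), m.group("mac").lower(), m.group("ip"), msg))
    return hits


# Constructed sample "show wlan 10" output: the two lines from the Verify
# section plus a made-up identifier line in the same format.
SAMPLE_SHOW_WLAN = """\
WLAN Identifier.................................. 10
Web Based Authentication...................... Enabled
Web Authentication Timeout.................... 3600
"""

# Constructed sample "debug client" capture: the two records from the
# Background section (message wrapped onto the next line, as printed there)
# plus a made-up record for a second client that has not timed out.
SAMPLE_DEBUG = """\
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8)
Web-Auth Policy timeout
*apfReceiveTask: Sep 03 12:01:55.694: 00:24:d7:cd:ac:30 172.30.0.118 WEBAUTH_REQD (8)
Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 03 12:02:10.001: 00:11:22:33:44:55 172.30.0.119 WEBAUTH_REQD (8)
Web-auth timer started (constructed record)
"""

if __name__ == "__main__":
    print(webauth_timeout_command(10, 3600))
    print("timeout verified:", verify_webauth_timeout(SAMPLE_SHOW_WLAN, 3600))
    for ts, mac, ip, msg in find_webauth_timeouts(SAMPLE_DEBUG):
        print(f"{ts} {mac} {ip}: {msg}")
```

Feed a real debug client capture to find_webauth_timeouts to see which clients expired and when; if a VPN user still appears there after the change, check with verify_webauth_timeout against the show wlan output for that WLAN ID, since the timeout is set per WLAN.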