1、Session Timeout
Session Timer的默认值为1800s,也就是30min。Session Timeout:当该计时器超时时,使得客户端强制发生重认证,这个时间是从客户端认证成功后开始计算,进入倒计时。配置Session Timeout我们可以调整Session Timeout时间,以确认客户端在重认证之前所维持的时间。时间范围:对于802.1x:300-86400s对于其他安全类型:0-65535s注意:在Open System下,如果配置Session Timeout为0,就代表关闭了Session Timer;而对于Other System types,最大值为86400s注意:当修改802.1x的Session Timeout值时,关联的客户端的PMK缓存不会改变来反映新的Session Timeout值。GUI下的配置:
| Step 1 | Choose WLANs to open the WLANs page. |
| Step 2 | Click the ID number of the WLAN for which you want to assign a session timeout. |
| Step 3 | When the WLANs > Edit page appears, choose the Advanced tab. The WLANs > Edit (Advanced) page appears. |
| Step 4 | Select the Enable Session Timeout check box to configure a session timeout for this WLAN. Not selecting the checkbox is equal to setting it to 0, which is the maximum value for a session timeout for each session type.<<<不选中该复选框等于将其设置为0,这是每种会话类型的会话超时的最大值。 |
| Step 5 | Click Apply to commit your changes. |
| Step 6 | Click Save Configuration to save your changes. |
CLI下的配置
| Step 1 | Configure a session timeout for wireless clients on a WLAN by entering this command: config wlan session-timeout wlan_id timeout The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management and 0 seconds for all other Layer 2 security types (Open WLAN/CKIP/Static WEP). A value of 0 is equivalent to no timeout. |
| Step 2 | Save your changes by entering this command: save config |
| Step 3 | See the current session timeout value for a WLAN by entering this command: show wlan wlan_id Information similar to the following appears: WLAN Identifier.................................. 9Profile Name..................................... test12Network Name (SSID)........................... test12 ... Number of Active Clients......................... 0Exclusionlist Timeout............................ 60 secondsSession Timeout............................... 1800 seconds ... |
故障示例:客户端由于Session timeout解除协商
命令:debug client <mac addr>
Logs to parse
apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1e:8c:0f:a4:57 on AP 00:26:cb:94:44:c0 from Associated to DisassociatedScheduling deletion of Mobile Station: (callerId: 45) in 10 secondsapfMsExpireCallback (apf_ms.c:608) Expiring Mobile!Sent Deauthenticate to mobile on BSSID 00:26:cb:94:44:c0 slot 0(caller apf_ms.c:5094)
解决方法:
增加session timeout值,WLC GUI>>WLAN>>ID>>Advanced
2、Idle Timeout
Idle Timer的默认值为300s,也就是5min.
Idle Timeout:Idle计时器超时时,客户端会从WLC上被移除掉(如果一个用户的设备关机了,或者是笔记本等设备进入睡眠状态,进入空闲状态,无法和AP之前进行沟通,进行信息传递,那么该计时器就开始倒计时)。当计时器超时后,下次客户端协商就需要完成完整的认证过程。
我们可以针对单个WLAN去进行配置,还可以配置阈值触发超时,如果客户端在指定的Idle Timeout时间内没有发送阈值数据值,则认为客户端处于非活动状态且已取消身份验证。如果客户端发送的数据超过用户Idle Timeout内指定的阈值配额,则认为客户端处于活动状态,控制器刷新另一个超时时间。如果阈值配额在超时期限内耗尽,则刷新超时时间。假设用户Idle Timeout指定为120秒,用户空闲阈值指定为10MB。在120秒的时间段之后,如果客户端没有发送10MB的数据,则认为客户端处于非活动状态并且未经身份验证。如果客户端在120秒发送了10MB,则会刷新超时时间。配置Idle Timeout
故障示例:客户端由于Idle Timeout解除协商
命令:debug client <mac addr>
Received Idle-Timeout from AP 00:26:cb:94:44:c0, slot 0 for STA 00:1e:8c:0f:a4:57
apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 4, reasonCode 4
Scheduling deletion of Mobile Station: (callerId: 30) in 1 seconds
apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
Sent Deauthenticate to mobile on BSSID 00:26:cb:94:44:c0 slot 0(caller apf_ms.c:5094)
解决方法:
增加Idle Timeout的值:“WLC GUI>>Controller>>General” 或针对单独WLAN “WLC GUI>>WLAN>>ID>>Advanced”
参考:
如下两个链接是配置说明文档及非常有用的故障典型示例:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0100111.html
https://www.cisco.com/c/en/us/support/docs/wireless/5508-wireless-controller/200072-Cheat-Sheet-Common-Wireless-issues.html#anc8