Tuesday, July 9, 2013

5760 Session Timeout: To Infinity and beyond!

If you're familiar with the advanced tab while configuring a WLAN  on a Cisco (Airespace) WLC, you've probably seen the Session Timeout checkbox and corresponding timer value.
This timer is used to setup how long a wireless user can remain connected before reauthentication is required.
While deploying a 5760 to match an existing 4400 controller, I attempted to disable the session timeout, but to no avail.  Let's look at my simple WLAN I have configured:



Boise3850-IDF#show run wlan
wlan JakeTestWlan 1 JakeTestWlan
 client vlan 12
 security dot1x authentication-list Cisco
 shutdown

No sign of the session timeout in here right?  WRONG!  Let's check the show wlan:
Boise3850-IDF#show wlan all

Number of WLANs: 1

WLAN Profile Name     : JakeTestWlan
================================================
Identifier                                     : 1
Network Name (SSID)                            : JakeTestWlan
Status                                         : Disabled
Broadcast SSID                                 : Enabled
Maximum number of Associated Clients           : 0
AAA Policy Override                            : Disabled
Network Admission Control
  NAC-State                                    : Disabled
Number of Active Clients                       : 0
Exclusionlist Timeout                          : 60
Session Timeout                                : 1800 seconds
...


Well crap.  1800 seconds.  Let's configure a session timeout of 0. Piece of cake right?

Boise3850-IDF(config-wlan)#session-timeout ?
  <300-86400>  The duration of session in seconds

Hmm, serious? Ok, time for the no session-timeout. Just use the "no session-timeout" command. easy stuff. Oh wait? No change? really?

But! But, my other WLAN does it!


WLAN Profile Name     : JakeTestPSK
================================================
Identifier                                     : 2
Network Name (SSID)                            : JakeTestPSK
Status                                         : Disabled
Broadcast SSID                                 : Enabled
Maximum number of Associated Clients           : 0
AAA Policy Override                            : Disabled
Network Admission Control
  NAC-State                                    : Disabled
Number of Active Clients                       : 0
Exclusionlist Timeout                          : 60
Session Timeout                                : Infinity

Ah, so a quick glance at the 5760 config guide says the following about the session timeout:

The range and default values vary according to the security configuration. If WLAN security is configured for dot1x, the range is 300 to 86400 and the default is 1800 seconds. For all other WLAN security configurations, the range is 1 to 65535 and the default value is 0. A value of 0 indicates no session timeout.

I'm not sure if there is a place in the Airespace controller to configure this, maybe it's a Dot1X timer, but I didn't find it in the trusty "EAP Timers on Wireless Lan Controllers" doc