topic Re: Agentless USER-ID timeout in General Topics

Agentless USER-ID timeout

MichaelSeddon — Wed, 22 May 2024 05:46:51 GMT

Hello,

We have USER-ID setup to get our wifi logs and that is working well for most of our devices however we have an issue where the iPads will initally get a connection but then after timeout period set in User Identification Timeout they remain connected without a username and therefore will have no access. The ipads never drop wifi even when asleep for days at a time so it doesnt trigger another log and I havent been able to get the ipad to drop the wifi connection while asleep.

I see there is an option in User-ID to turn off User identification timeout however I feel like that might cause more issues.

Any help will be appreciated.

Re: Agentless USER-ID timeout

donald795 — Thu, 23 May 2024 04:08:07 GMT

Hello,

We have USER ID set up to get our WiFi logs, and it works well for My Indigo Card most devices. However iPads connect initially but lose access after the User Identification Timeout period because they stay connected without re-authenticating. The iPads don't drop WiFi even when asleep, so they don't trigger a new log.

Re: Agentless USER-ID timeout

Brandon_Wertz — Wed, 22 May 2024 13:05:52 GMT

@MichaelSeddon wrote:

...but then after timeout period set in User Identification Timeout they remain connected without a username and therefore will have no access...

After the user-id timeout, they stay connected? Connected to what? The WiFi network or the known user for the device stays in the firewall?

After the user-id timeout the ip to user-id mapping should be removed from the firewall. Depending on the hardware platform there's a MP and DP. So check there.

if you're reporting that the user-id timeout is being reached, but expecting the iPad to be disconnected from the WiFi network, that will not happen. The firewall user-id timeout will have no bearing on being removed from the WiFi network.

Re: Agentless USER-ID timeout

BPry — Wed, 22 May 2024 21:47:49 GMT

You could probably resolve this by getting the WiFi to deauth the existing session so that the iPad has to go through an entire authentication again and map properly. Might also look to see if your wireless has the ability to setup a session-timeout to force it to reauthenticate again. Cisco as an example you could set this up on the wireless profile policy.

Re: Agentless USER-ID timeout

TomYoung — Wed, 22 May 2024 22:28:32 GMT

What @BPry is suggesting is a good approach. You can configure a session timeout on the SSID or a re-authentication timeout on the RADIUS server, e.g. Cisco ISE. This will force the client to re-authenticate. These timers and your User-ID cache timeout should be similar.

Re: Agentless USER-ID timeout

MichaelSeddon — Thu, 23 May 2024 04:45:49 GMT

Hi Guys,

Thanks for the suggestions, I have figured out the issue however not sure how to fix it.

So when an ip address is renewed when the dhcp lease runs out there is no logs for this on my access point so the user-id never gets notified.

This has only really been an issue for our ipads as they always stay connected.

Anyone else had an issue similar to this?