Agentless USER-ID timeout


L0 Member

Hello,

 

We have USER-ID set up to get our WiFi logs, and that is working well for most of our devices; however, we have an issue where the iPads will initially get a connection but then, after the timeout period set in User Identification Timeout, they remain connected without a username and therefore will have no access. The iPads never drop WiFi even when asleep for days at a time, so it doesn't trigger another log, and I haven't been able to get the iPad to drop the WiFi connection while asleep.

 

I see there is an option in User-ID to turn off User Identification Timeout; however, I feel like that might cause more issues.

 

Any help will be appreciated.

 

 

5 REPLIES 5

L0 Member

Hello,

We have USER ID set up to get our WiFi logs, and it works well for most devices. However, iPads connect initially but lose access after the User Identification Timeout period because they stay connected without re-authenticating. The iPads don't drop WiFi even when asleep, so they don't trigger a new log.

L6 Presenter

@MichaelSeddon wrote:

 

...but then after timeout period set in User Identification Timeout they remain connected without a username and therefore will have no access...

 


After the user-id timeout, they stay connected?  Connected to what?  The WiFi network or the known user for the device stays in the firewall?

 

After the user-id timeout, the IP to user-id mapping should be removed from the firewall.  Depending on the hardware platform, there's an MP and a DP.  So check there.

 

If you're reporting that the user-id timeout is being reached, but expecting the iPad to be disconnected from the WiFi network, that will not happen.  The firewall user-id timeout will have no bearing on being removed from the WiFi network.

Cyber Elite

You could probably resolve this by getting the WiFi to deauth the existing session so that the iPad has to go through an entire authentication again and map properly. You might also look to see if your wireless has the ability to set up a session-timeout to force it to reauthenticate again. With Cisco, as an example, you could set this up on the wireless profile policy.

Cyber Elite

What @BPry is suggesting is a good approach.  You can configure a session timeout on the SSID or a re-authentication timeout on the RADIUS server, e.g. Cisco ISE.  This will force the client to re-authenticate.  These timers and your User-ID cache timeout should be similar.

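The timer relationship discussed in the replies above, as an added example that is not part of any post: a small Python model of when an always-connected client is on the WiFi but has no IP-to-user mapping on the firewall. The function names and all timer values are constructed, and the model assumes each authentication log the firewall receives refreshes the mapping for the full User-ID timeout.

```python
# Added example (not from the thread). Times are in minutes; all values are
# constructed. Assumption: the firewall only learns about the client from
# WLAN authentication logs, and each log restarts the User-ID timeout.

def reauth_times(session_timeout, horizon):
    """Minutes at which the WLAN logs an authentication for a client that
    never disconnects. session_timeout=None means no forced re-auth."""
    if session_timeout is None:
        return [0]  # only the initial association is ever logged
    return list(range(0, horizon, session_timeout))


def unmapped_windows(auth_times, userid_timeout, horizon):
    """Return [(start, end)] ranges in which the client is still on WiFi but
    the firewall holds no mapping for its IP, so no user-based rule matches."""
    gaps = []
    covered_until = 0
    for t in sorted(auth_times):
        if t > covered_until:
            # Mapping expired before the next authentication log arrived.
            gaps.append((covered_until, t))
        covered_until = max(covered_until, t + userid_timeout)
    if covered_until < horizon:
        gaps.append((covered_until, horizon))
    return gaps


if __name__ == "__main__":
    HORIZON = 240          # observe four hours
    USERID_TIMEOUT = 45    # firewall User Identification Timeout
    for session_timeout in (None, 60, 30):
        auths = reauth_times(session_timeout, HORIZON)
        gaps = unmapped_windows(auths, USERID_TIMEOUT, HORIZON)
        print(f"session-timeout={session_timeout}: unmapped {gaps}")
```

With no session timeout the client is unmapped from minute 45 onward; a session timeout longer than the User-ID timeout leaves a recurring gap; a session timeout no longer than the User-ID timeout leaves none.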

L0 Member

Hi Guys,

 

Thanks for the suggestions. I have figured out the issue; however, I'm not sure how to fix it.

 

So when an IP address is renewed when the DHCP lease runs out, there are no logs for this on my access point, so the User-ID never gets notified.

 

This has only really been an issue for our iPads as they always stay connected.

 

Anyone else had an issue similar to this?
