Frequent Contributor I

Captive portal frequent disconnects

I have a pair of 3400-US controllers running 6.4.2.5 code.  We recently deployed a captive portal SSID to replace our guest wireless network that only had a PSK.  The captive portal network is almost unusable at this point, as it disconnects users frequently while sitting idle at their desks or if they roam.  I can log in and pull an IP address, browse the web, and so on.  At another site that is also broadcasting this same captive portal network, there are no complaints.  They have newer 7205-US controllers running 6.4.3.5 code.

 

As soon as I set the phone down for ~5-10 minutes or walk to another side of the building, I have to do one of the following:

 

  1. Re-enter my email address (re-sign in requested to get past the captive portal)
  2. Connect to another SSID, then back to the captive portal

 

I've adjusted various settings to see if we can improve this (perhaps even just once every 4 hours would be fine).  I've also run debugs trying to see if there are any reasons why the user is disconnected.  So far, we've had little luck changing this problem.  My two suspicions are we are either hitting a bug in 6.4.2.5 code, or our controllers cannot handle the captive portal configuration correctly.


Is there anything we can do to test/debug this further before attempting an upgrade to 6.4.3.5 code?

Wireless newb
Guru Elite

Re: Captive portal frequent disconnects

Which timers did you change?  By default 5 minutes of inactivity would mean you would need to re-login.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: Captive portal frequent disconnects

Under the 802.1x profile associated with this SSID, we adjusted the following variables (advised by ArubaTAC):

   timer reauth-period 3600
   timer wpa-key-period 3000
   timer wpa2-key-delay 120
   reauthentication
   no opp-key-caching
   validate-pmkid

Under the Captive Portal Authentication configuration:

   user idle timeout 43200

Under the VAP SSID configuration:

   station ageout time 1000

Wireless newb
Guru Elite

Re: Captive portal frequent disconnects

If you are doing Captive Portal and NOT 802.1x, the following settings have no effect:

   timer reauth-period 3600
   timer wpa-key-period 3000
   timer wpa2-key-delay 120
   reauthentication
   no opp-key-caching
   validate-pmkid

When you say disconnected, you mean someone forced to re-login?  If yes, this is the setting you want:

Under the Captive Portal Authentication configuration:
   user idle timeout 43200

Have you made those changes and you still have problems?

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Captive portal frequent disconnects

We are using captive portal with a pre-shared key.  Once the user authenticates with that, they are taken to the captive portal page to enter an email address, and then they are able to browse normally.

 

Yes, we have adjusted the user idle timeout variable to 43200 (the max).  

The issue changes slightly depending on behavior of the device.  If I log my phone in for example, set it down, it will prompt me to re-sign in again within 5-10 minutes.  If I roam, all the while refreshing a page, I eventually will get a prompt saying I am not connected to the internet anymore.  Once I notice this, looking at my wireless settings I may or may not be still connected to the SSID.  Sometimes I am fully disconnected, others I am still connected but suddenly am trying to pull an ip address -- it is during this roaming scenario that I have to connect to a different SSID, then back to the captive portal SSID in order for it to prompt me to re-sign in.

Wireless newb
Guru Elite

Re: Captive portal frequent disconnects

What is the lease time of the user subnet?  One thing to consider when extending the idle timeout is that your lease time needs to exceed the idle timeout.  If it does not, your users will stay in the user table with one IP address, but re-DHCP possibly with a different IP address and will be forced to re-login, because the MAC/IP address pair does not match what is in the user table.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Captive portal frequent disconnects

I'm unsure what the lease timer is, but I'd bet it is 86400.  It does not appear that the controller handles DHCP for this network, and I'm not sure what setting to look at to confirm where it relays DHCP broadcasts.  Since we use PSK for this network, it likely doesn't need to contact our RADIUS server.

 

Would the logon user lifetime variable be something to tweak? It is set at 5 minutes.

Wireless newb
Guru Elite

Re: Captive portal frequent disconnects

The logon user lifetime is not something to tweak.  You need to look at any client and do an ipconfig /all to find out what the exact lease time is to rule that out as an issue:

 

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physical Address. . . . . . . . . : 24-30-99-12-4A-5F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d040:4d10:e4d9:a242%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.174(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, April 10, 2016 9:05:38 PM
   Lease Expires . . . . . . . . . . : Friday, April 15, 2016 3:05:33 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 258244761
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-3F-A4-14-BC-3F-DB-44-AE-D4


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Captive portal frequent disconnects

   Lease Obtained. . . . . . . . . . : Thursday, April 14, 2016 2:04:36 PM
   Lease Expires . . . . . . . . . . : Friday, April 22, 2016 2:04:36 PM

Looks like it is for 8 days.  I traced the VLAN the users are put on, found the gateway on a firewall, and there's a DHCP relay configuration set up pointing to another network's host.  Since our lease time is far greater than the user idle timeout, does that mean there must be something else going on here causing the disconnects?

Wireless newb
Guru Elite

Re: Captive portal frequent disconnects

There could be.  Another issue is, do you have enough leases, since a lease is 8 days?  How big is that subnet and how many users?

 



Colin Joseph
Aruba Customer Engineering
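
The two DHCP checks raised in the replies above (the lease must outlast the captive portal idle timeout, and the pool must be large enough for long leases), as an added example that is not part of the original thread. It parses a constructed sample in the `ipconfig /all` layout; `review` and `distinct_clients_per_lease` are hypothetical names, and the client count is a figure you supply yourself.

```python
import re
from datetime import datetime
from ipaddress import IPv4Network

# Constructed sample in the `ipconfig /all` layout quoted in the thread.
SAMPLE = """\
   IPv4 Address. . . . . . . . . . . : 192.168.1.174(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, April 14, 2016 2:04:36 PM
   Lease Expires . . . . . . . . . . : Friday, April 22, 2016 2:04:36 PM
"""

FIELD = re.compile(r"^\s*(.+?)[ .]*:\s(.*)$")   # "Label . . . : value"
STAMP = "%A, %B %d, %Y %I:%M:%S %p"             # US-English ipconfig date format

def parse_fields(text):
    """Map ipconfig labels (e.g. 'Lease Obtained') to their values."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def lease_seconds(fields):
    obtained = datetime.strptime(fields["Lease Obtained"], STAMP)
    expires = datetime.strptime(fields["Lease Expires"], STAMP)
    return int((expires - obtained).total_seconds())

def usable_addresses(fields):
    """Upper bound on the pool: hosts in the subnet, before any exclusions."""
    ip = fields["IPv4 Address"].split("(")[0]
    net = IPv4Network(f"{ip}/{fields['Subnet Mask']}", strict=False)
    return net.num_addresses - 2  # minus network and broadcast addresses

def review(text, idle_timeout_s, distinct_clients_per_lease):
    """distinct_clients_per_lease: devices seen within one lease period (assumed input)."""
    fields = parse_fields(text)
    lease, pool = lease_seconds(fields), usable_addresses(fields)
    findings = []
    if lease <= idle_timeout_s:
        findings.append("lease does not exceed idle timeout: a client can "
                        "re-DHCP to a new IP and be forced to re-login")
    if distinct_clients_per_lease > pool:
        findings.append("more clients per lease period than addresses: "
                        "pool can exhaust")
    return lease, pool, findings

if __name__ == "__main__":
    print(review(SAMPLE, idle_timeout_s=43200, distinct_clients_per_lease=600))
```
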
