Controllerless Networks


Instant 6.5 Captive Portal Session Timeout

  • 1.  Instant 6.5 Captive Portal Session Timeout

    Posted Jun 19, 2018 06:19 PM

    Hospitality guests on an IAP 6.5 network are being asked to re-authenticate through the captive portal after getting out of the shower even though inactivity timeout is set to 21600:

     

    wlan ssid-profile {hospitalityPropertyName}
    enable
    index 1
    type guest
    essid {hospitalityPropertyName}_Wifi
    opmode opensystem
    max-authentication-failures 0
    vlan 172
    auth-server InternalServer
    rf-band all
    captive-portal internal
    dtim-period 1
    inactivity-timeout 21600
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan captive-portal
    background-color 6176415
    banner-color 16777215
    redirect-url "https://www.{hospitalityPropertyName}.com/"
    banner-text "{hospitalityPropertyName} Guest Wifi"
    terms-of-use "Please read terms and conditions before using Guest Network"
    use-policy "=================="
    authenticated

     

    Everything works except for guests being asked to re-authenticate in considerably less than 6 hours (21,600 seconds).

     

    What did I miss?

     



  • 2.  RE: Instant 6.5 Captive Portal Session Timeout

    EMPLOYEE
    Posted Jun 19, 2018 06:45 PM

    What is your DHCP lease time? If the user is coming back with a different IP address due to lease expiry, the VC might see the user as a different client. Your inactivity timeout therefore should match your lease time so that users are not considered a different client when they come back with a different IP address/MAC address pair.



  • 3.  RE: Instant 6.5 Captive Portal Session Timeout

    Posted Jun 20, 2018 12:09 PM

    DHCP Lease Time is 24 hours. Odd thing is, adding:

     


     radius-reauth-interval 2880

    Seems to have fixed it. What puzzles me, though, is that I was under the impression this would only work if MAC Authentication was also enabled. From the Instant 6.5.0.0-4.3.0.0 User Guide (Page 93):

     

    "When Reauth interval is configured on an SSID performing only L3
    authentication (captive portal authentication)—When reauthentication
    succeeds, a pre-authentication role is assigned to the client that is in a
    post-authentication role. Due to this, the clients are required to go
    through captive portal to regain access."

     

    And the same (Page 92):

     

    "When Reauth interval is configured on an SSID performing both L2 and
    L3 authentication (MAC with captive portal authentication)—When
    reauthentication succeeds, the client retains the role that is already
    assigned. If reauthentication fails, a pre-authentication role is assigned
    to the client."

     

    Any ideas?

     



  • 4.  RE: Instant 6.5 Captive Portal Session Timeout

    EMPLOYEE
    Posted Jun 20, 2018 12:20 PM

    By default there is no reauthentication interval.  If you have one specified, that could be your issue.

     

    EDIT: To be clear, a reauthentication interval means that the user will be forced to reauthenticate after the time period has elapsed, regardless of whether they are currently connected or not.



  • 5.  RE: Instant 6.5 Captive Portal Session Timeout

    Posted Jun 20, 2018 12:28 PM

    Just to be clear, when no reauth interval was specified we were having the problem. Specifying a reauth interval is what seems to have cleared the problem.

     

    I'm just having trouble understanding how, based on what the User Guide says, it could have without also doing MAC Authentication.

     



  • 6.  RE: Instant 6.5 Captive Portal Session Timeout

    EMPLOYEE
    Posted Jun 20, 2018 12:35 PM

    In your partial configuration I do not see MAC authentication. If you are, the username field would be a MAC address in the user table.

    What role is MAC authentication playing in this setup? Are you just allowing users to "click" to agree?



  • 7.  RE: Instant 6.5 Captive Portal Session Timeout

    Posted Jun 20, 2018 03:22 PM

    That's the thing. MAC Authentication is NOT set up. It's not playing ANY role that I know of. Here is the complete {sanitized} configuration:

     

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.06.20 08:35:56 =~=~=~=~=~=~=~=~=~=~=~=
    sho run
    version 6.5.4.0-6.5.4
    virtual-controller-country US
    virtual-controller-key 985baa4b011e18df092552c6af3b0e8a86633190c8303b94b6
    name {sanitizedHospitalityPropertyInitials}_Wireless
    virtual-controller-ip {sanitizedIPAddress}
    terminal-access
    ntp-server pool.ntp.org
    clock timezone none 00 00
    rf-band all

    allow-new-aps
    allowed-ap {sanitizedAP01MAC}
    allowed-ap {sanitizedAP02MAC}
    allowed-ap {sanitizedAP03MAC}
    allowed-ap {sanitizedAP04MAC}
    allowed-ap {sanitizedAP05MAC}
    allowed-ap {sanitizedAP06MAC}
    allowed-ap {sanitizedAP07MAC}
    allowed-ap {sanitizedAP08MAC}
    allowed-ap {sanitizedAP09MAC}
    allowed-ap {sanitizedAP10MAC}
    allowed-ap {sanitizedAP11MAC}
    allowed-ap {sanitizedAP12MAC}
    allowed-ap {sanitizedAP13MAC}
    allowed-ap {sanitizedAP14MAC}
    allowed-ap {sanitizedAP15MAC}
    allowed-ap {sanitizedAP16MAC}
    allowed-ap {sanitizedAP17MAC}
    allowed-ap {sanitizedAP18MAC}
    allowed-ap {sanitizedAP19MAC}
    allowed-ap {sanitizedAP20MAC}
    allowed-ap {sanitizedAP21MAC}
    allowed-ap {sanitizedAP22MAC}
    allowed-ap {sanitizedAP23MAC}
    allowed-ap {sanitizedAP24MAC}
    allowed-ap {sanitizedAP25MAC}
    allowed-ap {sanitizedAP26MAC}
    allowed-ap {sanitizedAP27MAC}
    allowed-ap {sanitizedAP28MAC}
    allowed-ap {sanitizedAP29MAC}
    allowed-ap {sanitizedAP30MAC}
    allowed-ap {sanitizedAP31MAC}
    allowed-ap {sanitizedAP32MAC}
    allowed-ap {sanitizedAP33MAC}
    allowed-ap {sanitizedAP34MAC}
    allowed-ap {sanitizedAP35MAC}
    allowed-ap {sanitizedAP36MAC}
    allowed-ap {sanitizedAP37MAC}
    allowed-ap {sanitizedAP38MAC}
    allowed-ap {sanitizedAP39MAC}
    allowed-ap {sanitizedAP40MAC}
    allowed-ap {sanitizedAP41MAC}
    allowed-ap {sanitizedAP42MAC}
    allowed-ap {sanitizedAP43MAC}
    allowed-ap {sanitizedAP44MAC}
    allowed-ap {sanitizedAP45MAC}

     

    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 18
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode default-access
    client-aware
    scanning


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless


    extended-ssid

     

     

    user Guest {sanitizedHash} portal
    user {sanitizedHospitalityPropertyEntertainmentVenue} {sanitizedHash} portal

    user {sanitizedHospitalityPropertyInitials}staff {sanitizedHash} radius

     

    hash-mgmt-password
    hash-mgmt-user admin password hash {sanitizedHash}

     

    wlan access-rule TEST
    index 0
    rule any any match any any any permit

    wlan access-rule default_wired_port_profile
    index 1
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 2
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule {sanitizedHospitalityProperty}
    index 3
    rule any any match any any any permit

    wlan access-rule "{sanitizedHospitalityPropertyBallroom}"
    index 4
    rule any any match any any any permit

    wlan access-rule {sanitizedHospitalityPropertyInitials}staff
    index 5
    rule any any match any any any permit

    wlan access-rule {sanitizedHospitalityPropertyEntertainmentVenue}
    index 6
    rule any any match any any any permit

    wlan ssid-profile TEST
    enable
    index 0
    type guest
    essid TEST
    wpa-passphrase {sanitizedHash}
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan 172
    rf-band all
    captive-portal internal
    hide-ssid
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile NapaRiverInn
    enable
    index 1
    type guest
    essid {sanitizedHospitalityProperty}_Wifi
    opmode opensystem
    max-authentication-failures 0
    vlan 172
    auth-server InternalServer
    rf-band all
    captive-portal internal
    dtim-period 1
    inactivity-timeout 14400
    broadcast-filter arp
    radius-reauth-interval 2880
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile "{sanitizedHospitalityPropertyBallroom}"
    enable
    index 2
    type guest
    essid "{sanitizedHospitalityPropertyBallroom}_Wifi"
    opmode opensystem
    max-authentication-failures 0
    vlan 172
    auth-server InternalServer
    rf-band all
    captive-portal internal
    hide-ssid
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile {sanitizedHospitalityPropertyInitials}staff
    enable
    index 3
    type employee
    essid {sanitizedHospitalityPropertyInitials}staff
    opmode wpa2-aes
    max-authentication-failures 10
    vlan 100
    auth-server InternalServer
    rf-band all
    captive-portal disable
    l2-auth-failthrough
    hide-ssid
    dtim-period 1
    broadcast-filter arp
    enforce-dhcp
    radius-reauth-interval 2880
    blacklist
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile {sanitizedHospitalityPropertyEntertainmentVenue}
    enable
    index 4
    zone {sanitizedHospitalityPropertyEntertainmentVenue}
    type guest
    essid {sanitizedHospitalityPropertyEntertainmentVenue}
    opmode opensystem
    max-authentication-failures 0
    vlan 172
    auth-server InternalServer
    rf-band all
    captive-portal internal
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24

     

    wlan captive-portal
    background-color 6176415
    banner-color 16777215
    redirect-url "https://www.{sanitizedHospitalityProperty}.com/"
    banner-text "{sanitizedHospitalityProperty} Guest Wifi"
    terms-of-use "Please read terms and conditions before using Guest Network"
    use-policy "=================="
    authenticated

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https


    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
    wireless-containment none
    infrastructure-detection-level low


    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180


    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay

    airgroupservice airprint
    disable
    description AirPrint

     

    firewall-external-enforcement pan
    ip {sanitizedIPAddress}
    user iap-admin {sanitizedHash}
    disable


    clarity
    inline-sta-stats
    inline-auth-stats
    inline-dhcp-stats
    inline-dns-stats

    cluster-security
    allow-low-assurance-devices


    HM-2 {sanitizedHospitalityPropertyBallroom} Back#



  • 8.  RE: Instant 6.5 Captive Portal Session Timeout

    EMPLOYEE
    Posted Jun 20, 2018 04:35 PM

    I would try unhiding the SSIDs to see if it solves your issue.  If a user connects to an SSID and does not force the client to remember the SSID, the client will not attempt to reattach after it goes to sleep.

     

    That is the only unusual thing to me.
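
Added example, not part of any post in this thread: a small Python check that parses pasted `show run` text into `wlan ssid-profile` stanzas and, for captive-portal SSIDs, reports the three settings the replies asked about (inactivity-timeout versus DHCP lease time, a configured radius-reauth-interval, and hide-ssid). It assumes blank-line-separated stanzas as in the paste above; the profile names in `SAMPLE` and the function names are hypothetical, and the reauth value is reported as-is because the thread does not state its unit.

```python
# Added example: summarize per-SSID session settings from pasted "show run" text.
# SAMPLE is constructed from stanzas quoted in this thread, with placeholder names.
SAMPLE = """\
wlan ssid-profile Guest_A
captive-portal internal
inactivity-timeout 14400
radius-reauth-interval 2880

wlan ssid-profile Guest_B
captive-portal internal
hide-ssid

wlan ssid-profile Staff
captive-portal disable
hide-ssid
"""

def parse_ssid_profiles(text):
    """Return {profile_name: {keyword: value-or-True}} for each ssid-profile stanza."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # also strips the non-breaking spaces forum pastes leave behind
        if line.startswith("wlan ssid-profile "):
            name = line[len("wlan ssid-profile "):].strip('"')
            current = profiles.setdefault(name, {})
        elif not line or line.startswith("wlan "):
            current = None  # a blank line or another wlan stanza ends the profile
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value or True  # bare keywords such as hide-ssid become True
    return profiles

def review(profiles, dhcp_lease_seconds):
    """List (profile, finding) pairs for SSIDs that use a captive portal."""
    findings = []
    for name, p in profiles.items():
        if p.get("captive-portal", "disable") == "disable":
            continue
        idle = p.get("inactivity-timeout")
        if idle is None:
            findings.append((name, "no inactivity-timeout set"))
        elif int(idle) != dhcp_lease_seconds:
            findings.append((name, f"inactivity-timeout {idle}s != DHCP lease {dhcp_lease_seconds}s"))
        if "radius-reauth-interval" in p:
            findings.append((name, f"radius-reauth-interval {p['radius-reauth-interval']} configured"))
        if "hide-ssid" in p:
            findings.append((name, "hide-ssid set"))
    return findings
```

Calling `review(parse_ssid_profiles(text), 86400)` uses the 24-hour lease mentioned in reply 3.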