Occasional Contributor II

users not getting cleared by timeout



I have users in the user table that have been there for hours in an unauthenticated role. Is there a way to disassociate these stations after a certain period? I can't seem to find an appropriate value...


I have an 802.1x aaa profile configured with timeout values as follows:


Reauthentication Interval: 24 hrs (default)




show aaa timers:


User idle timeout = 900 second

auth server dead time = 10 minutes

logon user lifetime = 5 mins

user interim stats frequency = 600 seconds


Any ideas?




Contributor I

Re: users not getting cleared by timeout

Hi. After the user idle timeout expires, the controller attempts to contact the client with either an ARP or a ping. If it gets a response, it maintains the entry in the user table, regardless of the role. Is it possible that the client is still reachable? Hope this helps. - Jay

Occasional Contributor II

Re: users not getting cleared by timeout

Say a user's mobile phone connects to an open SSID whilst in their pocket, and they never go through the captive portal login. I assume they would remain in the association table for as long as they're near the AP, right?

Contributor I

Re: users not getting cleared by timeout

Unfortunately, that's correct. It's particularly problematic if you're using a security schema which grants an IP address before auth (such as captive portal). In that case, it is possible that your DHCP pool will be exhausted by 'accidental' associations. Some relief can be found by hiding the SSID, which will prevent accidental associations by some devices, but it won't prevent all. Hope this helps! - Jay