Tuesday, June 18, 2013

Wireless Timeout Settings

It's been over a year since my last blog post...  Not good.

I'm back again, however, listing some of the timeout settings that can cause issues on WLANs.  There are five infrastructure timeout values that may affect users who connect to a WLAN, depending on how and where they are connecting.  These are:


1.       ARP Timeout
Controls how long the WLC retains the ARP entries it learns for client devices before deleting them.  Increasing this timeout means the controller carries stale entries for longer, which increases CPU load and distorts statistics for the number of simultaneous users.  The default value is 300 seconds (5 minutes).  The setting applies to all WLANs on the WLC.  Configured at Controller > General > ARP Timeout.

2.      Session Timeout
This is the maximum lifetime of a client session with the WLC.  When it expires, the WLC de-authenticates the client, and the client goes through the whole authentication process again; on 802.1x WLANs that re-authentication also produces fresh encryption keys, so the timer doubles as a security precaution to rotate keys.  Setting it too short causes needless re-authentications (and RADIUS load) for active users; setting it very long gives a compromised session or key a longer useful life.  Default is 1800 seconds (30 minutes).  The setting is specified per WLAN.  Configure at WLANs > WLAN ID > Advanced > Enable Session Timeout.  On 802.1x WLANs a Session-Timeout attribute returned by the RADIUS server can override the WLAN value.

3.      User Idle Timeout
When a client is idle, with no communication to its LAP for this amount of time, the WLC de-authenticates it and the client has to re-authenticate and re-associate.  It handles clients that drop off their associated LAP without notifying it, for example when the client's battery goes dead or the client moves out of range.  Increasing the user idle timeout means the WLC holds idle entries longer, which utilizes more RAM and makes the WLC client database less accurate; decreasing it can knock off legitimately quiet clients, such as devices sitting in power save.  Default is 300 seconds (5 minutes).  The setting applies globally to the WLC.  Configured at Controller > General > User Idle Timeout.

4.      Broadcast Key Interval
When a client joins the WLAN, it receives the group (broadcast) key.  If 802.1x authentication is in place, this key encrypts the broadcast/multicast traffic sent to clients, and it is shared by every client on the BSS; the interval sets how often the WLC rotates it.  Increasing the interval has a slightly detrimental effect on WLAN security: a client that has left the network, or an attacker who has obtained the key, can decrypt (and inject) group traffic until the next rotation, so a longer interval exposes a larger data set.  Default is 3600 seconds (1 hour).  This setting applies to all WLANs on the WLC.  Configured via CLI: config advanced eap bcast-key-interval x, where x is a value between 120 and 86400 seconds.

5.      DHCP Lease Time
The DHCP lease specifies how long a client may use a dynamically assigned IP address.  Increasing the value can cause DHCP scope depletion: addresses stay leased to clients that are no longer on the network until their leases expire, and new clients cannot obtain an address.  Shortening it reduces that exposure at the cost of more renewal traffic and DHCP server load.  Short leases suit high-churn scopes such as guest WLANs; long leases suit stable corporate scopes.  Default on Cisco routers/switches (the IOS DHCP server) is 1 day.  This applies to all clients in the scope.
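As an added example, not from the original post, here are the CLI equivalents of the five settings above, set to the defaults the post lists, together with the show commands that verify them.  The first part is Cisco WLC (AireOS) CLI, the second is a Cisco IOS DHCP pool.  WLAN ID 1, the pool name WLAN-USERS and the 10.10.20.0/24 range are assumed placeholders, and the lines beginning with ! are annotations rather than commands to type.

```cisco
! --- Cisco WLC (AireOS) CLI: the four controller-side timers ---
! 1. ARP timeout, global, in seconds (default 300)
config network arptimeout 300

! 2. Session timeout, per WLAN, in seconds (default 1800).
!    WLAN ID 1 is an assumed placeholder.  If the controller rejects the
!    change because the WLAN is enabled, "config wlan disable 1" first,
!    bearing in mind that this drops every client on that WLAN.
config wlan session-timeout 1 1800

! 3. User idle timeout, global, in seconds (default 300)
config network usertimeout 300

! 4. Broadcast (group) key rotation interval, global, in seconds
!    (default 3600, accepted range 120-86400)
config advanced eap bcast-key-interval 3600

save config

! Verify: ARP Timeout and User Idle Timeout appear in the network summary,
! Session Timeout in the per-WLAN output, the key interval under EAP settings.
show network summary
show wlan 1
show advanced eap

! --- Cisco IOS DHCP server: lease time for the wireless scope ---
! 5. Lease is per pool: "lease <days> [<hours> [<minutes>]]", default 1 day.
!    Pool name and subnet are assumed placeholders; "lease 0 8" = 8 hours,
!    a common choice for a guest or other high-churn scope.
ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp pool WLAN-USERS
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
 lease 0 8
!
! Verify: leased vs. total addresses in the pool, and the active bindings.
show ip dhcp pool WLAN-USERS
show ip dhcp binding
```

The two show commands at the end are the quickest way to spot scope depletion: when the leased count in show ip dhcp pool approaches the total while show ip dhcp binding lists many addresses held by clients that are no longer on the WLAN, the lease is longer than the client churn justifies.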

In addition, other timeouts need to be considered:

6.      Device Timeout
Every WLAN client device has its own settings that determine when and how it disassociates from a WLAN or disables its wireless NIC.  This is normally done to conserve battery power and/or improve device security.  These defaults are device-dependent, so the same infrastructure settings can produce different behaviour across client types.

7.      Other Timeouts
There are many other timeout values that can affect the wireless user experience.  Among these are VPN timers, RADIUS timeout values (when utilizing 802.1x), and various client application settings (browser timeouts, sleep settings, power settings, etc.).  Determining the exact cause of a timeout for a specific group of users may require consideration of these values.
