
Topic: WiNG5 Captive portal with 24h timeout

Offline Jakub

WiNG5 Captive portal with 24h timeout
« on: October 14, 2013, 03:54:09 AM »
Hi there
In WiNG4 we have a Guest WLAN with a hotspot which holds the session up to 24h .. so a user needs to log in the first day, and when he uses it he doesn't need to put in his credentials for the whole week. All is great in it. But now we need to move to WiNG5 and I am not able to achieve the same situation. Some devices are forced for credentials a couple of times per day, some not  >:(. Here is our config part:

wlan-qos-policy Guest
 classification low
 classification non-wmm low
 classification non-unicast low
 qos trust dscp
 qos trust wmm
!
aaa-policy Self
 authentication server 1 onboard controller
 authentication server 1 timeout 10
 accounting server 1 onboard controller
 accounting server 1 timeout 10
 mac-address-format pair-hyphen case upper attributes all
 authentication eap wireless-client timeout 10
!
dns-whitelist Guest
 permit 192.168.42.11 #2nd RFS
 permit 192.168.42.10 #1st RFS
 permit 192.168.42.5 #VRRP IP for RFSs
!
captive-portal Guest
 access-time 7200
 inactivity-timeout 86400
 server host 192.168.42.5
 server mode centralized
 simultaneous-users 10
 terms-agreement
 webpage-location advanced
 accounting radius
 use aaa-policy Self
 use dns-whitelist Guest
 webpage-auto-upload
!
wlan Guest
 description Guest Network
 ssid GUEST
 vlan 400 #Guest vlan
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 no client-client-communication
 wireless-client hold-time 86400
 wireless-client inactivity-timeout 86400
 wireless-client vlan-cache-ageout 18000
 accounting radius
 motorola-extensions move-command
 client-load-balancing probe-req-intvl 5ghz 600
 client-load-balancing probe-req-intvl 2.4ghz 600
 wireless-client count-per-radio 50
 use wlan-qos-policy Guest
 use aaa-policy Self
 use captive-portal Guest
 captive-portal-enforcement
 ip arp trust
 ip dhcp trust
!
radius-group User
 guest
 policy vlan 400
 policy ssid GUEST
!
radius-group Visitors
 guest
 policy vlan 400
 policy ssid GUEST
 rate-limit from-air 512
 rate-limit to-air 1024
 policy time start 06:00 end 21:00
!
radius-user-pool-policy Guest
 user user1 password 0 xxx group User guest expiry-time 23:59 expiry-date 12:31:2013 start-time 14:28 start-date 02:20:2013
 user user2 password 0 xxx group Visitors guest expiry-time 13:40 expiry-date 12:31:2013 start-time 13:40 start-date 09:09:2013
!
radius-server-policy Onboard
 use radius-user-pool-policy Guest
 no chase-referral
 nas 192.168.42.0/24 secret 0 xxx
 ldap-server dead-period 0
 use radius-group Visitors
 use radius-group User
 session-resumption lifetime 24 max-entries 1000
!

Captive portal and Radius are on Controllers, Guest DHCP is on Juniper SRX GW. Any advice will be really appreciated.  :P

P.S.: From debugging I am not able to catch anything more than DOT11-6-CLIENT_DISASSOCIATED: Client 'XX-XX-XX-XX-XX-XX' disassociated from wlan 'Guest' radio 'XX:R1': client initiated (reason code: 8) even if I turn on captive-portal and radius debug.

Reason Code 8 is leaving BSS, but the device is on the table next to the AP. In this case the device (iPhone) is connected and authenticated, and suddenly it says connected to Guest again and asks for credentials without reason (it was actively used and not in sleep mode).
« Last Edit: October 14, 2013, 04:25:23 AM by Jakub »


Offline quattro

Re: WiNG5 Captive portal with 24h timeout
« Reply #1 on: October 14, 2013, 04:31:32 AM »
Hi,
I would start from changing simultaneous-users allowed per MAC to 1, and create new vouchers for testing (do not use old ones). For each client (MAC address) use only one voucher.

Offline Jakub

Re: WiNG5 Captive portal with 24h timeout
« Reply #2 on: October 14, 2013, 04:53:22 AM »
Well, the whole time users use just one device per account even if there is a limit of 10, so it will not be this case. But I can do that.

Offline newdud

Re: WiNG5 Captive portal with 24h timeout
« Reply #3 on: October 14, 2013, 07:13:06 AM »
I had a similar issue to the original poster. We run WiNG 5.4.
Our users were having to re-authenticate every time their smart device went to sleep, which was very annoying to the users.

We managed to fix the issue by specifying 'wireless-client hold-time' on the SSID.

I would be interested to know what the final solution is.

Offline Jakub

Re: WiNG5 Captive portal with 24h timeout
« Reply #4 on: October 15, 2013, 03:05:51 AM »
 ;D
So, I did some testing and changes, and after a couple of weeks this looks most promising:

wlan Guest
 description Guest Network
 ssid GUEST
 vlan 400 #Guest vlan
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 no client-client-communication
 wireless-client hold-time 86400
 wireless-client inactivity-timeout 86400
 wireless-client vlan-cache-ageout 86400
 motorola-extensions move-command
 client-load-balancing probe-req-intvl 5ghz 600
 client-load-balancing probe-req-intvl 2.4ghz 600
 wireless-client count-per-radio 50
 use wlan-qos-policy Guest
 use aaa-policy Self
 use captive-portal Guest
 captive-portal-enforcement
 ip arp trust
 ip dhcp trust

I extended wireless-client vlan-cache-ageout to 24h and disabled radius accounting. Now we are testing it and we will see.
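
The timer change described in Reply #4, as an added example that is not part of the original posts or of any Motorola tooling: a small Python audit that parses a WiNG-style config and reports `wlan` timers below 24 h plus any remaining `accounting radius` line, the two things that differ between the first config and the Reply #4 one. The sample text is constructed from lines quoted in this thread; `parse_blocks`, `audit_wlan` and the `target` parameter are hypothetical names.

```python
import re

# Constructed sample: a subset of the 'wlan Guest' block from the first post.
SAMPLE = """\
wlan Guest
 ssid GUEST
 vlan 400 #Guest vlan
 wireless-client hold-time 86400
 wireless-client inactivity-timeout 86400
 wireless-client vlan-cache-ageout 18000
 accounting radius
 use captive-portal Guest
!
"""

# The three per-WLAN client timers that appear in the thread's configs (seconds).
TIMERS = ("hold-time", "inactivity-timeout", "vlan-cache-ageout")

def parse_blocks(text):
    """Split a config into {(type, name): [settings]}; a block ends at '!'."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop the poster's inline '#' notes
        if not line.strip():
            continue
        if line.strip() == "!":
            current = None
        elif not line.startswith(" "):        # unindented line opens a block
            parts = line.split()
            key = (parts[0], parts[1] if len(parts) > 1 else "")
            current = blocks.setdefault(key, [])
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit_wlan(text, target=86400):
    """Return (wlan, setting, value) for each difference from the Reply #4 config."""
    findings = []
    for (kind, name), lines in parse_blocks(text).items():
        if kind != "wlan":
            continue
        for ln in lines:
            m = re.fullmatch(r"wireless-client (\S+) (\d+)", ln)
            if m and m.group(1) in TIMERS and int(m.group(2)) < target:
                findings.append((name, m.group(1), int(m.group(2))))
        if "accounting radius" in lines:      # removed in the Reply #4 config
            findings.append((name, "accounting radius", None))
    return findings

if __name__ == "__main__":
    for finding in audit_wlan(SAMPLE):
        print(finding)
```

An empty result only means the block matches the Reply #4 values; it says nothing about firmware behaviour.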

Offline Harry

Re: WiNG5 Captive portal with 24h timeout
« Reply #5 on: November 27, 2013, 10:01:41 PM »
On the Motorola AP 6532 (WiNG 5.4):
You can set it up at Configuration > Services > Captive Portal > Client Settings > Client Access Time
Good luck..

Offline Jakub

Re: WiNG5 Captive portal with 24h timeout
« Reply #6 on: January 27, 2014, 10:00:39 AM »
Hi guys
Little update on this:
The issue was in all WiNG5 firmwares from the beginning. I did a couple of tests with Motorola and then they fixed it in WiNG 5.5.1.

If you try it on previous versions, then enable the SSID with captive portal on only one band (bgn or an). The issue was that when an MU switched from one band to another, it lost authentication and was asked for a new one.
Cheers