We are running inband 4.6.1 but have seen similar things and we have a case
open with Cisco.  It's related to the powersave modes of these small devices
and/or the various nuances of how these PDA devices operate and manage
connections...the devices disable the wireless card to save power if idle,
for example, so when they do that, CCA sees that as a log off, and when they
wake up, it makes them log in again.  Cisco said it's really a client side
issue, that is, the user shouldn't let the device go idle and disable the
wifi in the process, so it's also a user behavior issue too.  We are still
pushing to see what else Cisco knows.

We are looking at the various timers, and in particular under "User
Management" --> "User Roles" --> "Schedule" --> "Heartbeat Timer".
According to Cisco, there are 3 timers to work with:  Session Timer, Heartbeat
Timer, Certified Device Timer.  In particular, configuring the Heartbeat
Timer will boot the PDA user's connection for good at the 30 min mark if
you've got that set for 30 min, or whatever time you choose, but we're not
sure if that means that if the user goes idle and CCA doesn't see them as
logging off (for whatever reason), then it actually preserves that session,
which is what we'd want, thus keeping the users from having to log in over
and over in a day because their device goes idle while they are doing
something else.

When it comes to session issues like this, you also have to consider what
you have available in your DHCP pool...if you want to allow sessions to
stay open, that could impact the number of DHCP leases you have available
for other users.

Don't know if this helps at all, but good luck.

-Aaron


On Mon, Aug 9, 2010 at 2:24 PM, Branden Kirk <[email protected]> wrote:

> We just started using NAC 4.8 Out-of-band Virtual Gateway and applied NAC
> to our encrypted SSID running on WCS/WLC 6.0 with 1142/1131 LWAPs.  This
> is our first use of NAC 4.1 and also deploying OOB.  We seem to have a
> problem, especially on mobile devices like the iPhone, where each session
> is requiring the device to re-auth regardless of being on the CDL.
> Creating a device filter as a workaround works.  I'm having trouble
> finding the root issue as it seems not all users of the same device type
> have the issue.  For instance, I have an iPhone 4 user who gets locked in
> a Safari page titled "Log In" showing the apple.com site, but none of that
> behavior on another iPhone 4.  Re-auth and page re-direction seem to
> happen more for some iPhone 3GS users than others.  I've seen my MacBook
> re-auth me after waking from sleep last week, but today none of the
> behavior exists.  We have had the OOB port profile option "Change to
> Access VLAN if the device is certified but not in the out-of-band user
> list" set this whole time but have still had this issue on wireless.
> None of the disconnect options for port profile are enabled.
>
> Any ideas?  Anyone encounter an issue similar to this experience or know
> what the root cause/solution could be?  I'm making a TAC case, but thought
> I'd hit this list as well.
>
> Thanks in advance.
>
> --
> Branden Kirk
> Network Administrator, IT Operations
> Biola University
> (562)944-0351 x5032
>



-- 
Aaron Abitia
Network Analyst
Network Administration, ITS
Cal Poly State University
Tel: 805.756.1295
