Timeout setting on Wireless LAN Controller

In this post we will check the specific timeouts on the WLC. I did some tests on the idle timeout and the session timeout.
Let's see how they work and what they mean:
Session Timeout
Session timeout is a value that forces a re-authentication when the timer expires. The timer starts counting down when the client is authenticated.
The session timeout is the maximum time for a client session with the WLC. After this time the WLC de-authenticates the client, and the client goes through the whole authentication process again (re-authentication). This is a security precaution to rotate the encryption keys. If we use an Extensible Authentication Protocol (EAP) method with key management, rekeying occurs at every interval in order to derive a new encryption key. Without key management, this timeout value is the interval at which wireless clients need to do a full re-authentication. The session timeout is specific to the WLAN.
How to configure or change this value:
Via GUI:
Log in to the WLC GUI and go to WLAN > WLAN ID > Advanced.

By default the session timeout is set to 1800 seconds; we can also uncheck this box or change the timeout to a bigger value. The session timeout can be configured per WLAN, from 300~86400 seconds.
When the session timeout is triggered, the PMK cache entry is removed and the client has to authenticate again.
Configurable session timeout range is:
• 300-86400 for 802.1x.
• 0-65535 for all other security types.
If we configure a session timeout of 0, it disables the session timeout in the case of an open system, and it means 86400 seconds for all other security types.

Via CLI:

 (WLAN1) >config wlan session-timeout ?
 <WLAN id> Enter WLAN Identifier between 1 and 16.
 (WLAN1) >config wlan session-timeout 8 ?
 <seconds> The duration of session in seconds (0 = infinity is true only for open system).
 (WLAN1) >config wlan session-timeout 8 65535

User Idle Timeout

The user idle timeout is a global parameter for the controller. If the AP/WLC does not receive any packets from the client for a certain period of time, the client entry is deleted; in other words, when a user is idle without any communication with the LAP for the amount of time set as the User Idle Timeout, the client is de-authenticated by the WLC. The client then has to re-authenticate and re-associate to the WLC. It is used in situations where a client can drop out from its associated LAP without notifying the LAP. This can occur if the battery goes dead on the client or the client moves away.
Increasing the user idle timeout uses more RAM on the WLC and makes the WLC client database less accurate. The default is 300 seconds (5 minutes).
The user idle timeout can be configured from 15~100000 seconds.

How to configure or change this value:
Via GUI:
Log in to the WLC GUI and go to Controller > General > User Idle Timeout.

[Screenshot: User Idle Timeout]

Via CLI:

Here is a very simple way to configure it from the command line.

(WLAN1) >config network usertimeout ?
 <seconds> Recommended user idle timeout in seconds between 90 and 100000. Range <15 - 100000>. Default is 300
(WLAN1) >config network usertimeout 86400

ARP Timeout

The ARP Timeout is used to delete ARP entries on the WLC for the devices learned from the network.
Increasing this timeout increases the CPU load and distorts statistics for the number of simultaneous users. The default value is 300 seconds (5 minutes). This is a global parameter for the controller.
How to configure it:

Via GUI:
Log in to WLC GUI, then go to Controller > General > ARP Timeout.

[Screenshot: ARP Timeout]
Via CLI:

A very easy way is via the CLI:

(WLAN1) >config network arptimeout ?
 <seconds> The ARP entry timeout in seconds. Min is 10, Default is 300
(WLAN1) >config network arptimeout 86400

So it is very important to design and configure proper values for these timeout parameters; otherwise you face the problem of re-logging in every 5 minutes.
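As an added example (not Cisco code and not part of the original post), here is a small checker that encodes the ranges and the rule for a session timeout of 0 described above, builds the three CLI lines the post uses, and flags values that would cause the re-login problem. The function names and the security labels "open", "dot1x" and "other" are this example's own.

```python
"""Check WLC timeout values against the ranges described in the post and
build the matching CLI lines. Added example, not Cisco code; the function
names and the security labels "open" / "dot1x" / "other" are this example's own."""

SESSION_RANGE = {"dot1x": (300, 86400), "other": (0, 65535), "open": (0, 65535)}
IDLE_RANGE = (15, 100000)      # config network usertimeout, default 300
IDLE_RECOMMENDED_MIN = 90      # the CLI help text recommends 90 or more
ARP_MIN = 10                   # config network arptimeout, default 300


def effective_session_timeout(seconds, security):
    """Return the timeout the WLC applies, or None when the timer is disabled.

    0 disables the timer only on an open-system WLAN; on any other security
    type a 0 is treated as 86400 seconds. Out-of-range values raise ValueError.
    """
    lo, hi = SESSION_RANGE[security]
    if not lo <= seconds <= hi:
        raise ValueError(f"session timeout {seconds}s outside {lo}-{hi} for {security}")
    if seconds == 0:
        return None if security == "open" else 86400
    return seconds


def wlc_timeout_commands(wlan_id, session, security, idle, arp):
    """Validate one WLAN's timers and return (cli_lines, warnings)."""
    if not 1 <= wlan_id <= 16:
        raise ValueError("WLAN id must be between 1 and 16")
    if not IDLE_RANGE[0] <= idle <= IDLE_RANGE[1]:
        raise ValueError(f"user idle timeout {idle}s outside {IDLE_RANGE}")
    if arp < ARP_MIN:
        raise ValueError(f"ARP timeout {arp}s is below the minimum of {ARP_MIN}")
    effective = effective_session_timeout(session, security)
    warnings = []
    if idle < IDLE_RECOMMENDED_MIN:
        warnings.append(f"idle timeout {idle}s is below the recommended {IDLE_RECOMMENDED_MIN}s")
    # The post's closing point: a short timer makes clients log in again every few minutes.
    for name, value in (("session", effective), ("idle", idle)):
        if value is not None and value <= 300:
            warnings.append(f"{name} timeout {value}s forces re-authentication at least every 5 minutes")
    commands = [
        f"config wlan session-timeout {wlan_id} {session}",
        f"config network usertimeout {idle}",
        f"config network arptimeout {arp}",
    ]
    return commands, warnings


if __name__ == "__main__":
    # The values typed in the post's CLI transcripts: WLAN 8, session 65535, idle and ARP 86400.
    cmds, warns = wlc_timeout_commands(8, 65535, "other", 86400, 86400)
    print("\n".join(cmds), warns)
```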


16 thoughts on “Timeout setting on Wireless LAN Controller”

  1. Hi,
    As per my understanding, “When a client tries to authenticate/associate on a WLAN, it must pass within this time period, otherwise you will see an error.”


  2. ok… umm, what times do you recommend should match? I mean, we have a DHCP timeout (because we use DHCP given from the WLC), we use a user session timeout on the SSID, and the two timeouts that you comment on in your post, and the last of my doubts… so…
    do any of the timeouts have to match each other, or does every one work independently?

  3. How do I manage users accessing my WLC? For example, I want to set only an hour of access to the internet per day. After the user has consumed 1 hour, the user can access again on the next day.

  4. Thanks for the article.
    If we debug a client MAC address in the WLC, I get something like below:
    Ms Timeout = 160, Session Timeout = 65595
    What is Ms timeout?

  5. Hi, it all makes sense now. My question is, our office is set to 300 secs, but it times out every 30 mins when streaming a video. How is that? Isn't it supposed to time out every 5 mins?

    1. Log in to the WLC, go to SECURITY > AAA > User Login Policies; this allows you to specify the maximum number of concurrent logins for a single client name.


  6. Hi

    Is there a way I can configure my wireless LAN controller so that, let's say, after 19:00 it should stop working and then start working at 7 in the morning?

  7. Hi

    I just came across this interesting blog while researching how exactly the session timer works. Your explanation is really good and makes total sense. I have one question, though, about the statement that clients need to do a full re-authentication without an AKM in place. Can you explain this in more detail? Under which settings would this apply?

    Thanks, Christian
