CATALYST 9800 CONFIG RECOMM
Let me update this thread with some notes from my latest investigations into client disconnections (Windows). The problem from a WLAN engineer's perspective is that normally this part is not taken into account, as it is on the WinTel team's side and it is hard to influence their decisions. The same happens with tuning driver parameters regarding roaming aggressiveness, preferred band and some others that may be available in all operating systems.
Take into consideration that this is my recommendation based on timer values in Cisco’s Best Practices, and some others have been tuned to address some known issues with drivers (like GTK issue seen with Mediatek WiFi6 chipsets).
Please feel free to add any comment or any recommended value from other best practices, or add the same parameters for other operating systems such as macOS or Linux.
CATALYST 9800 CONFIG:
// Number of retries in the event of not receiving counterpart from device
wireless security dot1x eapol-key retries 2
!
// Period in milliseconds between consecutive retries
wireless security dot1x eapol-key timeout 1000
!
// This setting (GTK rotation interval) is governed by the WLAN infrastructure and pushed to the client, so there is no counterpart in the Windows profile
wireless security dot1x group-key interval 54000
!
// Number of times the identity request is re-sent to the client once the RADIUS server has initiated the authentication
wireless security dot1x identity-request retries 2
!
// Period in seconds when the WLAN infrastructure expires an ongoing authentication so to retry
wireless security dot1x identity-request timeout 30
!
// Number of retries before the WLAN infrastructure expires an ongoing authentication process, so the client device starts a new one upon restoring connectivity
wireless security dot1x request retries 2
!
// Period in seconds when the WLAN infrastructure expires an ongoing authentication so the client needs to restart with full authentication
wireless security dot1x request timeout 30
!
// The following two commands are per-WLAN, configured inside the WLAN profile (wlan <profile-name> <id> <ssid>), not in global configuration mode
// Period in seconds after which the current session is removed from the WLAN infrastructure and a new full authentication is triggered on the client device. Ideally this setting should match at both ends so that neither side expires the current session first.
session-timeout 54000
!
// Period in seconds that a client is held in the exclusion list due to credential failure (this could be due to an expired certificate, a new device not yet provisioned, a missing certificate, or a device not registered in AD)
exclusionlist timeout 180
!
COUNTERPART IN WINDOWS (to be modified through GPO, or manually in the WLAN profile):
// Advanced Settings:
Max Eapol-Start Msgs = 2 ==> This value matches WLAN infra eapol-key retries
Held Period (seconds) = 180 ==> This value matches WLAN infra exclusionlist timeout
Start Period (seconds) = 1 ==> This value matches WLAN infra eapol-key timeout (1000 ms)
Auth Period (seconds) = 30 ==> This value matches WLAN infra request timeout
!
// Fast Roaming Settings:
Enable Pairwise Master Key (PMK) Caching = Enabled
PMK Time to Live (Minutes) = 900 ==> This value matches WLAN infra session-timeout of 54000 s (900 min x 60)
Number of Entries in PMK Cache = 128
This network uses pre-authentication = Disabled
https://community.cisco.com/t5/wireless/c9800-session-timeout-timer/td-p/4646389 (JPavonM)
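As an added example (not part of the original post or of any Cisco or Microsoft tooling), the script below cross-checks the pairings listed above: it parses the 9800 dot1x and WLAN-profile timer lines out of a running-config fragment, reads the matching elements out of a Windows WLAN profile XML (the format produced by `netsh wlan export profile`, whose `OneX` element carries `maxStart`, `heldPeriod`, `startPeriod` and `authPeriod`, and whose `MSM/security` section carries `PMKCacheTTL` in minutes), converts units (ms to s, s to min) and reports every value that does not line up. Both the config text and the profile XML are constructed sample input, and the SSID `CORP-DOT1X` is an assumed name.

```python
"""Cross-check Catalyst 9800 802.1X timers against a Windows WLAN profile.

Added example, not code from the original post.  It encodes the pairings
the post lists (eapol-key retries <-> maxStart, eapol-key timeout <->
startPeriod, request timeout <-> authPeriod, exclusionlist timeout <->
heldPeriod, session-timeout <-> PMKCacheTTL) and flags any disagreement.
The config fragment and profile XML below are constructed sample input.
"""
import re
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"

# 9800 parameter -> (Windows profile element, divisor turning 9800 units into Windows units)
PAIRINGS = {
    "eapol-key retries":     ("maxStart",    1),
    "eapol-key timeout":     ("startPeriod", 1000),  # 9800 in ms, Windows in s
    "request timeout":       ("authPeriod",  1),
    "exclusionlist timeout": ("heldPeriod",  1),
    "session-timeout":       ("PMKCacheTTL", 60),    # 9800 in s, Windows in min
}

# Constructed 9800 running-config fragment (global dot1x timers plus a WLAN profile)
SAMPLE_9800 = """\
wireless security dot1x eapol-key retries 2
wireless security dot1x eapol-key timeout 1000
wireless security dot1x identity-request timeout 30
wireless security dot1x request retries 2
wireless security dot1x request timeout 30
wlan CORP-DOT1X 1 CORP-DOT1X
 session-timeout 54000
 exclusionlist timeout 180
"""

# Constructed Windows profile as exported by: netsh wlan export profile name="CORP-DOT1X"
SAMPLE_PROFILE = f"""<?xml version="1.0"?>
<WLANProfile xmlns="{WLAN_NS}">
  <name>CORP-DOT1X</name>
  <MSM><security>
    <PMKCacheMode>enabled</PMKCacheMode>
    <PMKCacheTTL>900</PMKCacheTTL>
    <PMKCacheSize>128</PMKCacheSize>
    <preAuthMode>disabled</preAuthMode>
    <OneX xmlns="{ONEX_NS}">
      <heldPeriod>180</heldPeriod>
      <authPeriod>30</authPeriod>
      <startPeriod>1</startPeriod>
      <maxStart>2</maxStart>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

TIMER_RE = re.compile(
    r"\s*(?:wireless security dot1x )?"
    r"(eapol-key retries|eapol-key timeout|request timeout|"
    r"session-timeout|exclusionlist timeout)\s+(\d+)\s*$"
)


def parse_9800(config_text):
    """Return {parameter: int} for the timers that have a Windows counterpart.

    'identity-request timeout' is deliberately not matched: the post maps
    Auth Period to 'request timeout' only.
    """
    values = {}
    for line in config_text.splitlines():
        m = TIMER_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def parse_profile(xml_text):
    """Return {element: int} for PMKCacheTTL and the OneX timer elements present.

    Elements Windows left out of the export (because they are at their
    default) are simply absent from the result.
    """
    root = ET.fromstring(xml_text)
    security = root.find(f"{{{WLAN_NS}}}MSM/{{{WLAN_NS}}}security")
    if security is None:
        raise ValueError("profile has no MSM/security section")
    values = {}
    ttl = security.find(f"{{{WLAN_NS}}}PMKCacheTTL")
    if ttl is not None:
        values["PMKCacheTTL"] = int(ttl.text)
    onex = security.find(f"{{{ONEX_NS}}}OneX")
    if onex is not None:
        for tag in ("maxStart", "startPeriod", "authPeriod", "heldPeriod"):
            el = onex.find(f"{{{ONEX_NS}}}{tag}")
            if el is not None:
                values[tag] = int(el.text)
    return values


def compare(cfg, profile):
    """Return one finding string per pairing that does not line up (empty list = consistent)."""
    findings = []
    for ckey, (wkey, divisor) in PAIRINGS.items():
        if ckey not in cfg:
            findings.append(f"{ckey}: not present in 9800 config")
            continue
        expected = cfg[ckey] / divisor
        if wkey not in profile:
            findings.append(f"{wkey}: absent from profile (Windows default applies); "
                            f"9800 {ckey}={cfg[ckey]} implies {expected:g}")
        elif profile[wkey] != expected:
            findings.append(f"{wkey}={profile[wkey]} but 9800 {ckey}={cfg[ckey]} "
                            f"implies {expected:g}")
    return findings


if __name__ == "__main__":
    result = compare(parse_9800(SAMPLE_9800), parse_profile(SAMPLE_PROFILE))
    print("\n".join(result) if result else "9800 timers and Windows profile are consistent")
```

To use it against real systems, paste the output of `show running-config | include dot1x|session-timeout|exclusionlist` into `SAMPLE_9800` and the exported profile XML into `SAMPLE_PROFILE`; a `heldPeriod` left at its Windows default, for instance, shows up as a finding against `exclusionlist timeout 180`.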