Friday 20 June 2014

Cisco Wireless LAN timeouts

This is just a quick post to explain how the timeouts on Cisco Wireless Controllers work. The subject is well documented, but here is a plain-English breakdown of their operation and their impact when set incorrectly.

In this example we have an issue with Guest users having to log in to Cisco ISE on a regular basis, which is causing annoyance. The cause of this will be down to two timers defined on the Cisco Wireless LAN Controller (Version 7.6 in this case).


Client Idle Timeout - Default 300 seconds


Configurable both globally and now under the WLAN. The timeout is triggered after a period of inactivity and is more relevant to mobile devices such as iOS (iPhone, iPad) and Android.
The default idle timeout value of 5 minutes (300 seconds) may be too low for some devices (some applications constantly send data and keep refreshing the session, but this may not always be the case). When a user brings the device out of sleep, they are forced to log back in on the ISE web portal.

I have had good results setting this to 1 hour (3600 seconds).


Session Timeout - Default 3600 seconds


Configurable under WLAN. This is an absolute value and, if defined here, will cause a session reauth once expired. If using RADIUS, this triggers an 802.1X reauthentication; if this is a MAB-enabled SSID used for CWA, this will clear the session and restart the CWA process. I recommend not enabling this on the WLC but defining it on the ISE (or other RADIUS server). For example, using guest user account time profiles on ISE will send the session timeout in the RADIUS response, which forces the WLC to clear down the session after the guest user's period of access has expired.
If you want to set it statically on the WLC then I recommend a value of 7200 seconds or greater.
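
To see how the two timers interact, here is a simplified Python model run over a constructed activity trace of a phone that sleeps between uses. This is an added example, not part of the original post or any Cisco tooling. It assumes the session is cleared the moment a timer expires and that the user logs back in at their next traffic; the function name `forced_logins` and the trace are illustrative.

```python
from typing import List, Optional, Tuple

def forced_logins(activity: List[int], idle_timeout: int,
                  session_timeout: Optional[int] = None) -> List[Tuple[int, str]]:
    """Return (time, reason) for every portal re-login after the first.

    activity        -- sorted timestamps (seconds) at which the client sends
                       traffic; activity[0] is the initial guest login
    idle_timeout    -- inactivity timer, reset by every packet
    session_timeout -- absolute timer from session start; None = no static
                       timer on the controller (model assumption)
    """
    relogins = []
    session_start = last_seen = activity[0]
    for t in activity[1:]:
        idle_expiry = last_seen + idle_timeout
        session_expiry = (session_start + session_timeout
                          if session_timeout is not None else float("inf"))
        if min(idle_expiry, session_expiry) <= t:
            # Session was cleared before this packet arrived: the user has to
            # authenticate again now. Report whichever timer fired first.
            reason = "session" if session_expiry <= idle_expiry else "idle"
            relogins.append((t, reason))
            session_start = t
        last_seen = t
    return relogins

# Constructed trace: a phone used briefly, then asleep for 18 and 29 minutes.
TRACE = [0, 60, 120, 1200, 1260, 3000, 3060, 3500, 4000]

if __name__ == "__main__":
    for idle, sess in [(300, None), (3600, None), (3600, 3600), (3600, 7200)]:
        print(f"idle={idle} session={sess}: {forced_logins(TRACE, idle, sess)}")
```

With the 300-second default the trace produces four idle-driven re-logins; raising the idle timeout to 3600 leaves only the absolute session timer, and a 7200-second session timeout produces none within this trace.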