
How to configure session timeout for the OnGuard persistent agent?

by ‎11-26-2015 11:03 AM - edited ‎11-26-2015 11:03 AM
Requirement:

Is it possible to configure a session timeout for the OnGuard persistent agent and force it to re-post its health check at a specified interval?



Solution:

You can configure a session timeout for the agent using agent-based enforcement, so that the agent repeats its health check at the specified interval.


Configuration:

Note: This article covers only the agent session timeout. For basic ClearPass OnGuard configuration, please refer to the OnGuard configuration tech note available at the location below.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

 

Follow the steps below to configure the agent session timeout.

Create an agent-based enforcement profile under Configuration >> Enforcement >> Profiles and specify the session timeout under the Attributes tab.


Map the created enforcement profile to the health check (WebAuth) service under Configuration >> Services so that the session timeout is enforced on the client/agent after a successful health check.


Verification:

After a successful health check, you will see the session timeout sent to the agent in the Access Tracker output, as shown below.

Output Application Attributes -
 Agent:SessionTimeout = 16200

 

You can see the session timeout being enforced in the agent/client log (ClearPassOnGuard_*.log), as shown below.

2015-11-17 07:25:38,218 [Th 00002128] DEBUG OnGuardPlugin.AuthSession - GetEnfProfileAttrs: Auth Attribute: SessionTimeout=16200
2015-11-17 07:25:38,561 [Th 00002128] INFO  OnGuardPlugin.InterfaceManager - SetState: Moving from WAIT_FOR_CREDENTIALS (2) to AUTH_COMPLETE (3) after 7 seconds
2015-11-17 07:25:38,561 [Th 00002128] INFO  OnGuardPlugin.ActionQueue - Dequeue: AgentController - No pending events in the queue. Waiting for 5000 ms.
2015-11-17 07:25:38,561 [Th 000066e8] DEBUG OnGuardPlugin.BaseClient - Run: BaseClient Thread starting
2015-11-17 07:25:43,714 [Th 00002128] INFO  OnGuardPlugin.ActionQueue - Dequeue: AgentController - No pending events in the queue 00000000040E8420
2015-11-17 07:25:43,730 [Th 00002128] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=DOWN (0) (Seconds in this state=2562) for Junos Pulse
2015-11-17 07:25:43,730 [Th 00002128] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=5) for Local Area Connection
2015-11-17 07:25:38,421 [Th 00002128] INFO  OnGuardPlugin.AuthSession - DoEnforcementActions: Enforcement actions for Local Area Connection: Bounce=0 timeout=16200 secs healthcheckquietperiod=-1 secs' hideretrybutton=0 hidelogoutbutton=0 hidequitoption=0 messages='

 

The AUTH_COMPLETE state in the client log shows the time in seconds since the last health check. The output below from ClearPassOnGuard_*.log confirms that the client was forced to re-authenticate and re-post the health check after the session timeout.

2015-11-19 15:53:37,960 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16146) for Local Area Connection
2015-11-19 15:53:43,012 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16151) for Local Area Connection
2015-11-19 15:53:48,070 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16156) for Local Area Connection
2015-11-19 15:53:53,122 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16161) for Local Area Connection
2015-11-19 15:53:58,174 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16166) for Local Area Connection
2015-11-19 15:54:03,234 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16171) for Local Area Connection
2015-11-19 15:54:04,251 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - SetState: Moving from AUTH_COMPLETE (3) to AUTH_SERVER_DISCOVERY (1) after 16172 seconds
2015-11-19 15:54:07,713 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - SetState: Moving from WAIT_FOR_CREDENTIALS (2) to AUTH_COMPLETE (3) after 3 seconds
2015-11-19 15:54:12,764 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=5) for Local Area Connection
2015-11-19 15:54:17,815 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=10) for Local Area Connection
2015-11-19 15:54:22,867 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=15) for Local Area Connection
2015-11-19 15:54:27,918 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=20) for Local Area Connection
2015-11-19 15:54:32,970 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=25) for Local Area Connection
2015-11-19 15:54:38,021 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=30) for Local Area Connection
2015-11-19 15:54:43,073 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=35) for Local Area Connection
2015-11-19 15:54:48,124 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=40) for Local Area Connection
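
The same verification can be scripted when many endpoints need checking. The Python sketch below is an added example, not part of the original article or of any Aruba tooling: it parses the log message formats quoted above and compares the enforced SessionTimeout with the time the agent actually spent in AUTH_COMPLETE. The function name and the 60-second tolerance are assumptions, and the last sample line is constructed to show an agent that stayed in AUTH_COMPLETE past its timeout.

```python
import re

# Message formats as they appear in the ClearPassOnGuard_*.log excerpts in this article.
TIMEOUT_RE = re.compile(r"Auth Attribute: SessionTimeout=(\d+)")
LEAVE_RE = re.compile(r"SetState: Moving from AUTH_COMPLETE \(3\) to \w+ \(\d+\) after (\d+) seconds")
NOOP_RE = re.compile(r"state=AUTH_COMPLETE \(3\) \(Seconds in this state=(\d+)\)")

def audit_session_timeout(lines, tolerance=60):
    """Compare the enforced SessionTimeout with the time spent in AUTH_COMPLETE.
    `tolerance` (seconds) is an assumed allowance for agent polling jitter,
    not a ClearPass setting."""
    timeout = None
    reauths, overdue = [], []
    for line in lines:
        stamp = line[:23]  # "YYYY-MM-DD HH:MM:SS,mmm"
        if m := TIMEOUT_RE.search(line):
            timeout = int(m.group(1))
        elif m := LEAVE_RE.search(line):
            held = int(m.group(1))
            # True when the agent left AUTH_COMPLETE close to the enforced timeout.
            matches = timeout is not None and abs(held - timeout) <= tolerance
            reauths.append((stamp, held, matches))
        elif m := NOOP_RE.search(line):
            held = int(m.group(1))
            # Still in AUTH_COMPLETE well past the timeout: no fresh health check was posted.
            if timeout is not None and held > timeout + tolerance:
                overdue.append((stamp, held))
    return {"timeout": timeout, "reauths": reauths, "overdue": overdue}

# The first four lines are copied from the excerpts above; the last line is constructed.
SAMPLE_LOG = """\
2015-11-17 07:25:38,218 [Th 00002128] DEBUG OnGuardPlugin.AuthSession - GetEnfProfileAttrs: Auth Attribute: SessionTimeout=16200
2015-11-19 15:53:58,174 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=16166) for Local Area Connection
2015-11-19 15:54:04,251 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - SetState: Moving from AUTH_COMPLETE (3) to AUTH_SERVER_DISCOVERY (1) after 16172 seconds
2015-11-19 15:54:12,764 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=5) for Local Area Connection
2015-11-20 09:00:00,000 [Th 00001de4] INFO  OnGuardPlugin.InterfaceManager - HandleNoOp: NoOp handling in state=AUTH_COMPLETE (3) (Seconds in this state=17000) for Local Area Connection
""".splitlines()

RESULT = audit_session_timeout(SAMPLE_LOG)

if __name__ == "__main__":
    print(RESULT)
```

An empty `overdue` list together with `reauths` entries marked `True` corresponds to the behaviour shown in the excerpt above, where the agent left AUTH_COMPLETE after 16172 seconds against a timeout of 16200.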

 
