10-10-2012 11:26 AM - edited 10-10-2012 11:31 AM
We have a large Instant deployment at a school district. The main SSID has "force machine authentication" enabled.
Pass machine Auth = mahine_rest_role
Pass User Auth = user_restricted_role
Pass both and you get the default role for the SSID which is basically "all all".
The issue is the "inactivity timeout" option for the SSID won't allow above 3600 seconds. So, what we are seeing is users being dropped into the "user_restricted_role" when they shut their laptops, or step away for lunch, or class, or a meeting. This then requires them to log off and then back on to get full access to the network again.
Also, this is 802.1x using RADIUS via Microsoft NPS.
A. Why is the "Inactivity Timeout" limited to 3600 seconds?
B. There needs to be a machine Auth cache timeout setting like there is on the controllers.
Aruba has made a big deal of making Instant ready for the "Enterprise", but this seems a bit of an oversight for an "Enterprise" solution.
We're offering this as the solution for K-12, which is full of users that are hopping on and off their machines all day - not sitting at their desks for hours at a time like in many corporate settings.
There needs to be a proper solution for this.
Anyone else experiencing this issue with K-12 deployments? Any solutions you've come across?
Principal at CommunicaONE Inc
ACCP / ACMX #365 / CWNE #160
On the Twitters @HeyEddie ¯\_(ツ)_/¯
10-10-2012 12:19 PM
You can configure the machines via group policy to ONLY submit their machine credentials.
Aruba Customer Engineering