ArubaOS and Controllers

Occasional Contributor II
Posts: 31
Registered: ‎07-29-2010

guest access idle time

Hi guys,

Is it possible to change the time in which a user is logged off if idle?
It currently looks to be set at about 10-15 minutes, is it possible to change this?

This is for our guest SSID.

Thanks,
Dave
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Set to 5 Minutes

By default it is set to 5 minutes or 600 seconds, which means if a user does not pass traffic for 5 minutes, the user is pinged once every minute for 4 minutes. If the user still does not respond, the user is removed from the user table and must reauthenticate the next time he/she connects. From the Aruba knowledgebase verbatim (support.arubanetworks.com):

"aaa timer idle-timeout "- this is the timer for the datapath to detect if there is no more new sessions nor traffic initiated for a user record. When the time has come, it will signal the control plane "authmgr" to ping the client. The ping is three consecutive checks with 1 sec interval. If there is no ping response, you should issue an "aaa user delete w.x.y.z" command to clean up the user record. If the client can reply, the user record is kept for another round of idle timer."

You can see what it is by doing the following:

(3600.arubanetworks.com) #show aaa timers 

User idle timeout = 300 seconds <------------------
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes


You can change it by doing the following:

config t
aaa timer idle-timeout

Keep in mind that this affects ALL users, so that if you increase it to, say 30 minutes, you will have a large number of users in the table that have not connected or even sent traffic for 30 minutes, reflected as still being there.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
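
An audit helper for the `show aaa timers` output quoted in the post above, added here as an example (it is not part of the original thread and not Aruba code): it normalizes the mixed seconds/minutes units and reports timers that differ from a baseline. The function names and the baseline dictionary are assumptions for illustration; the baseline values are simply the ones shown in the posted output.

```python
import re

# Constructed sample: the controller output as quoted in the post above,
# including the prompt line and the author's arrow annotation.
SAMPLE = """\
(3600.arubanetworks.com) #show aaa timers

User idle timeout = 300 seconds <------------------
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
"""

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}
LINE_RE = re.compile(
    r"^\s*(?P<name>[^=]+?)\s*=\s*(?P<value>\d+)\s*(?P<unit>second|minute|hour)s?\b",
    re.IGNORECASE,
)

def parse_aaa_timers(text):
    """Return {lower-cased timer name: value in seconds} for each 'name = N unit' line."""
    timers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # prompt lines and blank lines have no 'name = N unit' shape
            seconds = int(m["value"]) * UNIT_SECONDS[m["unit"].lower()]
            timers[m["name"].lower()] = seconds
    return timers

def audit(text, baseline):
    """Return (name, actual_seconds, expected_seconds) for each drifted timer.

    actual_seconds is None when the timer line is missing from the output.
    """
    timers = parse_aaa_timers(text)
    findings = []
    for name, expected in baseline.items():
        actual = timers.get(name)
        if actual != expected:
            findings.append((name, actual, expected))
    return findings

# Hypothetical baseline, in seconds, taken from the values in the posted output.
BASELINE = {
    "user idle timeout": 300,
    "auth server dead time": 600,
    "logon user lifetime": 300,
}

if __name__ == "__main__":
    for name, actual, expected in audit(SAMPLE, BASELINE):
        print(f"{name}: found {actual}s, baseline {expected}s")
```

Run against output saved from each controller, an empty result means the global timers still match the baseline; since the idle timeout is global, a raised value shows up here for every SSID at once.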

New Contributor
Posts: 1
Registered: ‎12-08-2009

Re: guest access idle time

Colin,

Is there a way to set role based timeouts?

Thanks
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Global

For now, it is a global parameter. If you are doing 802.1x or encryption on your clients, this timer matters little, because the supplicant on the device determines how seamless the connectivity will be when a device roams back or wakes up. That timer mainly determines how long have we not seen traffic that we will maintain a client session on the controller before the user has to log in again. With 802.1x, the supplicant automates this, so it is not an issue. With a captive portal network, however, the user has to log in manually.

The side effect of raising this timer is that you will have an inflated count of users that have long since gone away, but are still in the table. A lot of people change the timers but end up going back to the defaults. Individual requirements may prompt you to change it, however.


Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 13
Registered: ‎07-01-2010

Re: guest access idle time

Hey Colin,

I thought that the probe request/response should do it with the idle timer, so I've got a few questions:


  • Why does it end up sending ICMP packets?
  • What if the machine firewall is turned on and it doesn't reply to the icmp requests?
  • Does the configured ACL affect this in case icmp is dropped?


thanks,

Fehmi.
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: guest access idle time

The mechanism tries to ping and it looks for the client passing traffic. Please see here: http://kb.arubanetworks.com/cgi-bin/arubanetworks.cfg/php/enduser/std_adp.php?p_faqid=460

Pings can be blocked, but it always looks for traffic being initiated by the client. If it sees no traffic after 5 minutes, it will attempt to ping the client.


Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 13
Registered: ‎07-01-2010

Re: guest access idle time

Right, I did check the post, but how about this one:

http://kb.arubanetworks.com/cgi-bin/arubanetworks.cfg/php/enduser/popup_adp.php?p_faqid=163&p_created=1232068614

And I'm running 3.4.3.x...

It's supposed to probe with ARPs only and no ICMP, yet, the pinging mentioned in the KB article you referenced is happening.
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: guest access idle time

That article may be out of date. Let me check.


Colin Joseph
Aruba Customer Engineering


New Contributor
Posts: 1
Registered: ‎04-23-2010

Re: guest access idle time

I'm having a similar issue. A guest user who VPNs into their corporate network is disconnected after the idle time out expires. Because of their VPN client, they do not respond to ping. The controller sees traffic from the VPN adapter IP and not the authenticated client IP, therefore, the controller does not see traffic from the client and times them out.
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: guest access idle time

What version of code?


Colin Joseph
Aruba Customer Engineering

