Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

  • 1.  ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    Posted Sep 12, 2014 12:05 AM

    Hi All,

    I have a deployment for an Aruba 3200 with an NPS server (running Windows 2012 and joined to AD) where end-users need to log in via a captive portal using their AD username and password. I don't have ClearPass.

    I am trying to configure it in such a way that once the end-users log in, they need not re-enter their AD username and password when they log off their PC or go to lunch. I have tried tuning the "user idle timeout" but the issue remains.

    I want the users to stay logged in regardless of whether they go to lunch, turn their PC off or on, or log off or log in to Windows. However, if the AD password expires then that is understandable.

    After reading the threads below:

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/How-to-do-mac-auth-for-devices-after-the-captive-portal/td-p/137845

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Guest-User-Re-Authentication-Issue/td-p/187138

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Captive-Portal-Reauthentication-Timer/m-p/132073/highlight/true#M9104

    it sounds like I need MAC caching of some sort, but this is available under ClearPass.

    Is there any workaround I can use to get around this?



  • 2.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)
    Best Answer

    EMPLOYEE
    Posted Sep 12, 2014 12:19 AM
    ClearPass is the only way to really solve your issue unless you move the clients to a certificate.


  • 3.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    Posted Sep 12, 2014 01:48 AM
    Hi Tarnold,

    Seriously?

    How about increasing the Station Ageout Time and User Idle Timeout values to the maximum?


  • 4.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    EMPLOYEE
    Posted Sep 12, 2014 01:59 AM

    Yes, you can increase the session timeout, but that is more of a patch than a fix. I have seen that cause more issues than it fixes compared to MAC caching. Some of the wireless guys can talk more on it.

    The max you can set it to is 15,300 seconds.

    (screenshot attached: Screen Shot 2014-09-12 at 12.55.26 AM.png)



  • 5.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    EMPLOYEE
    Posted Sep 12, 2014 09:23 AM
    I would not change the station ageout timers. You can play with the user idle timeout, but it is not a stable solution for what you're trying to do.

    As Troy said, you either need to use ClearPass to set up MAC caching or move to something more secure like EAP-TLS or EAP-PEAP.


  • 6.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    Posted Sep 15, 2014 11:20 PM
    Hi guys, thanks for the feedback. I need to find a workaround for this little problem of mine. Just wondering if I can do this workaround:

    1. If I am getting this correctly, I would go about creating local users in the controller's local database instead of going through my RADIUS or NPS server. Then, for each user created, it was suggested that I set the user account expiry to a later date. I see that there is a 'maximum expiration' and 'expiry' under each user's attributes. Correct me if I am wrong: will this influence how often users have to log in to the captive portal?


  • 7.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    Posted Sep 18, 2014 02:12 AM
    Hi guys, I understand ClearPass is needed. But I am hoping for some kind of input and suggestions on this. As of now, it is apparent that having the MAC address of the user's PC on the controller is required. When a user logs into the captive portal, is there a way to capture their MAC address and make use of it?


  • 8.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    Posted Sep 18, 2014 03:03 AM

    @tvliew wrote:
    Hi guys, thanks for the feedback. I need to find a workaround for this little problem of mine. Just wondering if I can do this workaround: 1. If I am getting this correctly, I would go about creating local users in the controller's local database instead of going through my RADIUS or NPS server. Then, for each user created, it was suggested that I set the user account expiry to a later date. I see that there is a 'maximum expiration' and 'expiry' under each user's attributes. Correct me if I am wrong: will this influence how often users have to log in to the captive portal?

    That has no influence on the login to the portal; it affects how long the account can be used.

    I understand your problem, but there simply is no way to solve this without doing MAC caching somewhere.
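    To make the point of posts 4, 5 and 8 concrete (a longer user idle timeout only survives a quiet period; a power-off or station ageout still drops the user entry, and only a MAC cache lets the client back in without the portal), here is an added toy simulation. It is not ArubaOS or ClearPass code; the state machine, the traffic pattern and the MAC address are constructed for the example, and only the 15,300-second cap comes from the thread.

```python
"""Constructed model of a captive-portal user entry on a controller versus a
MAC-caching entry. Assumptions for illustration only: a user entry is dropped
after `user_idle_timeout` seconds of silence or when the device goes away; a
cached MAC may re-enter without the portal until the cache TTL expires."""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_USER_IDLE_TIMEOUT = 15_300  # seconds; the cap quoted in the thread
DAY = 86_400


@dataclass
class Controller:
    user_idle_timeout: int            # seconds of silence before the user entry is dropped
    mac_cache_ttl: Optional[int] = None   # seconds a MAC stays cached; None = no MAC caching
    users: Dict[str, int] = field(default_factory=dict)      # mac -> last traffic time
    mac_cache: Dict[str, int] = field(default_factory=dict)  # mac -> time of portal login
    portal_logins: int = 0

    def __post_init__(self) -> None:
        if not 0 < self.user_idle_timeout <= MAX_USER_IDLE_TIMEOUT:
            raise ValueError("user idle timeout must be 1..15300 seconds")

    def traffic(self, mac: str, now: int) -> bool:
        """Client sends traffic at `now`. Returns True if a portal login was needed."""
        last = self.users.get(mac)
        if last is not None and now - last > self.user_idle_timeout:
            del self.users[mac]  # idle timeout expired: entry is gone
        if mac in self.users:
            self.users[mac] = now  # still authenticated, refresh last-seen
            return False
        cached = self.mac_cache.get(mac)
        if cached is not None and now - cached <= self.mac_cache_ttl:
            self.users[mac] = now  # MAC cache hit: re-admit silently
            return False
        self.portal_logins += 1    # otherwise the user sees the captive portal again
        self.users[mac] = now
        if self.mac_cache_ttl is not None:
            self.mac_cache[mac] = now
        return True

    def device_off(self, mac: str) -> None:
        """PC powered off / station aged out: the user entry is removed regardless of idle timer."""
        self.users.pop(mac, None)


def simulate_workdays(ctl: Controller, mac: str = "aa:bb:cc:dd:ee:ff", days: int = 2) -> int:
    """Constructed pattern: traffic every minute 08:00-12:00 and 13:00-17:00,
    a silent lunch hour, then the PC is switched off overnight.
    Returns how many captive-portal logins the user had to do."""
    for d in range(days):
        base = d * DAY
        for start_h, end_h in ((8, 12), (13, 17)):
            for t in range(start_h * 3600, end_h * 3600 + 1, 60):
                ctl.traffic(mac, base + t)
        ctl.device_off(mac)
    return ctl.portal_logins


def compare_strategies() -> Dict[str, int]:
    """Portal logins over two workdays for the three approaches discussed."""
    return {
        "idle 5 min, no MAC cache": simulate_workdays(Controller(300)),
        "idle 15300 s (max), no MAC cache": simulate_workdays(Controller(MAX_USER_IDLE_TIMEOUT)),
        "idle 5 min + MAC cache 7 days": simulate_workdays(Controller(300, mac_cache_ttl=7 * DAY)),
    }


if __name__ == "__main__":
    for name, logins in compare_strategies().items():
        print(f"{name}: {logins} portal logins")
```

    Raising the idle timeout to the maximum removes the after-lunch login but not the next-morning one, because the power-off clears the entry; only the MAC-cache case gets down to a single login, which is exactly what the thread says requires ClearPass (or a move to certificate-based EAP).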



  • 9.  RE: ARUBA CONTROLLER WITH CAPTIVE PORTAL AUTHENTICATION VIA NPS (RADIUS)

    Posted Sep 21, 2014 12:42 PM

    Thanks guys for the inputs. I'm closing this case.