Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass to FortiGate RSSO issue

  • 1.  ClearPass to FortiGate RSSO issue

    Posted May 12, 2016 04:52 AM

    Good day,

    We are experiencing intermittent issues with our RSSO service set up between ClearPass and FortiGate firewalls. About 20 (of about 300) users a day do not get RSSO, usually after lunch, when the users have gone out and come back into the building.

    We have found that these users usually have a short connectivity time on the mobility controllers but have not authenticated to ClearPass for RADIUS authentication (no corresponding entry in the Access Tracker). If we delete the user from the controller using the "aaa user delete mac ..." command, we get an entry in the Access Tracker and the user gets RSSO on the firewall.

    We have disabled OKC for the SSID, and we also send the accounting information directly from the controller as well, but neither of these changed the situation.

    Any suggestions?



  • 2.  RE: ClearPass to FortiGate RSSO issue

    Posted May 23, 2016 11:30 AM

    What's the value of your "Logon User Lifetime" found under Authentication -> Advanced?



  • 3.  RE: ClearPass to FortiGate RSSO issue

    Posted May 23, 2016 11:57 AM

    David,

    Thank you for the reply.

    Logon User Lifetime is set to 5 minutes (default value).

    Kind Regards,

    Albie



  • 4.  RE: ClearPass to FortiGate RSSO issue

    Posted May 23, 2016 12:05 PM

    How about the "User idle timeout" setting under the AAA profile for your particular service?

    If it is not already, you could try enabling this and setting the value to 0 so that entries are deleted upon disassociation or disconnect.
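The reasoning in replies 1 and 4 (a controller user entry that survives the client's disassociation lets the client come back without a new RADIUS authentication, so ClearPass sees no Access-Request and nothing new is forwarded to the firewall) can be made concrete with a small model. This is an added illustration written for this thread, not code from HPE Aruba, ClearPass or Fortinet: the controller is reduced to the one rule under discussion, the firewall only learns user-to-IP mappings from accounting it is fed, and the MAC, IP, user name and timer values are constructed sample data. The thread does not establish why the firewall's mapping is gone when the user returns, so the scenario simply removes it (`mapping_lost`) and then checks which settings cause fresh accounting that restores it.

```python
"""Model: controller user idle timeout vs. RADIUS events seen by
ClearPass and the user -> IP table of an RSSO firewall.

Added illustration for this thread, not vendor code. Controller
behaviour is simplified to one rule: a user entry that still exists
when the client reassociates is reused without a new RADIUS
authentication (and therefore without a new Accounting-Start).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str]  # (RADIUS message type, user name, client IP)


@dataclass
class UserEntry:
    name: str
    ip: str
    disconnected_at: Optional[int] = None  # None while the client is associated


@dataclass
class Controller:
    """idle_timeout is the AAA-profile 'User idle timeout' in seconds;
    0 means the entry is deleted as soon as the client disassociates."""
    idle_timeout: int
    users: Dict[str, UserEntry] = field(default_factory=dict)
    radius_to_clearpass: List[Event] = field(default_factory=list)

    def _delete(self, mac: str) -> None:
        entry = self.users.pop(mac)
        # Removing an authenticated user produces an Accounting-Stop.
        self.radius_to_clearpass.append(("Acct-Stop", entry.name, entry.ip))

    def age_out(self, now: int) -> None:
        """Expire entries whose client has been gone for >= idle_timeout."""
        for mac, entry in list(self.users.items()):
            gone = entry.disconnected_at
            if gone is not None and now - gone >= self.idle_timeout:
                self._delete(mac)

    def connect(self, now: int, mac: str, name: str, ip: str) -> None:
        self.age_out(now)
        entry = self.users.get(mac)
        if entry is not None:
            # Cached entry: client re-admitted, ClearPass sees no traffic.
            entry.disconnected_at = None
            return
        # No entry: full authentication, then accounting starts.
        self.radius_to_clearpass.append(("Access-Request", name, ip))
        self.radius_to_clearpass.append(("Acct-Start", name, ip))
        self.users[mac] = UserEntry(name, ip)

    def disconnect(self, now: int, mac: str) -> None:
        self.users[mac].disconnected_at = now
        self.age_out(now)  # with idle_timeout == 0 this deletes immediately

    def aaa_user_delete_mac(self, mac: str) -> None:
        """The manual workaround from the first post."""
        if mac in self.users:
            self._delete(mac)


@dataclass
class RssoFirewall:
    """Learns user -> IP only from the accounting it is fed."""
    table: Dict[str, str] = field(default_factory=dict)

    def feed(self, events: List[Event]) -> None:
        for kind, name, ip in events:
            if kind == "Acct-Start":
                self.table[ip] = name
            elif kind == "Acct-Stop":
                self.table.pop(ip, None)

    def user_for(self, ip: str) -> Optional[str]:
        return self.table.get(ip)


def lunch_break(idle_timeout: int, away_seconds: int,
                mapping_lost: bool = True, force_delete: bool = False) -> dict:
    """Morning authentication, client leaves for away_seconds, comes back.
    Returns the RADIUS message types ClearPass saw on the return and the
    user the firewall then has for the client's IP (None = no RSSO)."""
    ctl, fw = Controller(idle_timeout), RssoFirewall()
    mac, name, ip = "00:11:22:33:44:55", "albie", "10.20.30.40"  # constructed

    ctl.connect(0, mac, name, ip)
    fw.feed(ctl.radius_to_clearpass)  # morning Acct-Start reaches the firewall
    ctl.radius_to_clearpass.clear()
    if mapping_lost:
        fw.table.pop(ip, None)  # mapping gone downstream, cause not modelled

    ctl.disconnect(43200, mac)  # noon
    if force_delete:
        ctl.aaa_user_delete_mac(mac)
    ctl.connect(43200 + away_seconds, mac, name, ip)
    seen = [kind for kind, _, _ in ctl.radius_to_clearpass]
    fw.feed(ctl.radius_to_clearpass)
    return {"clearpass_saw": seen, "firewall_user": fw.user_for(ip)}


if __name__ == "__main__":
    print("idle 300s, back after 120s:", lunch_break(300, 120))
    print("idle 0s,   back after 120s:", lunch_break(0, 120))
    print("idle 300s, aaa user delete:", lunch_break(300, 120, force_delete=True))
```

With the default 300 s idle timeout and a return inside that window, the return produces no RADIUS message at all, which matches the empty Access Tracker in the first post; with the timeout at 0, or after `aaa user delete mac`, the return produces Accounting-Stop, Access-Request and Accounting-Start, and the firewall has the mapping again.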



  • 5.  RE: ClearPass to FortiGate RSSO issue

    Posted Jul 19, 2022 09:12 AM

    This behavior is fixed by configuring: Server Configuration > "CPPM server name" > Service Parameters > Policy Server > Additional time before session deletion from multi-master cache > set to 600 (default is 0). It works every time for me.