05-12-2016 01:52 AM
We are experiencing intermittent issues with our RSSO service set up between ClearPass and FortiGate firewalls. We get about 20 (of about 300) users a day who do not get RSSO, usually after lunch when the users went out and came back into the building.
We have found that usually these users have a short connectivity time on the mobility controllers but have not authenticated to ClearPass for RADIUS authentication (no corresponding entry in the Access Tracker). If we delete the user from the controller using the "aaa user delete mac ... " command, we get an entry in the Access Tracker and the user gets RSSO on the firewall.
We have disabled OKC for the SSID, and also send the accounting information directly from the controller as well, but none of these changed the situation.
05-23-2016 09:04 AM
How about the "User idle timeout" setting under the AAA profile for your particular service?
If it is not already, you could try enabling this and setting the value to 0 so that entries are deleted upon disassociation or disconnect.
ACDX #98 | ACMP | ACCP