Occasional Contributor I

Clearpass to Fortigate RSSO issue

Good day,

We are experiencing intermittent issues with our RSSO service set up between Clearpass and Fortigate firewalls. We get about 20 (of about 300) users a day that do not get RSSO, usually after lunch when the users went out and came back into the building.

We have found that usually these users have a short connectivity time on the mobility controllers but have not authenticated to Clearpass for RADIUS authentication (no corresponding entry in the Access Tracker). If we delete the user from the controller using the "aaa user delete mac ... " command, we get an entry in the Access Tracker and the user gets RSSO on the firewall.

We have disabled OKC for the SSID, and also send the accounting information directly from the controller as well, but none of these changed the situation.

Any suggestions?

MVP

Re: Clearpass to Fortigate RSSO issue

What's the value of your "Logon User Lifetime" found under Authentication -> Advanced?

David
ACDX #98 | ACMP | ACCP
Occasional Contributor I

Re: Clearpass to Fortigate RSSO issue

David,

Thank you for the reply.

Logon User Lifetime is set to 5 minutes (default value).

Kind Regards,

Albie

MVP

Re: Clearpass to Fortigate RSSO issue

How about the "User idle timeout" setting under the AAA profile for your particular service?

If it is not already, you could try enabling this and setting the value to 0 so that entries are deleted upon disassociation or disconnect.

David
ACDX #98 | ACMP | ACCP