Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass RADIUS session-timeout for web auth vs. mac auth

  • 1.  ClearPass RADIUS session-timeout for web auth vs. mac auth

    Posted Aug 14, 2013 07:09 PM

    Hello,


    Do Aruba Mobility controllers not honor session-timeout attributes returned from CPPM when successfully authenticated via MAC Auth?


    Here is my scenario. First, I authenticate via web auth, and I have an enforcement profile set to return a RADIUS attribute session-timeout value of 60 seconds. When running the "show user" on my controller, I can see "reauth: 60," and after 60 seconds, my wireless device reauths.


    Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
    Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: Aruba VSA
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: employee, role-how: 7, L2-role: clearpass-portal-logon, L3-role: employee
    Essid: Organization, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
    RadAcct sessionID:doej58671ADBC442-199
    RadAcct Traffic In 412/107593 Out 355/159220 (0:412/0:0:1:42057,0:355/0:0:2:28148)
    Timers: ping_reply 0, spoof reply 0, reauth 277653068
    Profiles AAA:Organization-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
    IP Born: 1376519708 (Wed Aug 14 18:35:08 2013)
    Core User Born: 1376519706 (Wed Aug 14 18:35:06 2013)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
    Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5


    At this point my wireless device tries to reauth using MAC auth. My enforcement profile for this is also set to return session-timeout, but instead, you can see the "show user" command lists the value I originally assigned to my employee role on my controller (700 minutes, where it shows "reauth: 42000" below).


    Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
    Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: Aruba VSA
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=1
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: employee, role-how: 7, L2-role: employee, L3-role: employee
    Essid: Trinity, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
    RadAcct sessionID:58671adb58671ADBC442-1CF
    RadAcct Traffic In 63/19489 Out 53/11289 (0:63/0:0:0:19489,0:53/0:0:0:11289)
    Timers: ping_reply 0, spoof reply 0, reauth 279180852
    Profiles AAA:Trinity-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
    IP Born: 1376520861 (Wed Aug 14 18:54:21 2013)
    Core User Born: 1376520861 (Wed Aug 14 18:54:21 2013)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
    Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5


    Thanks in advance.

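The observation in the post above (web auth shows `reauth: 60`, MAC auth shows the role's own 700-minute interval, `reauth: 42000`) is the kind of thing worth checking mechanically across many clients rather than by eye. The script below is an added example and is not part of the original post or any Aruba tooling: it parses the relevant fields out of ArubaOS `show user` output and flags sessions whose reauthentication interval does not match the RADIUS Session-Timeout the ClearPass enforcement profile was configured to return. The two sample blocks are constructed from the output quoted in the post (trimmed to the lines the parser uses); the expected timeouts (60 s for both methods) and the role fallback (700 min) are taken from the poster's description, and the field names assumed are the ones visible in that output.

```python
"""Check whether ArubaOS "show user" entries reflect the RADIUS
Session-Timeout that ClearPass was configured to return.

Added example, not code from the thread. The sample blocks are
constructed from the output quoted in the original post (trimmed);
expected values follow the poster's description.
"""
import re

# Constructed sample: trimmed copy of the web-auth "show user" block in the post.
WEB_AUTH_OUTPUT = """\
Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
Current Role name: employee, role-how: 7, L2-role: clearpass-portal-logon, L3-role: employee
Timers: ping_reply 0, spoof reply 0, reauth 277653068
"""

# Constructed sample: trimmed copy of the MAC-auth "show user" block in the post.
MAC_AUTH_OUTPUT = """\
Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
Current Role name: employee, role-how: 7, L2-role: employee, L3-role: employee
Timers: ping_reply 0, spoof reply 0, reauth 279180852
"""

# Session-Timeout (seconds) the ClearPass enforcement profiles return, per the post.
EXPECTED_SESSION_TIMEOUT = {"Web": 60, "MAC": 60}

# Reauthentication interval configured on the controller role itself
# (700 minutes in the post). Assumption: this is what the controller falls
# back to when the RADIUS Session-Timeout is not applied.
ROLE_REAUTH_SECONDS = 700 * 60


def parse_show_user(text):
    """Extract the fields relevant to Session-Timeout from one show user block.

    Note the colon in 'reauth:' - it distinguishes the per-session interval on
    the 'Auth fails' line from the 'reauth <epoch>' timer on the 'Timers' line.
    """
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    reauth = grab(r"\breauth:\s*(\d+)")
    return {
        "mac": grab(r"\bMAC:\s*([0-9a-f:]{17})"),
        "method": grab(r"\bmethod:\s*(\w+)"),
        "server": grab(r"\bserver:\s*(\S+)"),
        "l3auth": grab(r"\bl3auth=(\d)") == "1",
        "reauth": int(reauth) if reauth is not None else None,
        "l2_role": grab(r"\bL2-role:\s*([^,\s]+)"),
    }


def check_session_timeout(entry, expected=EXPECTED_SESSION_TIMEOUT,
                          role_reauth=ROLE_REAUTH_SECONDS):
    """Return (ok, explanation) for one parsed entry; ok is None if unknown method."""
    method = entry["method"]
    want = expected.get(method)
    got = entry["reauth"]
    if want is None:
        return None, f"no expected Session-Timeout configured for method {method!r}"
    if got == want:
        return True, f"{method} auth: controller honors Session-Timeout ({got} s)"
    if got == role_reauth:
        return False, (f"{method} auth: reauth is {got} s, which matches the role's own "
                       f"reauthentication interval, not the RADIUS Session-Timeout ({want} s)")
    return False, f"{method} auth: reauth is {got} s, expected {want} s"


def audit(outputs):
    """Run the check over several show user blocks; returns a list of (ok, explanation)."""
    return [check_session_timeout(parse_show_user(o)) for o in outputs]


if __name__ == "__main__":
    for ok, why in audit([WEB_AUTH_OUTPUT, MAC_AUTH_OUTPUT]):
        print("OK " if ok else "BAD", why)
```

Feeding it the two blocks from the post reports the web-auth session as honoring the 60 s timeout and the MAC-auth session as falling back to the role interval, which is exactly the discrepancy the poster is asking about; the same check can be pointed at a full `show user` dump to find every client affected.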


  • 2.  RE: ClearPass RADIUS session-timeout for web auth vs. mac auth

    EMPLOYEE
    Posted Aug 14, 2013 11:41 PM

    I would recommend that you post this on one of the wireless threads, since this thread is mostly monitored by ClearPass SEs and users, but I would also include:


    1. Controller model

    2. Firmware


    It sounds like CPPM is doing what it is designed to do; you just need to see why the controller isn't honoring it.


    I would check to make sure that on the AAA profile you have the interval turned on.


    [screenshot attachment: screenshot_03 Aug. 14 22.34.gif]



  • 3.  RE: ClearPass RADIUS session-timeout for web auth vs. mac auth

    Posted Aug 15, 2013 12:28 AM

    Hello Troy - I don't seem to have that option. I'm running firmware 6.1.3.6-AirGroup on a 3600 Mobility Controller. Thank you.