Occasional Contributor I
Posts: 9
Registered: ‎03-25-2013

ClearPass RADIUS session-timeout for web auth vs. mac auth

Hello,

Do Aruba Mobility controllers not honor session-timeout attributes returned from CPPM when successfully authenticated via MAC Auth?

Here is my scenario. First, I authenticate via web auth, and I have an enforcement profile set to return a RADIUS attribute session-timeout value of 60 seconds. When running the "show user" on my controller, I can see "reauth: 60," and after 60 seconds, my wireless device reauths.

Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: employee, role-how: 7, L2-role: clearpass-portal-logon, L3-role: employee
Essid: Organization, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:doej58671ADBC442-199
RadAcct Traffic In 412/107593 Out 355/159220 (0:412/0:0:1:42057,0:355/0:0:2:28148)
Timers: ping_reply 0, spoof reply 0, reauth 277653068
Profiles AAA:Organization-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376519708 (Wed Aug 14 18:35:08 2013)
Core User Born: 1376519706 (Wed Aug 14 18:35:06 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5

At this point my wireless device tries to reauth using MAC auth. My enforcement profile for this is also set to return session-timeout, but instead, you can see the "show user" command lists the value I originally assigned to my employee role on my controller (700 minutes, where it shows "reauth: 42000" below).

Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: employee, role-how: 7, L2-role: employee, L3-role: employee
Essid: Trinity, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:58671adb58671ADBC442-1CF
RadAcct Traffic In 63/19489 Out 53/11289 (0:63/0:0:0:19489,0:53/0:0:0:11289)
Timers: ping_reply 0, spoof reply 0, reauth 279180852
Profiles AAA:Trinity-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Core User Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5

Thanks in advance.
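A quick way to check whether the controller actually applied the RADIUS Session-Timeout (attribute 27) is to parse the "show user" entry and compare its "reauth:" timer with the value the enforcement profile was meant to return. This is an added example, not part of the original post or any Aruba/ClearPass tool; the sample input is excerpted from the two dumps above, and the 700-minute role fallback is the figure quoted in the post.

```python
import re

# Sample input: lines excerpted from the two "show user" dumps in the post.
WEB_AUTH_DUMP = """\
Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
"""
MAC_AUTH_DUMP = """\
Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
"""

# Regexes keyed on the field labels the controller prints.
MAC_RE = re.compile(r"MAC:\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
METHOD_RE = re.compile(r"method:\s*(\w+)")
REAUTH_RE = re.compile(r"reauth:\s*(\d+)")


def parse_show_user(text):
    """Extract MAC, auth method and the reauth timer (seconds) from one entry.

    Raises ValueError if any field is missing, so a changed output format
    fails loudly instead of silently reporting 'honored'.
    """
    found = {}
    for key, rx in (("mac", MAC_RE), ("method", METHOD_RE), ("reauth", REAUTH_RE)):
        m = rx.search(text)
        if not m:
            raise ValueError("field %r not found in show user output" % key)
        found[key] = m.group(1)
    found["mac"] = found["mac"].lower()
    found["reauth"] = int(found["reauth"])
    return found


def check_session_timeout(text, expected_seconds, role_default_minutes):
    """Report whether the RADIUS Session-Timeout was honored for this entry.

    expected_seconds: value the enforcement profile returns (60 in the post).
    role_default_minutes: reauth interval configured on the controller role
    (700 in the post); a match there means the controller fell back to it.
    """
    info = parse_show_user(text)
    info["honored"] = info["reauth"] == expected_seconds
    info["fell_back_to_role"] = info["reauth"] == role_default_minutes * 60
    return info
```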

Aruba
Posts: 1,545
Registered: ‎06-12-2012

Re: ClearPass RADIUS session-timeout for web auth vs. mac auth

I would recommend that you post this on one of the wireless threads since this thread is mostly monitored by ClearPass SEs and users, but I would also include

1. Controller model

2. Firmware

It sounds like CPPM is doing what it is designed to do; you just need to see why the controller isn't honoring it.

I would check to make sure on the aaa profile you have the interval turned on.

screenshot_03 Aug. 14 22.34.gif

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I
Posts: 9
Registered: ‎03-25-2013

Re: ClearPass RADIUS session-timeout for web auth vs. mac auth

Hello Troy - I don't seem to have that option. I'm running firmware 6.1.3.6-AirGroup on a 3600 Mobility controller. Thank you.
