Community Home > Discuss > Technology > Security > ClearPass RADIUS session-timeout for web auth vs. ...

Security

Reply
burbackm
Occasional Contributor I
burbackm

ClearPass RADIUS session-timeout for web auth vs. mac auth

‎08-14-2013 04:09 PM

Hello,

 

Do Aruba Mobility controllers not honor session-timeout attributes returned from CPPM when successfully authenticated via MAC Auth?

 

Here is my scenario. First, I authenticate via web auth, and I have an enforcement profile set to return a RADIUS attribute session-timeout value of 60 seconds. When running the "show user" on my controller, I can see "reauth: 60," and after 60 seconds, my wireless device reauths.

 

Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: employee, role-how: 7, L2-role: clearpass-portal-logon, L3-role: employee
Essid: Organization, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:doej58671ADBC442-199
RadAcct Traffic In 412/107593 Out 355/159220 (0:412/0:0:1:42057,0:355/0:0:2:28148)
Timers: ping_reply 0, spoof reply 0, reauth 277653068
Profiles AAA:Organization-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376519708 (Wed Aug 14 18:35:08 2013)
Core User Born: 1376519706 (Wed Aug 14 18:35:06 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5

 

 

At this point my wireless device tries to reauth using MAC auth. My enforcement profile for this is also set to return session-timeout, but instead, you can see the "show user" command lists the value I originally assigned to my employee role on my controller (700 minutes, where it shows "reauth: 42000" below).

 

Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: employee, role-how: 7, L2-role: employee, L3-role: employee
Essid: Trinity, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:58671adb58671ADBC442-1CF
RadAcct Traffic In 63/19489 Out 53/11289 (0:63/0:0:0:19489,0:53/0:0:0:11289)
Timers: ping_reply 0, spoof reply 0, reauth 279180852
Profiles AAA:Trinity-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Core User Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5

 

Thanks in advance.

Alert a Moderator
Message 1 of 3
3,215 Views
Reply
0 Kudos
MVP
MVP
tarnold

Re: ClearPass RADIUS session-timeout for web auth vs. mac auth

‎08-14-2013 08:40 PM

I would recommend that you post this on one of the wireless treads since this thread is mostly monitored by clearpass SEs and users, but I would also include

 

1. Controller model

2. Firmware

 

It sounds like CPPM is doing what it is designed to do, you just need to see why the controller isn't honoring it.

 

I would check to make sure on the aaa profile you have the interval turned on.

 

screenshot_03 Aug. 14 22.34.gif

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Alert a Moderator
Message 2 of 3
3,195 Views
Reply
burbackm
Occasional Contributor I
burbackm

Re: ClearPass RADIUS session-timeout for web auth vs. mac auth

‎08-14-2013 09:27 PM

Hello Troy - I don't seem to have that option. I'm running firmware 6.1.3.6-AirGroup on a 3600 Mobility controller. Thank you.

 

Alert a Moderator
Message 3 of 3
3,193 Views
Reply
0 Kudos
Search Airheads
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium