ClearPass RADIUS session-timeout for web auth vs. mac auth
08-14-2013 04:09 PM
Hello,
Do Aruba Mobility controllers not honor session-timeout attributes returned from CPPM when successfully authenticated via MAC Auth?
Here is my scenario. First, I authenticate via web auth, and I have an enforcement profile set to return a RADIUS attribute session-timeout value of 60 seconds. When running the "show user" on my controller, I can see "reauth: 60," and after 60 seconds, my wireless device reauths.
Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: employee, role-how: 7, L2-role: clearpass-portal-logon, L3-role: employee
Essid: Organization, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:doej58671ADBC442-199
RadAcct Traffic In 412/107593 Out 355/159220 (0:412/0:0:1:42057,0:355/0:0:2:28148)
Timers: ping_reply 0, spoof reply 0, reauth 277653068
Profiles AAA:Organization-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376519708 (Wed Aug 14 18:35:08 2013)
Core User Born: 1376519706 (Wed Aug 14 18:35:06 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5
At this point my wireless device tries to reauth using MAC auth. My enforcement profile for this is also set to return session-timeout, but instead, you can see the "show user" command lists the value I originally assigned to my employee role on my controller (700 minutes, where it shows "reauth: 42000" below).
Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: employee, role-how: 7, L2-role: employee, L3-role: employee
Essid: Trinity, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:58671adb58671ADBC442-1CF
RadAcct Traffic In 63/19489 Out 53/11289 (0:63/0:0:0:19489,0:53/0:0:0:11289)
Timers: ping_reply 0, spoof reply 0, reauth 279180852
Profiles AAA:Trinity-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Core User Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5
Thanks in advance.
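Added example, not part of the original post and not Aruba or ClearPass tooling: a Python check that reads the applied `reauth:` interval from "show user" output and compares it with the Session-Timeout the RADIUS server is configured to return. The sample records are abridged from the two outputs quoted in the post; the function names, and the assumption that the MAC auth profile also returns 60 seconds, are hypothetical.

```python
import re

# Abridged from the two "show user" outputs quoted in the post above.
WEB_AUTH = (
    "Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, "
    "Authentication: Yes, status: started, method: Web, protocol: PAP, "
    "Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, "
    "Timers: ping_reply 0, spoof reply 0, reauth 277653068"
)
MAC_AUTH = (
    "Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, "
    "Authentication: Yes, status: started, method: MAC, protocol: PAP, "
    "Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, "
    "Timers: ping_reply 0, spoof reply 0, reauth 279180852"
)

# "reauth: N" (with a colon) is the interval the post reads from "show user";
# the colon-less "reauth N" under Timers is a different value and is skipped.
FIELDS = {
    "mac": re.compile(r"\bMAC: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"),
    "role": re.compile(r"\bRole:\s*([\w-]+)"),
    "method": re.compile(r"\bmethod: (\w+)"),
    "reauth": re.compile(r"\breauth: (\d+)"),
}

def parse_show_user(text):
    """Extract the session fields from one "show user" record."""
    rec = {}
    for name, rx in FIELDS.items():
        match = rx.search(text)
        rec[name] = match.group(1) if match else None
    if rec["reauth"] is not None:
        rec["reauth"] = int(rec["reauth"])
    return rec

def audit(text, expected_timeout, role_default=None):
    """Compare the applied reauth interval with the expected Session-Timeout."""
    rec = parse_show_user(text)
    applied = rec["reauth"]
    if applied is None:
        rec["verdict"] = "no-reauth-field"
    elif applied == expected_timeout:
        rec["verdict"] = "honored"
    elif role_default is not None and applied == role_default:
        rec["verdict"] = "role-default"  # controller fell back to the role's own timer
    else:
        rec["verdict"] = "mismatch"
    return rec

if __name__ == "__main__":
    # Assumption: both enforcement profiles return 60 s; 42000 s is the role value from the post.
    for sample in (WEB_AUTH, MAC_AUTH):
        r = audit(sample, expected_timeout=60, role_default=42000)
        print(r["method"], r["mac"], r["reauth"], r["verdict"])
```
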
Re: ClearPass RADIUS session-timeout for web auth vs. mac auth
08-14-2013 08:40 PM
I would recommend that you post this on one of the wireless threads, since this thread is mostly monitored by ClearPass SEs and users, but I would also include:
1. Controller model
2. Firmware
It sounds like CPPM is doing what it is designed to do; you just need to see why the controller isn't honoring it.
I would check to make sure on the aaa profile you have the interval turned on.
Troy
Re: ClearPass RADIUS session-timeout for web auth vs. mac auth
08-14-2013 09:27 PM
Hello Troy - I don't seem to have that option. I'm running firmware 6.1.3.6-AirGroup on a 3600 Mobility controller. Thank you.