Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass CoA update session timeout on registration

  • 1.  Clearpass CoA update session timeout on registration

    Posted Jul 21, 2014 09:54 AM

    Hi

    I’m new to ClearPass so may have missed something obvious or it’s not possible etc. Basically we have a requirement to provide a guest captive portal with self-sponsor where initial registration grants 15min access (so you can get to your emails) and clicking the self-sponsor link updates this to 3 months.

    I have the basics working: the guest gets 15mins access, clicks the link and ClearPass updates their account with +720 days expiration. What I can’t seem to get is CoA / RFC 3567 to update the active session so the user does not have to log in again.

    At the moment the user gets redirected back to the portal after 15mins and when they log back in they get 3 months session timeout in seconds (it’s a large number, may just be the largest WLC will accept).

    CoA is working as I can disconnect users etc. from ClearPass. RADIUS accounting is also working correctly as far as I can tell. I have created a policy which will successfully update the session timeout via CoA; I have tested it by enforcing it under the guest authentications service.

    I can’t see any way of enforcing this profile based on RADIUS accounting or the user clicking the link in the self-sponsor email.

    Any ideas?

    ClearPass version 6.3.4.64924

    Cisco WLC version 7.6.120.0

    Thanks in advance

    Andy
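
As an added illustration of the CoA exchange discussed in the first post (not code from the thread, ClearPass, or Cisco): a minimal RFC 5176 CoA-Request carrying Session-Timeout, built and then verified the way a NAS checks the Request Authenticator. The shared secret, user name, MAC address, the 90-day timeout, and the choice of User-Name plus Calling-Station-Id to identify the session are assumptions; whether a given controller applies a new Session-Timeout to a live session is not established here.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43                 # RFC 5176 packet code for CoA-Request
USER_NAME, SESSION_TIMEOUT, CALLING_STATION_ID = 1, 27, 31

def attr(attr_type: int, value: bytes) -> bytes:
    # One RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_coa_request(ident, secret, username, client_mac, timeout_s) -> bytes:
    attrs = (attr(USER_NAME, username.encode())
             + attr(CALLING_STATION_ID, client_mac.encode())
             + attr(SESSION_TIMEOUT, struct.pack("!I", timeout_s)))
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs

def parse_coa_request(packet: bytes, secret: bytes) -> dict:
    """Verify the authenticator, then return {attribute type: raw value}."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    expected = request_authenticator(packet[:4], packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Request Authenticator (wrong shared secret?)")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

# Constructed sample values: 90 days stands in for the thread's "3 months".
SECRET = b"example-shared-secret"
PACKET = build_coa_request(7, SECRET, "guest@example.com",
                           "00-11-22-33-44-55", 90 * 24 * 3600)

if __name__ == "__main__":
    print(struct.unpack("!I", parse_coa_request(PACKET, SECRET)[SESSION_TIMEOUT])[0])
```

A packet that fails this check is silently discarded by a compliant NAS, so a shared-secret mismatch shows up as a CoA timeout rather than a CoA-NAK.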



  • 2.  RE: Clearpass CoA update session timeout on registration
    Best Answer

    EMPLOYEE
    Posted Jul 21, 2014 02:24 PM

    Do you have two services created for the Guest service? One for the initial .1x CP login and the MAC auth for the MAC caching.

     

    guestservices.png



  • 3.  RE: Clearpass CoA update session timeout on registration
    Best Answer

    Posted Jul 22, 2014 03:41 AM

    Hi

    Thanks for the reply

    I wasn't using MAC auth as the customer wants the user to have to log in each time they return to a site so they can use the portal page for advertising, event notification etc. As this is being rolled out to libraries, it will be the general public connecting.

    Is it possible to allow the 15 minute grace period prior to email self sponsor, then MAC authentication for 24 hours, but keep the account valid for 3 months so they get 24 hours each time they return to site but not have to re-register again?

    cheers

    Andy



  • 4.  RE: Clearpass CoA update session timeout on registration

    Posted Jul 22, 2014 11:29 AM

    Hi

    I have resolved this now by using MAC authentication with a MAC expiry of 24 hours. The user's account still gets the 15min pre registration / 3 month post registration. They only get redirected to the captive portal once every 24 hours.

    thanks for the help

    Andy