Security

Reply
Contributor I
Posts: 27
Registered: ‎05-20-2013

Clearpass - Guest session timeout / re-connection problem

We have a fairly standard Clearpass Guest configuration and 10 IAPs.

 

Captive portal guest authentication works very well but we are having a real problem with sessions seemingly being dropped after relatively short periods of inactivity. Guests come to our site, get a login (either created manually or self-registration with sponsor approval), and get their iphone or ipad online. But when they put their device down for 10-15 minutes and come back to it, they find  there is no longer a connection.

 

Often they either have to select the wireless network again from scratch, and/or type in their clearpass login (or, if they didn't make a note of their password, go through the self-registration process again).

 

I'm aware some of this depends on the device (iOS has auto-connect and auto-login settings for wireless networks that require authentication) but even with those options selected, the process is far from reliable.

 

Simple question, is this a basic limitation of captive portal guest authentication in general, or should the user experience be better? Ideally, if we assign a guest account valid for 8 hours, we'd like the device to be seamlessly connectable for roughly that period - even if the device is not contantly is use.

 

Is there anything I can adjust on the Instant APs or clearpass to improve things?

 

 

 

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Clearpass - Guest session timeout / re-connection problem

 

Is this only happening to certain devices or it happens to everybody ?

 

Have you changed the reauth interval ?

 

Instant - Google Chrome_2013-08-01_11-09-16.png

 

Is also possible that it an issue on a particular IAP OS according to this thread:

 

http://community.arubanetworks.com/t5/Access-Points-and-Mesh-Routers/Captive-Portal-issue/td-p/29062/page/2

 

What IAP OS do you have installed ?

 

If you have the latest OS then I suggest you open a TAC case

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Clearpass - Guest session timeout / re-connection problem

That setting will definitely help but also consider doing MAC-auth as well which ClearPass can link to the guest registration.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Contributor I
Posts: 27
Registered: ‎05-20-2013

Re: Clearpass - Guest session timeout / re-connection problem

Thank you both for your replies and advice.

 

After some more experimentation I think I may have found a cause of the problem.

 

We have a preauthentication role for guests that is limited to http and https access to the Clearpass IP only.

Once authenticated the client falls into a "Guest" role that completely locks them out of all IP ranges used internally. Critically, this included the Clearpass device itself.

 

I've just added a new rule above at the top of the access list, allowing traffic to Clearpass. Clients now seem to keep their connection, even if the device is not used for a while.

 

 

Contributor I
Posts: 27
Registered: ‎05-20-2013

Re: Clearpass - Guest session timeout / re-connection problem

Contary to my last post on this, I'm not confident this was the cause of the problem. We are still seeing wireless guest users losing their sessions after relatively short periods of inactivity and being redirected to captive portal to login again.

 

Found this similar problem on an older version of Clearpass 3.9.

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Default-Session-Timeout-Option/td-p/51364

 

The solution talks about "MAC caching". In 6.2 this options looks a bit more complicated.

 

Can anyone advise whether MAC caching is likley to be useful in stopping sessions from timing out? And if so, how best to do it?

Search Airheads
Showing results for 
Search instead for 
Did you mean: