Security

Reply
jyu
New Contributor
Posts: 2
Registered: ‎06-01-2016

Clients are being asked to repeatedly authenticate on Instant Captive portal

We recently rolled out several Instant deployments throughout the enterprise and we are using an external captive portal for authenticating our guest users at each location.  The authentication component is all working fine.  However, we are receiving reports from users across different offices and geographic regions that after their device has been idling for a while (laptops, Android/iOS), upon resuming usage of the device, they are being redirected to the captive portal for authenication again.

 

We have made tweaks to the inactivity timeout, disabled the option to deauthenticate inactive clients, as well as changing the reauthentication interval (setting it to hours instead of seconds or minutes), but nothing seems to be making any difference.  Anecdotal evidence seems to indicate that a device idling for about an hour would get prompted to re-authenticate again upon "waking" up.  This issue seems most prevalent when users close their laptops to step out for lunch.  Upon returning, they are prompted to authenticate again.

 

We are new to Aruba wireless (formerly had Cisco), so is there anything else we can check or tune to address these issues, or is this normal expected behavior?

Guru Elite
Posts: 8,749
Registered: ‎09-08-2010

Re: Clients are being asked to repeatedly authenticate on Instant Captive portal

What is your external captive portal solution? You need to leverage some
type or pre-authentication to so the IAP knows the user is still valid. With
ClearPass, this is known as MAC-caching.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
jyu
New Contributor
Posts: 2
Registered: ‎06-01-2016

Re: Clients are being asked to repeatedly authenticate on Instant Captive portal

Hi Tim,

 

Thanks for your reply.

 

We are not using ClearPass.

 

We have an IIS webserver presenting a custom portal page and passing the username/password to the IAP (backend is RADIUS) via a pre-authentication role.  In the absense of having ClearPass, is there any workaround that we can utilize?  Would using the internal captive portal make a difference?

 

Thanks,

John

Search Airheads
Showing results for 
Search instead for 
Did you mean: