Occasional Contributor II
Posts: 48
Registered: ‎05-23-2014

Expired accounts can still access websites.

Greetings,

 

I hope someone can help. 

 

We have ClearPass Guest v6.3.1.29787 and were testing the expiry feature.  The expiry type is set to disable and logout; however, once the account does expire, the connected account is still able to access websites (not just previously visited / cached ones).

 

The account on guest manager is shown as expired.

 

Anyone come across this before?

 

TIA

 

Gordie 

 

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Expired accounts can still access websites.

Is it an Aruba wireless controller? Do you have RADIUS CoA and accounting enabled?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 48
Registered: ‎05-23-2014

Re: Expired accounts can still access websites.

Hi Tim,

 

Sorry, yes.  We have Aruba iAP 105 AP managed by Airwave.


We do not have CoA or accounting turned on.  We are using the ClearPass appliance as a RADIUS server.

 

TIA

 

G

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Expired accounts can still access websites.

If you want the device to be disconnected immediately when the account expires, you need to turn both those features on in both Instant and CPG.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 48
Registered: ‎05-23-2014

Re: Expired accounts can still access websites.

Cheers Tim,

 

I have checked this setting in CPG, but can't find it on the Instant.  Whereabouts is this setting?

 

TIA

 

G

Guru Elite
Posts: 8,643
Registered: ‎09-08-2010

Re: Expired accounts can still access websites.

CoA (RFC 3576) is found in your authentication server settings.

 

instant-rfc3576.png

 

Accounting is found under the SSIDs security settings.

 

instant-accounting.png


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
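
Added illustration, not part of the thread and not Aruba's code: a sketch of the RFC 3576 Disconnect-Request a RADIUS server sends to the access device to end a session, and the check the receiving side performs. It identifies the session with Acct-Session-Id, an attribute defined for RADIUS accounting. The shared secret, attribute values and function names are constructed for the example.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40          # RFC 3576 packet code (ACK = 41, NAK = 42)
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID = 1, 31, 44   # RFC 2865/2866 types


def encode_attr(attr_type, value):
    """Type (1 octet), Length (1 octet, counts the 2-octet header), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_disconnect_request(ident, secret, session):
    """Server side: name the session to end and sign the packet."""
    attrs = b"".join(encode_attr(t, v) for t, v in session)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(DISCONNECT_REQUEST, ident, attrs, secret) + attrs


def nas_accepts(packet, secret):
    """Access-device side: accept only a well-formed request signed with our secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values (not taken from the thread).
SECRET = b"constructed-shared-secret"
SESSION = [
    (USER_NAME, b"guest@example.com"),
    (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"),
    (ACCT_SESSION_ID, b"0A1B2C3D-0001"),
]
PACKET = build_disconnect_request(7, SECRET, SESSION)
```
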
Occasional Contributor II
Posts: 48
Registered: ‎05-23-2014

Re: Expired accounts can still access websites.

Thanks Tim,  appreciate your help.

 

I have made the changes, but it's still not logging me off when my session expires.  It has had the side effect of adding data to active sessions :)

 

 

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Expired accounts can still access websites.

Did you start a new session with the client and delete the old one?

 

You may have to remove the client session from the Virtual Controller List and then try again.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA