Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

help needed with timeout concepts

  • 1.  help needed with timeout concepts

    Posted Nov 24, 2015 07:45 PM

    Can anyone point me at some information on how the timeouts/reauthentication process works?

    We have Windows laptops that are closed (sleep) for a few days and when opened up, show a "Web Authentication is disabled" screen, and they are unable to contact the domain for a login until a reboot.

    I've played around a bit with the user-role "Reauthentication interval," the SSID "Station Ageout Time" and the AAA "User Idle Timeout" but I am just changing numbers at random hoping to see some change in behaviour.

    I can't find anything that explains what they are; the GUI doesn't give any help on what the numbers mean at all. For example: "User Idle Timeout" - GUI says it is "the User Idle Timeout" and the manual says "The user idle timeout value for this profile." - wow, thanks guys, that really helps! (sarcasm)

    I've looked through a few posts that talk about User versus Station, but none talk about interactions between the various numbers and the implications.

    Some things imply that I am looking in the wrong spot, like the "Station Ageout Interval" defaults to 30 minutes, so I assume 5 days is probably not a good idea (or even allowed), but I am hoping for some good docs explaining how all the pieces fit together.

    We have:

    3600 Mobility controller with 6.3.1 sw

    RADIUS authentication of Domain users through our Windows servers



  • 2.  RE: help needed with timeout concepts

    EMPLOYEE
    Posted Nov 24, 2015 07:48 PM

    Rule #1 of fight club - don't change any timers.

    Rule #2 of fight club - see rule #1.

    What is the exact version of ArubaOS you have? You said 6.3.1, but you are missing the last digit.

    Are you using 802.1x WPA2-AES to authenticate devices?

    Do you have machine authentication enabled on your laptops?

    What role do authenticated devices get when machine authentication occurs?

    What role do authenticated devices get when machine and user authentication occurs?



  • 3.  RE: help needed with timeout concepts

    Posted Nov 25, 2015 11:49 AM

    Colin, thanks for the reply. We are running 6.3.1.18 (we have AP-65's in use).

    AAA profile has initial role = logon, 802.1x default role = logon, L2 auth fail-through unchecked, user idle timeout not enabled.

    802.1x Authentication profile has: enforce machine auth checked, machine default role = "lsd-pc-role" and machine auth default user role = logon.

    The 802.1x Authentication Server group points at our Windows RADIUS server group with rules for unauthenticated workstations (member of domain workstations) and user login of staff and students (member of appropriate group).

    The "lsd-pc-role" user role implements firewall policies to prevent DHCP servers (deny UDP 68).

    For Windows Domain computers, we use an SSID that has WPA2-AES and an 802.1x authentication profile (the domain trust certificate is pushed out via GPO to workstations).

    I am struggling to understand if a Group Policy setting on the individual workstations might be controlling this behaviour, or something in the controller config is doing it, or if it is some kind of inherent problem in Windows.

    Any thoughts you have would be appreciated!

    Mark



  • 4.  RE: help needed with timeout concepts
    Best Answer

    EMPLOYEE
    Posted Nov 25, 2015 11:51 AM
    802.1x default role should be authenticated or a production role, instead of logon. That is why you were getting the captive portal.
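
    As an added illustration of this answer (constructed here, not configuration taken from the thread or from the poster's controller), the ArubaOS 6.x CLI form of the two AAA settings discussed, with the setting that produced the captive portal beside the corrected one. Profile and server-group names are assumed; "lsd-pc-role" and "authenticated" are the roles named in the thread and the built-in production role respectively.

    ```text
    ! Constructed example in ArubaOS 6.x running-config syntax; profile and
    ! server-group names are assumptions.
    !
    ! BEFORE: dot1x-default-role "logon" leaves a client that passed 802.1X in the
    ! pre-authentication role, so it still only sees the logon/captive-portal policy.
    aaa profile "corp-dot1x-aaa"
       initial-role "logon"
       authentication-dot1x "corp-dot1x-auth"
       dot1x-default-role "logon"
       dot1x-server-group "corp-radius"

    ! AFTER: a successful 802.1X authentication lands the client in a production role.
    ! A role returned by a server derivation rule or RADIUS VSA still overrides this
    ! default, so the default only applies when the server assigns nothing.
    aaa profile "corp-dot1x-aaa"
       initial-role "logon"
       authentication-dot1x "corp-dot1x-auth"
       dot1x-default-role "authenticated"
       dot1x-server-group "corp-radius"

    ! Matching 802.1X profile: machine authentication enforced, machine-only clients
    ! get the restricted "lsd-pc-role", machine + user authentication gets the
    ! production role rather than "logon".
    aaa authentication dot1x "corp-dot1x-auth"
       machine-authentication enable
       machine-authentication machine-default-role "lsd-pc-role"
       machine-authentication user-default-role "authenticated"
    ```

    To confirm which role a client actually ended up in after a change, `show user-table` on the controller lists each client's current role and authentication method.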


  • 5.  RE: help needed with timeout concepts

    Posted Nov 25, 2015 01:14 PM

    Thanks for the info, I will change it and give it a try!