11-24-2015 04:45 PM
Can anyone point me at some information on how the timeouts/reauthentication process works?
We have Windows laptops that are closed (sleep) for a few days and when opened up, show a "Web Authentication is disabled" screen, and they are unable to contact the domain for a login until a reboot.
I've played around a bit with the user-role "Reauthentication interval," the SSID "Station Ageout Time" and the AAA "User Idle Timeout" but I am just changing numbers at random hoping to see some change in behaviour.
I can't find anything that explains what they are, the GUI doesn't give any help on what the numbers mean at all. For example: "User Idle Timeout" - GUI says it is "the User Idle Timeout" and the manual says "The user idle timeout value for this profile."- wow, thanks guys, that really helps! (sarcasm)
I've looked through a few posts that talk about User versus Station, but none talk about interactions between the various numbers and the implications.
Some things imply that I am looking in the wrong spot, like the "Station Ageout Interval" defaults to 30 minutes, so I assume 5 days is probably not a good idea (or even allowed) but I am hoping for some good docs explaining how all the pieces fit together.
3600 Mobility controller with 6.3.1 sw
RADIUS authentication of Domain users through our Windows servers
Solved! Go to Solution.
11-24-2015 04:47 PM
Rule#1 of fight club - don't change any timers
Rule#2 of fight club - see rule #1
What is the exact version of ArubaOS you have? You said 6.3.1, but you are missing the last digit
Are you using 802.1x WPA2-AES to authenticate devices?
Do you have machine authentication enabled on your laptops?
What role do authenticated devices get when machine authentication occurs?
What role do authenticated devices get when machine and user authentication occurs?
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
11-25-2015 08:48 AM
Colin, thanks for the reply. We are running 18.104.22.168 (we have AP-65's in use)
AAA profile has initial role = logon, 802.1x default role = logon, L2 auth Fail through unchecked, user idle timeout not enabled.
802.1x Authentication profile has: enforce machine auth checked, machine default role = "lsd-pc-role" and machine auth default user role = logon.
The 802.1x Authentication Server group points at our Windows Radius Server group with rules for unauthenticated workstations (member of domain workstations), user login of staff and students (member of appropriate group).
The "lsd-pc-role" user role implements firewall policies to prevent dhcp servers (deny UDP 68)
For Windows Domain computers. We use a SSID that has wpa2-aes and 802.1x authentication profile. (domain trust certificate is pushed out via GPO to workstations)
I am struggling to understand if a Group Policy setting on the individual workstations might be controlling this behaviour or something in the controler config is doing it or if it is some kind of inherent problem in Windows.
Any thoughts you have would be appreciated!
11-25-2015 08:50 AM