Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

need to authenticate again after about 40 minutes

  • 1.  need to authenticate again after about 40 minutes

    Posted Jun 27, 2014 10:33 AM

    Hi,

    I noticed that an authenticated (by ClearPass) endpoint (let's say an iPhone) loses its authentication role after some time (I noted 40 minutes now).  I see on the controller it now only has an initial logon role, which of course caused ClearPass to reject (if we just ask an app like Twitter, for example, to update its feed) as we did not re-authenticate.  I still see the endpoint age at 40 mins at the controller, so the entry has not disappeared from the controller.  It's just the role which has changed.  If we re-authenticate, all's fine of course.  Is there a timeout value somewhere at the controller level?



  • 2.  RE: need to authenticate again after about 40 minutes

    EMPLOYEE
    Posted Jun 27, 2014 11:07 AM

    In the user role, there is a "reauthentication interval" parameter.  See if that has anything.




  • 3.  RE: need to authenticate again after about 40 minutes

    Posted Jun 27, 2014 11:42 AM

    It's currently set to 0.  Any recommendation?



  • 4.  RE: need to authenticate again after about 40 minutes

    EMPLOYEE
    Posted Jun 27, 2014 11:47 AM

    Yes.  Turn on user debugging.  When the problem happens, look at the log to see why the user changed roles:


    config t
    logging level debugging user

    After the problem happens, type "show log user all" to see why the user disconnected.  That is the most definitive way to find out what is happening.




  • 5.  RE: need to authenticate again after about 40 minutes

    Posted Jun 27, 2014 12:03 PM

    Change the reauthentication parameter to something you want and use the debug to see what is happening.



  • 6.  RE: need to authenticate again after about 40 minutes

    Posted Jul 02, 2014 07:23 AM

    I have enabled the user debugging:

    Jul 2 10:01:00 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> <TEST-BE-002 172.16.101.252> username=xyz MAC=90:b9:31:34:99:99 IP=172.16.103.110 Authentication result=Authentication Successful method=radius-accounting server=TEST-BE-003
    Jul 2 10:04:16 2014 TEST-BE-002 stm[1666]: <501102> <NOTI> <TEST-BE-002 172.16.101.252> Disassoc from sta: 90:b9:31:34:99:99: AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Reason STA has left and is disassociated
    Jul 2 10:04:16 2014 172.16.212.89 stm[1145]: <501102> <NOTI> |AP AP105-100@172.16.212.89 stm| Disassoc from sta: 90:b9:31:34:99:99: AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Reason STA has left and is disassociated
    Jul 2 10:04:16 2014 TEST-BE-002 authmgr[1986]: <522036> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 Station DN: BSSID=18:64:72:69:4f:3b ESSID=test-guests-test VLAN=102 AP-name=AP105-100
    Jul 2 10:04:33 2014 172.16.212.89 stm[1145]: <501106> <NOTI> |AP AP105-100@172.16.212.89 stm| Deauth to sta: 90:b9:31:34:99:99: Ageout AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 handle_sapcp
    Jul 2 10:04:33 2014 172.16.212.89 stm[1145]: <501080> <NOTI> |AP AP105-100@172.16.212.89 stm| Deauth to sta: 90:b9:31:34:99:99: Ageout AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Sapcp Ageout (internal ageout)
    Jul 2 10:04:33 2014 TEST-BE-002 stm[1666]: <501114> <NOTI> <TEST-BE-002 172.16.101.252> Deauth from sta: 90:b9:31:34:99:99: AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Reason 255
    Jul 2 10:04:33 2014 TEST-BE-002 stm[1666]: <501044> <NOTI> <TEST-BE-002 172.16.101.252> Station 90:b9:31:34:99:99: No authentication found trying to de-authenticate to BSSID 18:64:72:69:4f:3b on AP AP105-100
    Jul 2 10:06:02 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> <TEST-BE-002 172.16.101.252> username=xyz MAC=90:b9:31:34:99:99 IP=172.16.103.110 Authentication result=Authentication Successful method=radius-accounting server=TEST-BE-003
    Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522005> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 IP=172.16.103.110 User entry deleted: reason=user request
    Jul 2 10:09:16 2014 TEST-BE-002 mdns[1788]: <527004> <INFO> <TEST-BE-002 172.16.101.252> mdns_parse_auth_useridle_message 195 Auth User Idle Timeout: MAC:90:b9:31:34:99:99, WIRED:0, FW:0, VLAN:102, IP:172.16.103.110, BSSID:18:64:72:69:4f:3b, AGE:9852,


    -> here we see the role has changed


    Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522050> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99,IP=N/A User data downloaded to datapath, new Role=test-hq-guests-logon/70, bw Contract=0/0, reason=Station resetting role, idle-timeout=300


    So from above I'm seeing the role change due to a user request, which is here probably the same as an idle timeout?  So the age is 9852, which is 164 minutes.  From above I'm learning that every 300 seconds there is a reauthentication.  I'm however not clear why the reauthentication stops at 10:09.  I see the last successful authentication was at 10:06:02.  At 10:09:16 no 300 seconds have passed...  Meaning... it's not a timeout.  What is "reason=user request"?  The endpoint device itself which gave up?  It's an iPhone btw, which I haven't touched since I authenticated this morning...



  • 7.  RE: need to authenticate again after about 40 minutes

    EMPLOYEE
    Posted Jul 02, 2014 08:21 AM

    Is this a captive portal network?




  • 8.  RE: need to authenticate again after about 40 minutes

    Posted Jul 02, 2014 09:44 AM

    Yes, it is.



  • 9.  RE: need to authenticate again after about 40 minutes

    EMPLOYEE
    Posted Jul 02, 2014 09:47 AM
    If the user has no activity for 300 seconds, they will be required to login again. There is a captive portal idle timeout on the AAA profile that can extend this.
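    The reading of the "show log user all" output that posts 4, 6 and 9 walk through by hand (find the last successful authentication for the station, find the "User entry deleted" and the role reset, and compare the gap with the idle-timeout on the new role) can be scripted so it is repeatable on the next occurrence. The script below is an added example for this thread; it is not code from the thread or from HPE Aruba Networking. The sample log is constructed from a subset of the lines in post 6 (same format and message ids), the message-id-to-meaning mapping is taken only from what those lines say about themselves, and the script treats the AP's "Sapcp Ageout" of the station as the best available proxy for when traffic from the station stopped, which is an assumption, since the syslog does not record the datapath idle clock directly.

```python
import re
from datetime import datetime
from typing import Dict, List

# Sample input: constructed from the controller lines pasted in post 6 (same format and
# message ids, a subset of the lines); it is not a new capture from a controller.
SAMPLE_LOG = """\
Jul 2 10:01:00 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> <TEST-BE-002 172.16.101.252> username=xyz MAC=90:b9:31:34:99:99 IP=172.16.103.110 Authentication result=Authentication Successful method=radius-accounting server=TEST-BE-003
Jul 2 10:04:16 2014 TEST-BE-002 authmgr[1986]: <522036> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 Station DN: BSSID=18:64:72:69:4f:3b ESSID=test-guests-test VLAN=102 AP-name=AP105-100
Jul 2 10:04:33 2014 172.16.212.89 stm[1145]: <501080> <NOTI> |AP AP105-100@172.16.212.89 stm| Deauth to sta: 90:b9:31:34:99:99: Ageout AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Sapcp Ageout (internal ageout)
Jul 2 10:06:02 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> <TEST-BE-002 172.16.101.252> username=xyz MAC=90:b9:31:34:99:99 IP=172.16.103.110 Authentication result=Authentication Successful method=radius-accounting server=TEST-BE-003
Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522005> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 IP=172.16.103.110 User entry deleted: reason=user request
Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522050> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99,IP=N/A User data downloaded to datapath, new Role=test-hq-guests-logon/70, bw Contract=0/0, reason=Station resetting role, idle-timeout=300
"""

# "Jul 2 10:01:00 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> rest-of-message"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<host>\S+) (?P<proc>\w+)\[\d+\]: "
    r"<(?P<msgid>\d+)> <(?P<sev>\w+)> (?P<msg>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
REASON_RE = re.compile(r"reason=([^,]+)")          # reason text may contain spaces
KV_RE = re.compile(r"([\w-]+)=([^,\s]+)")           # single-token key=value pairs

# Message ids as they appear in the thread; the meanings are what the lines themselves say.
AUTH_OK = "522038"        # "Authentication result=Authentication Successful"
USER_DELETED = "522005"   # "User entry deleted: reason=..."
ROLE_CHANGED = "522050"   # "new Role=..., idle-timeout=..."
AP_AGEOUT = "501080"      # AP-side "Sapcp Ageout (internal ageout)"


def parse_events(log_text: str) -> List[Dict]:
    """Turn raw controller syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        mac = MAC_RE.search(msg)
        reason = REASON_RE.search(msg)
        events.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y"),
            "proc": m.group("proc"),
            "msgid": m.group("msgid"),
            "mac": mac.group(1).lower() if mac else None,
            "msg": msg,
            "kv": dict(KV_RE.findall(msg)),
            "reason": reason.group(1).strip() if reason else None,
        })
    return events


def analyze_session(log_text: str, mac: str) -> Dict:
    """Reconstruct one station's timeline: last successful auth, the user-entry deletion,
    the AP ageout before it, and the idle-timeout carried by the role it was reset to."""
    mac = mac.lower()
    evs = [e for e in parse_events(log_text) if e["mac"] == mac]
    auths = [e["time"] for e in evs if e["msgid"] == AUTH_OK and "Successful" in e["msg"]]
    ageouts = [e["time"] for e in evs if e["msgid"] == AP_AGEOUT]
    deleted = next((e for e in evs if e["msgid"] == USER_DELETED), None)
    role = next((e for e in evs if e["msgid"] == ROLE_CHANGED), None)

    r = {
        "auth_count": len(auths),
        "last_auth": auths[-1] if auths else None,
        "deleted_at": deleted["time"] if deleted else None,
        "delete_reason": deleted["reason"] if deleted else None,
        "new_role": role["kv"].get("Role") if role else None,
        "idle_timeout": int(role["kv"]["idle-timeout"]) if role and "idle-timeout" in role["kv"] else None,
        "since_last_auth": None,
        "since_ap_ageout": None,   # assumption: ageout approximates when traffic stopped
    }
    if deleted and auths:
        r["since_last_auth"] = int((deleted["time"] - auths[-1]).total_seconds())
    if deleted and ageouts:
        r["since_ap_ageout"] = int((deleted["time"] - ageouts[-1]).total_seconds())
    return r


def summarize(r: Dict) -> str:
    """One-line reading of the reconstructed session, in the terms the thread uses."""
    if r["deleted_at"] is None:
        return "no 'User entry deleted' event for this station"
    parts = [f"user entry deleted at {r['deleted_at']:%H:%M:%S} (reason={r['delete_reason']})"]
    if r["since_last_auth"] is not None:
        parts.append(f"{r['since_last_auth']} s after the last successful auth")
    if r["since_ap_ageout"] is not None:
        parts.append(f"{r['since_ap_ageout']} s after the AP aged the station out")
    if r["idle_timeout"] is not None:
        parts.append(f"new role {r['new_role']} carries idle-timeout={r['idle_timeout']} s")
    return "; ".join(parts)


if __name__ == "__main__":
    print(summarize(analyze_session(SAMPLE_LOG, "90:b9:31:34:99:99")))
```

    On the sample above the summary reports the deletion 194 s after the last successful authentication but 283 s after the AP aged the station out, alongside the 300 s idle-timeout on the logon role; that is the comparison to make before changing the reauthentication interval or the captive portal idle timeout on the AAA profile, since the two timers answer different questions (how often the user must re-authenticate versus how long the controller keeps an inactive user entry).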


  • 10.  RE: need to authenticate again after about 40 minutes

    Posted Dec 14, 2015 07:13 PM

    This response was posted accidentally. Please disregard!