Security

Contributor II
Posts: 66
Registered: ‎01-25-2013

need to authenticate again after about 40 minutes

Hi,

 

I noticed that an endpoint authenticated by ClearPass (let's say an iPhone) loses its authentication role after some time (I noted 40 minutes now). I see on the controller that it now only has an initial logon role, which of course caused ClearPass to reject (if we just ask an app like Twitter, for example, to update its feed) as we did not re-authenticate. I still see the endpoint age at 40 mins at the controller, so the entry has not disappeared from the controller. It's just the role which has changed. If we re-authenticate, all's fine of course. Is there a timeout value somewhere at the controller level?

Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: need to authenticate again after about 40 minutes

In the user role, there is a "reauthentication interval" parameter.  See if that has anything.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 66
Registered: ‎01-25-2013

Re: need to authenticate again after about 40 minutes

It's currently set to 0.  Any recommendation?

Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: need to authenticate again after about 40 minutes

Yes. Turn on user debugging. When the problem happens, look at the log to see why the user changed roles:

 

config t
logging level debugging user

 After the problem happens, type "show log user all" to see why the user disconnected.  That is the most definitive way to find out what is happening.

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 48
Registered: ‎03-16-2014

Re: need to authenticate again after about 40 minutes


Change the reauthentication parameter to be something you want and use the debug to see what is happening.

Islam Zidan │ Professional Services Engineer | ACCP,ACMP,CWDP,CWNA,CCNP,MCITP,Competia A+
Contributor II
Posts: 66
Registered: ‎01-25-2013

Re: need to authenticate again after about 40 minutes

Have enabled the user debugging:

 

Jul 2 10:01:00 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> <TEST-BE-002 172.16.101.252> username=xyz MAC=90:b9:31:34:99:99 IP=172.16.103.110 Authentication result=Authentication Successful method=radius-accounting server=TEST-BE-003
Jul 2 10:04:16 2014 TEST-BE-002 stm[1666]: <501102> <NOTI> <TEST-BE-002 172.16.101.252> Disassoc from sta: 90:b9:31:34:99:99: AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Reason STA has left and is disassociated
Jul 2 10:04:16 2014 172.16.212.89 stm[1145]: <501102> <NOTI> |AP AP105-100@172.16.212.89 stm| Disassoc from sta: 90:b9:31:34:99:99: AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Reason STA has left and is disassociated
Jul 2 10:04:16 2014 TEST-BE-002 authmgr[1986]: <522036> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 Station DN: BSSID=18:64:72:69:4f:3b ESSID=test-guests-test VLAN=102 AP-name=AP105-100
Jul 2 10:04:33 2014 172.16.212.89 stm[1145]: <501106> <NOTI> |AP AP105-100@172.16.212.89 stm| Deauth to sta: 90:b9:31:34:99:99: Ageout AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 handle_sapcp
Jul 2 10:04:33 2014 172.16.212.89 stm[1145]: <501080> <NOTI> |AP AP105-100@172.16.212.89 stm| Deauth to sta: 90:b9:31:34:99:99: Ageout AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Sapcp Ageout (internal ageout)
Jul 2 10:04:33 2014 TEST-BE-002 stm[1666]: <501114> <NOTI> <TEST-BE-002 172.16.101.252> Deauth from sta: 90:b9:31:34:99:99: AP 172.16.212.89-18:64:72:69:4f:3b-AP105-100 Reason 255
Jul 2 10:04:33 2014 TEST-BE-002 stm[1666]: <501044> <NOTI> <TEST-BE-002 172.16.101.252> Station 90:b9:31:34:99:99: No authentication found trying to de-authenticate to BSSID 18:64:72:69:4f:3b on AP AP105-100
Jul 2 10:06:02 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> <TEST-BE-002 172.16.101.252> username=xyz MAC=90:b9:31:34:99:99 IP=172.16.103.110 Authentication result=Authentication Successful method=radius-accounting server=TEST-BE-003
Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522005> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 IP=172.16.103.110 User entry deleted: reason=user request
Jul 2 10:09:16 2014 TEST-BE-002 mdns[1788]: <527004> <INFO> <TEST-BE-002 172.16.101.252> mdns_parse_auth_useridle_message 195 Auth User Idle Timeout: MAC:90:b9:31:34:99:99, WIRED:0, FW:0, VLAN:102, IP:172.16.103.110, BSSID:18:64:72:69:4f:3b, AGE:9852,

 

-> here we see the role has changed


Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522050> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99,IP=N/A User data downloaded to datapath, new Role=test-hq-guests-logon/70, bw Contract=0/0, reason=Station resetting role, idle-timeout=300

 

So from the above I'm seeing the role change due to a user request, which here is probably the same as an idle timeout? So the age is 9852, which is 164 minutes. From the above I'm learning that every 300 seconds there is a reauthentication. I'm however not clear why the reauthentication stops at 10:09. I see the last successful authentication was at 10:06:02. At 10:09:16 no 300 seconds have passed... Meaning... it's not a timeout. What is "reason=user request"? The endpoint device itself which gave up? It's an iPhone, btw, which I haven't touched since I authenticated this morning...

Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: need to authenticate again after about 40 minutes

Is this a captive portal network?

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 66
Registered: ‎01-25-2013

Re: need to authenticate again after about 40 minutes

Yes, it is.

Guru Elite
Posts: 21,007
Registered: ‎03-29-2007

Re: need to authenticate again after about 40 minutes

If the user has no activity for 300 seconds, they will be required to login again. There is a captive portal idle timeout on the AAA profile that can extend this.


Colin Joseph
Aruba Customer Engineering
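
The timeline behind this answer can be read out of the debug log posted earlier in the thread. The following is an added example, not part of the original posts and not Aruba tooling: it parses five of the posted lines and, for each role change, reports the seconds since the last successful authentication and since the last "Station DN" event next to the `idle-timeout` value. The function names and the choice to classify events by message text are assumptions made for this example.

```python
import re
from datetime import datetime

# Five lines copied from the debug log posted above.
SAMPLE = """\
Jul 2 10:04:16 2014 TEST-BE-002 authmgr[1986]: <522036> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 Station DN: BSSID=18:64:72:69:4f:3b ESSID=test-guests-test VLAN=102 AP-name=AP105-100
Jul 2 10:06:02 2014 TEST-BE-002 authmgr[1655]: <522038> <INFO> <TEST-BE-002 172.16.101.252> username=xyz MAC=90:b9:31:34:99:99 IP=172.16.103.110 Authentication result=Authentication Successful method=radius-accounting server=TEST-BE-003
Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522005> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99 IP=172.16.103.110 User entry deleted: reason=user request
Jul 2 10:09:16 2014 TEST-BE-002 mdns[1788]: <527004> <INFO> <TEST-BE-002 172.16.101.252> mdns_parse_auth_useridle_message 195 Auth User Idle Timeout: MAC:90:b9:31:34:99:99, WIRED:0, FW:0, VLAN:102, IP:172.16.103.110, BSSID:18:64:72:69:4f:3b, AGE:9852,
Jul 2 10:09:16 2014 TEST-BE-002 authmgr[1655]: <522050> <INFO> <TEST-BE-002 172.16.101.252> MAC=90:b9:31:34:99:99,IP=N/A User data downloaded to datapath, new Role=test-hq-guests-logon/70, bw Contract=0/0, reason=Station resetting role, idle-timeout=300
"""

HEADER = re.compile(r"^(\w{3} +\d+ [\d:]{8} \d{4}) ")
MAC = re.compile(r"MAC[=:]((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
ROLE = re.compile(r"new Role=([^,]+), .*reason=([^,]+), idle-timeout=(\d+)")
# Assumption: event types are recognised by these substrings of the message.
MARKERS = {"auth_ok": "Authentication Successful", "station_down": "Station DN",
           "entry_deleted": "User entry deleted",
           "idle_timeout": "Auth User Idle Timeout", "role_change": "new Role="}

def parse(line):
    """Return (timestamp, mac, kind) for a recognised line, else None."""
    head, mac = HEADER.match(line), MAC.search(line)
    kind = next((k for k, s in MARKERS.items() if s in line), None)
    if not (head and mac and kind):
        return None
    when = datetime.strptime(head.group(1), "%b %d %H:%M:%S %Y")
    return when, mac.group(1).lower(), kind

def seconds_since(last, mac, kind, now):
    t = last.get((mac, kind))
    return None if t is None else int((now - t).total_seconds())

def explain_role_changes(log_text):
    """One finding per role change, with the gaps to earlier events."""
    last, findings = {}, []          # last[(mac, kind)] -> most recent time
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        when, mac, kind = ev
        m = ROLE.search(line) if kind == "role_change" else None
        if m:
            idle = int(m.group(3))
            down = seconds_since(last, mac, "station_down", when)
            findings.append({
                "mac": mac, "new_role": m.group(1), "reason": m.group(2),
                "idle_timeout": idle,
                "since_auth": seconds_since(last, mac, "auth_ok", when),
                "since_station_down": down,
                "idle_message_seen": seconds_since(last, mac, "idle_timeout", when) == 0,
                # Heuristic: station has been down for at least idle-timeout seconds.
                "idle_expired": down is not None and down >= idle})
        last[(mac, kind)] = when
    return findings
```

On the posted lines this reports 194 seconds since the last successful authentication but exactly 300 seconds since the 10:04:16 "Station DN" event, which equals the `idle-timeout=300` value in the role-change line.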


Contributor II
Posts: 61
Registered: ‎07-01-2013

Re: need to authenticate again after about 40 minutes


This response was posted accidentally. Please disregard!

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA