reauthentication interval: AAA auth profile vs. User Role

Hi all,

 

I'm wondering if someone could help me understand the difference between the reauthentication interval parameters in the 802.1x Authentication Profile versus the reauthentication interval setting in the User Role.

 

My goal is to force the client to reauthenticate every 8 hours on both our open (CP) and 802.1x (EAP-TTLS/PAP, AES) SSIDs.

 

Currently, I am configuring the reauthentication-interval in the User Roles 'authenticated' and 'authenticated-1x' to 480 minutes. In the 802.1x Authentication Profile 'reauthentication' is not enabled (unchecked in the WebUI). The 'reauthentication Interval' is set to the default 864000 seconds.

However, when looking for 522008 authentication events for a few particular clients recently we noticed that some clients appear to have been camping on 802.1x for two or more days since their last reauthentication. I would have expected to see in the Aruba or RADIUS logs that the client reauthenticated after 8 hours. We don't recall this being an issue prior to 6.1.3.2 but that just may be an oversight.

Any ideas why some clients are seemingly able to evade the 8 hour mandatory reauth interval? For 802.1x, should I enable 'reauthentication' and set the 'reauthentication Interval' to 28800 seconds? Which set of parameters overrides the other?

 

user-role authenticated-802.1x
 reauthentication-interval 480
<snip>

!

aaa authentication dot1x "UMASS-SECURE"
   wep-key-retries 3
   timer wpa-key-period 3000
   no opp-key-caching
   validate-pmkid                                 
!

 

Thanks in advance,

Mike
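
Added example, not part of the post above and not Aruba code: one way to run the check the post describes, listing clients whose consecutive authentication events are further apart than the 480-minute role interval. It assumes the events were already extracted from the controller or RADIUS logs into "timestamp MAC" lines; that line format, the sample data and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# 480 minutes, the reauthentication-interval set in the post's user role
REAUTH_INTERVAL = timedelta(minutes=480)

# Constructed sample: "<ISO timestamp> <client MAC>", one line per
# authentication event (hypothetical pre-extracted format, not raw syslog).
SAMPLE_EVENTS = """\
2012-03-05T08:00:00 00:11:22:33:44:55
2012-03-05T15:55:00 00:11:22:33:44:55
2012-03-05T23:50:00 00:11:22:33:44:55
2012-03-05T09:00:00 66:77:88:99:AA:BB
2012-03-07T10:30:00 66:77:88:99:aa:bb
"""

def parse_events(text):
    """Return {mac: sorted list of datetimes}; blank lines are skipped."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, mac = line.split()
        # Normalise MAC case so one client is not counted as two.
        events.setdefault(mac.lower(), []).append(datetime.fromisoformat(stamp))
    for stamps in events.values():
        stamps.sort()
    return events

def overdue_gaps(events, now, interval=REAUTH_INTERVAL,
                 slack=timedelta(minutes=5)):
    """Return (mac, start, end, gap) for every stretch longer than
    interval + slack with no authentication event. The last stretch
    runs to `now`, so a client that has not reauthenticated yet is
    reported as well."""
    findings = []
    for mac, stamps in sorted(events.items()):
        for start, end in zip(stamps, stamps[1:] + [now]):
            gap = end - start
            if gap > interval + slack:
                findings.append((mac, start, end, gap))
    return findings

if __name__ == "__main__":
    now = datetime(2012, 3, 7, 12, 0, 0)  # constructed "current time"
    for mac, start, end, gap in overdue_gaps(parse_events(SAMPLE_EVENTS), now):
        print(f"{mac}: no auth between {start} and {end} ({gap})")
```

A reported gap only indicates a missed reauthentication if the client stayed associated for the whole stretch, so cross-check each finding against association or accounting records before drawing conclusions.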
