10-09-2012 12:18 PM
I'm wondering if someone could help me understand the difference between the reauthentication interval parameters in the 802.1x Authentication Profile versus the reauthentication interval setting in the User Role.
My goal is to force the client to reauthenticate every 8 hours on both our open (CP) and 802.1x (EAP-TTLS/PAP, AES) SSIDs.
Currently, I am configuring the reauthentication-interval in the User Roles 'authenticated' and 'authenticated-1x' to 480 minutes. In the 802.1x Authentication Profile 'reauthentication" is not enabled (unchecked in the WebUI). The 'reauthentication Interval' is set to the default 864000 seconds.
However, when looking for 522008 authentication events for a few particular clients recently we noticed that some clients appear to have been camping on 802.1x for two or more days since their last reauthentication. I would have expected to see in the Aruba or RADIUS logs that the client reauthenticated after 8 hours. We don't recall this being an issue prior to 18.104.22.168 but that just may be an oversite.
Any ideas why some clients are seemingly able to evade the 8 hour mandatory reauth interval? For 802.1x, should I enable 'reauthentication' and set the 'reauthentication Interval' to 28800 seconds? Which set of parameters overides the other?
aaa authentication dot1x "UMASS-SECURE"
timer wpa-key-period 3000
Thanks in advance,