Security

Reply
Occasional Contributor II

set a session-time-out/ desconection by enforcement

Hello to all

 

I am writing to kindly request a recommendation with a configuration in CPPM.

It is necessary to create a policy to give access to customers through wireless access (Guest Manaer Captive Portal) from Monday to Friday from 9:00 am to 5:00 pm, the action to be taken after 12:40 pm will be a session timeOut or a deauth. I have documented and one of the options is to create a new filter in the "time-source" and call it with a profile in enforcement, but it is not working.

 

Time source filter: imagen attached

 

Enforcement profile: imagen attached

 

Enforcement policies: imagen attached

 

Access tracker “session-timeOut normal”: imagen attached

 

 

Servicies: imagen attached

 

 

Controller configuration AAA: imagen attached

 

 

 

After 12:40 sessions are still active and dissociation does not occur, the idea is that after 12:40 the user has to re-enter the data in the captive portal.


You could give me a recommendation, something I should be omitting. Or maybe another idea to achieve the goal?

Thank you very much beforehand.

 

Thanks

 

Best Regards.

 

 

Re: set a session-time-out/ desconection by enforcement

After viewing your information, it looks like you try to disconnect all users from the network at 12:40pm. I assume that is a test only, because I can't really understand how that time will contribute to users allowed only from 9-5.

 

Then it looks that you created a time-source that calculates the time till 12:40pm in seconds and returns that as the Session-Timeout to your controller.

 

In the access tracker, I see an authentication happening just before 12:40pm (12:39:36 ART), where the timeout is sent (Session-Timeout Normal). It is not really clear what does not work as expected.

 

Can you show the expanded Output tab from the Access-Tracker, where the authentication happens? I could not see what is the outcome of your timesource calculation, which might have an error because epoch is in UTC timezone and you probably need a local timezone [I could not verify the query for your timesource]. Note that the Session-Timeout should be a value in seconds after which the controller will re-authenticate.

 

Also, in your example, if the client is re-authenticating just after 12:40pm, it will be just accepted for another 24h as it is between 9-5 which is in your policy.

 

First step should be to validate that the correct Session Timeout is returned to the controller.

 

Also, it seems to me that some interactive troubleshooting will result in faster resolution, rather than sending screenshots in this forum. You can work with your Aruba partner or Aruba TAC to get such assistance.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor II

Re: set a session-time-out/ desconection by enforcement

Hello Herman,

thanks for you acotation. thats correct this is a pre-deployment to a customer thats the reason why I´m using 12:10 hrs.

After read your recomendation I realized that the filter doesnt work because there is an alert that says: "failed to get value for attributes"

I attached print screens.

May be there is and error in filter syntax.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: