Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Controller + Clearpass session timeout

  • 1.  Controller + Clearpass session timeout

    MVP
    Posted Oct 07, 2015 02:27 PM

    Hey All, 

     

    Need some assistance with an unusual request. Customer is using Controller's captive portal, but they have Clearpass. They cannot use the Guest module of Clearpass due to budget constraints; they could not purchase Guest licensing to accommodate all Guests. 

     

    Basically, they want to allow guest users access for 2 hours before forcing them to go through the captive portal again. I am trying to accomplish this in the following way:

     

    - Enabled mac auth profile on controller and set Clearpass as server group

    - Configured MAC auth service in Clearpass (Allow all mac auth) that sends back session timeout and other enforcements to the controller. I have Time Source and Insight as Authorization Sources.

     

    I configured the Session Timeout enforcement to use %{Authorization:[Time Source]:now_plus_2hrs} 

     

    I assume that if that would work, the session would time out in 2 hours and the session would be disconnected based on the expiry action. 

     

    I cannot get Time Source or Insight to show up as Authorization Sources in the requests though.

     

    Any idea how to get this to work or an easier method?

     

    Thanks.



  • 2.  RE: Controller + Clearpass session timeout

    EMPLOYEE
    Posted Oct 07, 2015 02:35 PM
    You can just increase the user idle timeout in the captive portal profile. 


    Thanks, 
    Tim


  • 3.  RE: Controller + Clearpass session timeout

    MVP
    Posted Oct 07, 2015 02:37 PM

    I assumed the Idle Timeout was for inactivity on the network, is it not?



  • 4.  RE: Controller + Clearpass session timeout

    EMPLOYEE
    Posted Oct 07, 2015 02:40 PM
    Right. So you want to interrupt a user in the middle of a session when the time is up? 

    How many guests are we talking about? Each ClearPass server includes 25 enterprise licenses which can be used for guest. 


    Thanks, 
    Tim


  • 5.  RE: Controller + Clearpass session timeout

    MVP
    Posted Oct 07, 2015 02:41 PM

    Correct, when 2 hours is up, they are disconnected and must go through the captive portal again.

     

    Daily they are looking at between 200-300 guest users. We have (2) CP-5K appliances, but per the customer they cannot purchase additional licenses right now.



  • 6.  RE: Controller + Clearpass session timeout

    EMPLOYEE
    Posted Oct 07, 2015 02:41 PM

    The idle-timeout is for removing the user after inactivity, yes.  If you want to put an absolute floor and then a logout, in the successful user role (guest, perhaps), you can enter a value for the reauthentication interval:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Roles/User_Roles.htm

     

    That will force the user to re-login after that has expired.  If you want the user to be restricted, have clearpass give them the role with the reauthentication interval.

     



  • 7.  RE: Controller + Clearpass session timeout

    MVP
    Posted Oct 07, 2015 02:49 PM

    Great, we will give that a try. Thanks.