Wireless Access

Reply
MVP
Posts: 371
Registered: ‎05-09-2013

Controller + Clearpass session timeout

Hey All, 

 

Need some assistance with an unusual request. Customer is using Controller's captive portal, but they have Clearpass. They cannot use the Guest module of Clearpass due to budget constraints, they could not purchase Guest licensing to accomodate all Guests. 

 

Basically, they want to allow guest users access for 2 hours before forcing them to go through the captive portal again. I am trying to accomplish this in the following way:

 

- Enabled mac auth profile on controller and set Clearpass as server group

- Configured MAC auth service in Clearpass (Allow all mac auth) that sends back session timeout and other enforcements to the controller. I have Time Source and Insight as Authorization Sources.

 

I configured the Session Timeout enforcement to use %{Authorization:[Time Source]:now_plus_2hrs} 

 

I assume that if that would work, the session would timeout in 2 hours and the session would be disconnected based on the expirey action. 

 

I cannot get Time Source or Insight to show up as Authorization Sources in the requests though.

 

Any idea how to get this to work or an easier method?

 

Thanks.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 8,449
Registered: ‎09-08-2010

Re: Controller + Clearpass session timeout

You can just increase the user idle timeout in the captive portal profile. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 371
Registered: ‎05-09-2013

Re: Controller + Clearpass session timeout

I assumed the Idle Timeout was for inactivity on the network, is it not?


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 8,449
Registered: ‎09-08-2010

Re: Controller + Clearpass session timeout

Right. So you want to interrupt a user in the middle of a session when the time is up? 

How many guests are we talking about? Each ClearPass server includes 25 enterprise licenses which can be used for guest. 


Thanks, 
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 371
Registered: ‎05-09-2013

Re: Controller + Clearpass session timeout

Correct, when 2 hours is up, they are disconnected and must go through the captive portal again.

 

Daily they are looking between 200-300 guest users. We have (2) CP-5K appliances, but per the customer they cannot purchase additional licenses right now.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Guru Elite
Posts: 20,985
Registered: ‎03-29-2007

Re: Controller + Clearpass session timeout

The idle-timeout is for removing the user after inactivity, yes.  If you want to put an absolute floor and then a logout, in the successful user role (guest, perhaps), you can enter a value for the reauthentication interval:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Firewall_Roles/User_Roles.htm

 

That will force the user to re-login after that has expired.  If you want the user to be restricted, have clearpass give them the role with the reauthentication interval.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 371
Registered: ‎05-09-2013

Re: Controller + Clearpass session timeout

Great, we will give that a try. Thanks.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Search Airheads
Showing results for 
Search instead for 
Did you mean: