Occasional Contributor II

Deleted guest user is still online

Hi,

Probably we have a design issue.

We have deleted an active guest user (via captive portal), but the guest user is still connected. Is there any way to force a reauthentication, so that deleted users are not able to reauthenticate?

 

Best regards

Re: Deleted guest user is still online

Is it a controller-based deployment? How are the guest users authenticating (via internal DB or ClearPass)? The quickest method is to delete the entry from the user-table:

 

(Aruba) #aaa user delete ?
A.B.C.D                 Match IP address
all                     Delete all users. Can take upto 5 mins if there are 
                        large number of users getting deleted
ap-ip-addr              Match AP IP address
ap-name                 Match AP name
mac                     Match MAC address
name                    Match user name
role                    Match role name

 

 


ACMA, ACMP, ACSA
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: Deleted guest user is still online

Hi,

We have a controller-based environment with no ClearPass.

Our goal is that our secretary can delete guest users via the WebUI (guest role).

Is there a timeout or re-authenticate value for authenticated guest users?

Re: Deleted guest user is still online

Hi....apologies if this appears 3 times, it won't seem to save the post!

Have a look at your User Idle Timeout under the Captive Portal Authentication  Profile ( Configuration > Security > Authentication > L3 Authentication)

 

If however that is not configured, the Global Timers will come into effect.

 

(WLC) #show aaa timers 

Global User idle timeout = 900 seconds
Auth Server dead time = 5 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 300 seconds

 


ACMA, ACMP, ACSA
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: Deleted guest user is still online

The User idle timeout wasn't set. Now I set it to 300 Sec.

 

But, I understand it as a timeout feature. So if the deleted guest user is still active then the counter will not increase...

Guru Elite

Re: Deleted guest user is still online

Schinida,

 

When the guest user is deleted, its role should change to "logon", which would require them to log in again. If they log in again, they would be allowed to continue. If you are using unique usernames for guests and you delete the username that the guest is using, the guest would not be able to log in again and continue his/her session.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: Deleted guest user is still online

Thanks for the info. It sounds good, but it is not working correctly.

1. Create a local guest user

USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest add username "test" password ****** start-time "05/22/2017" "09:53" expiry time "05/22/2017" "17:53"

2. Login to the guest wlan with captive portal and guestuser test

User Authentication Successful: username=test MAC=00:26:b6:f4:c2:5b IP=10.2.30.99 role=guest VLAN=130 AP=AP35 SSID=campus-gast AAA profile=campus-gast-aaa_prof auth method=Web auth server=Internal

3. Surf the web via captive portal and ping internet addresses

4. Delete the user via Webui

USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest del username "test" > -- command executed successfully

5. Disconnect WLAN on the notebook -> notebook is offline

6. Connect to WLAN guest network again

2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 XXX-WLAN1 stm[1800]: <501100> <NOTI> <XXX-WLAN1 10.2.171.241> Assoc success @ 12:14:17.891347: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501100> <NOTI> |AP AP35@10.2.171.148 stm| Assoc success @ 12:14:17.883057: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501095> <NOTI> |AP AP35@10.2.171.148 stm| Assoc request @ 12:14:17.882277: 00:26:b6:f4:c2:5b (SN 2): AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501093> <NOTI> |AP AP35@10.2.171.148 stm| Auth success: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501109> <NOTI> |AP AP35@10.2.171.148 stm| Auth request: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35 auth_alg 0

7. The guest user can login and will not be prompted for login credentials.

Is this normal behaviour?
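An added example, not part of the thread and not Aruba code: a log check that pairs each `local-userdb-guest del` audit line with earlier "User Authentication Successful" lines for the same username and lists the sessions an operator may still need to clear with the `aaa user delete mac` form shown in the CLI help earlier in the thread. It assumes the two log line shapes quoted in the post above; the function names are hypothetical and the `visitor2` and `temp3` sample lines are constructed.

```python
import re

# Line shapes copied from the log excerpts in the thread; function names are
# hypothetical and the "visitor2"/"temp3" sample lines are constructed.
AUTH_RE = re.compile(
    r"User Authentication Successful: username=(?P<user>\S+) "
    r"MAC=(?P<mac>[0-9A-Fa-f:]{17}) IP=(?P<ip>\S+) .*auth server=Internal")
DEL_RE = re.compile(r'COMMAND:<local-userdb-guest del username "(?P<user>[^"]+)"')

_TAIL = ("role=guest VLAN=130 AP=AP35 SSID=campus-gast "
         "AAA profile=campus-gast-aaa_prof auth method=Web auth server=Internal")
SAMPLE = [
    'USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest add username "test" password ******',
    "User Authentication Successful: username=test MAC=00:26:b6:f4:c2:5b IP=10.2.30.99 " + _TAIL,
    "User Authentication Successful: username=visitor2 MAC=02:00:00:00:00:01 IP=10.2.30.100 " + _TAIL,
    'USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest del username "temp3" > -- command executed successfully',
    'USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest del username "test" > -- command executed successfully',
]

def stale_sessions(lines):
    """Return (user, mac, ip) for each login whose guest account was later deleted."""
    sessions = {}  # username -> {mac: ip} for logins seen so far
    stale = []
    for line in lines:
        auth = AUTH_RE.search(line)
        if auth:
            sessions.setdefault(auth["user"], {})[auth["mac"].lower()] = auth["ip"]
            continue
        deleted = DEL_RE.search(line)
        if deleted:
            # The thread reports the session surviving account deletion, so every
            # login recorded for this name is a candidate for manual removal.
            for mac, ip in sessions.pop(deleted["user"], {}).items():
                stale.append((deleted["user"], mac, ip))
    return stale

def cleanup_commands(stale):
    """Build one 'aaa user delete mac' line per stale session for an operator to review."""
    return [f"aaa user delete mac {mac}" for _, mac, _ in stale]

if __name__ == "__main__":
    found = stale_sessions(SAMPLE)
    for user, mac, ip in found:
        print(f"deleted guest {user!r} may still hold a session: {mac} {ip}")
    print("\n".join(cleanup_commands(found)))
```
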
