Wireless Access

Occasional Contributor II
Posts: 12
Registered: ‎04-11-2013

Disconnection from the network with reason=logon role lifetime reached

Hi,

I experience some problems with a controller.

The users are disconnected from the network resources (file sharing, TSE session...) after a certain amount of time. This happens every time, with any type of device/manufacturer.

Please see the logs in the attachments from when a user is disconnected.

The AP broadcasts just one SSID, with WPA-PSK authentication, nothing more (no custom role, no MAC authentication, just a basic setup).

Hope you can help me with this problem.

Thanks in advance.

Edit: I upgraded the controller to the latest version (6.1.3.7); nothing changed.

Frequent Contributor II
Posts: 113
Registered: ‎11-27-2012

Re: Disconnection from the network with reason=logon role lifetime reached

The logon user lifetime is described as follows:

Logon User Lifetime:

Maximum time, in minutes, unauthenticated clients are allowed to remain logged on.
Range: 0–255
Default: 5 minutes

Have you made any changes to the logon role, maybe, so that the users stay in that initial role and do no authentication, and are then disconnected when the maximum time is reached?

Can you show us the configuration of the VAP in question?

-----------------------------------
-ACMX #352-
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor II
Posts: 12
Registered: ‎04-11-2013

Re: Disconnection from the network with reason=logon role lifetime reached

Thanks for your answer. Please find some information about the VAP and AAA profiles.

I didn't do the installation, but I don't see any modification of the AAA default settings anywhere...

wlan virtual-ap "PROFILE_SAINT_ROMAIN"
   aaa-profile "default-dot1x-psk"
   ssid-profile "SSID_SAINT_ROMAIN"
   vlan 172
!

 

 

#show aaa timers

User idle timeout = 300 seconds
Auth Server dead time = 10 minutes
Logon user lifetime = 5 minutes
User Interim stats frequency = 600 seconds

 

#show aaa profile "default-dot1x-psk"

AAA Profile "default-dot1x-psk" (Predefined (editable))
-------------------------------------------------------
Parameter                                          Value
---------                                          -----
Initial role                                       logon
MAC Authentication Profile                         N/A
MAC Authentication Server Group                    default
802.1X Authentication Profile                      default-psk
802.1X Authentication Server Group                 N/A
L2 Authentication Fail Through                     Disabled
RADIUS Accounting Server Group                     N/A
RADIUS Interim Accounting                          Disabled
User derivation rules                              N/A
Wired to Wireless Roaming                          Enabled
Device Type Classification                         Enabled
Enforce DHCP                                       Disabled

#show wlan virtual-ap "PROFILE_SAINT_ROMAIN"       

Virtual AP profile "PROFILE_SAINT_ROMAIN"
-----------------------------------------
Parameter                                           Value
---------                                           -----
Virtual AP enable                                   Enabled
Allowed band                                        all
AAA Profile                                         default-dot1x-psk
802.11K Profile                                     default
SSID Profile                                        SSID_SAINT_ROMAIN
VLAN                                                172
Forward mode                                        tunnel
Deny time range                                     N/A
Mobile IP                                           Enabled
HA Discovery on-association                         Disabled
DoS Prevention                                      Disabled
Station Blacklisting                                Enabled
Blacklist Time                                      3600 sec
Dynamic Multicast Optimization (DMO)                Disabled
Dynamic Multicast Optimization (DMO) Threshold      6
Authentication Failure Blacklist Time               3600 sec
Strict Compliance                                   Disabled
VLAN Mobility                                       Disabled
Preserve Client VLAN                                Disabled
Remote-AP Operation                                 standard
Drop Broadcast and Multicast                        Disabled
Convert Broadcast ARP requests to unicast           Enabled
Disable conversion multicast RA packets to unicast  Disabled
Deny inter user traffic                             Disabled
Band Steering                                       Disabled
Steering Mode                                       prefer-5ghz
WMM Traffic Management Profile                      N/A

Occasional Contributor II
Posts: 12
Registered: ‎04-11-2013

Re: Disconnection from the network with reason=logon role lifetime reached

Any idea what it could be?

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: Disconnection from the network with reason=logon role lifetime reached

Change the initial role in the default-dot1x-psk AAA profile to something else like "authenticated"

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
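
A check for the condition diagnosed in this thread, as an added example that is not part of any poster's reply and not Aruba tooling: it reads the `show aaa profile` and `show aaa timers` output posted above and flags a profile whose initial role is `logon` when nothing in the profile would move clients to another role. The function names, and the rule that "N/A" in the three rows checked means no role change will happen, are assumptions.

```python
import re

# Rows copied from the output posted in this thread (trimmed to what the check reads).
AAA_PROFILE = """\
AAA Profile "default-dot1x-psk" (Predefined (editable))
-------------------------------------------------------
Parameter                                          Value
---------                                          -----
Initial role                                       logon
MAC Authentication Profile                         N/A
802.1X Authentication Profile                      default-psk
802.1X Authentication Server Group                 N/A
User derivation rules                              N/A
"""
AAA_TIMERS = """\
User idle timeout = 300 seconds
Logon user lifetime = 5 minutes
"""

def parse_profile(text):
    """Split each 'Parameter   Value' row on a run of two or more spaces."""
    rows = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2 and not parts[0].startswith("-"):
            rows[parts[0]] = parts[1]
    return rows

def logon_lifetime_minutes(text):
    """Return the 'Logon user lifetime' value in minutes, or None if absent."""
    m = re.search(r"Logon user lifetime\s*=\s*(\d+)\s*minutes", text)
    return int(m.group(1)) if m else None

def audit(profile_text, timers_text):
    """Report whether clients would sit in 'logon' until the lifetime expires."""
    p = parse_profile(profile_text)
    # Assumption: if all three are N/A, nothing moves a client out of its initial role.
    no_role_change = all(p.get(k, "N/A") == "N/A" for k in (
        "MAC Authentication Profile",
        "802.1X Authentication Server Group",
        "User derivation rules"))
    return {
        "initial_role": p.get("Initial role"),
        "lifetime_min": logon_lifetime_minutes(timers_text),
        "at_risk": p.get("Initial role") == "logon" and no_role_change,
    }

if __name__ == "__main__":
    print(audit(AAA_PROFILE, AAA_TIMERS))
```
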

Occasional Contributor II
Posts: 12
Registered: ‎04-11-2013

Re: Disconnection from the network with reason=logon role lifetime reached

It seems to be working...

I changed to "guest-logon" (I don't have the authenticated profile) and I have no more disconnections. Before that the users couldn't transfer a file larger than 50MB and now we tried with a 3GB file and it's OK....

I don't really understand why... What I don't understand either is why some of the users got an L3 role = logon, and others L3 role = guest-logon.

Hope you can help me.

 

#show user-table ip 192.168.172.192


Name: , IP: 192.168.172.192, MAC: 00:26:82:f7:14:56, Role:guest-logon, ACL:1/0, Age: 00:00:48
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 172, Assigned: 0, Current: 172 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1040, Port=0x10f6 (tunnel 118)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: guest-logon, role-how: 10, L2-role: guest-logon, L3-role: logon
Essid: Hopital Saint Romain, Bssid: d8:c7:c8:0b:29:90 AP name/group: WT.0.2/CH_SAINT_ROMAIN Phy-type: g
RadAcct sessionID:n/a
RadAcct Traffic In 3386969/451011921 Out 2232136/182111465 (51:44633/0:0:6881:58705,34:3912/0:0:2778:52457)
Timers: ping_reply 0, spoof reply 0, reauth 0
Profiles AAA:default-dot1x-psk, dot1x:default-psk, mac: CP: def-role:'guest-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1365768888 (Fri Apr 12 14:14:48 2013)
Core User Born: 1365767300 (Fri Apr 12 13:48:20 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 192.168.172.192, from DHCP server 192.168.172.254
Device Type: Windows-Update-Agent

 

 

#show user-table ip 192.168.172.188


Name: , IP: 192.168.172.188, MAC: ac:81:12:db:15:04, Role:guest-logon, ACL:6/0, Age: 00:00:05
Authentication: No, status: not started, method: , protocol: , server:
Role Derivation: AAA profile default role
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=0
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g, reauth: 0, BW Contract: up:0 down:0, user-how: 14
Vlan default: 172, Assigned: 0, Current: 172 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1040, Port=0x10b3 (tunnel 51)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: guest-logon, role-how: 10, L2-role: guest-logon, L3-role: guest-logon
Essid: Hopital Saint Romain, Bssid: d8:c7:c8:0b:2b:00 AP name/group: WT.1.3/CH_SAINT_ROMAIN Phy-type: g
RadAcct sessionID:n/a
RadAcct Traffic In 1359/328586 Out 1593/1538224 (0:1359/0:0:5:906,0:1593/0:0:23:30896)
Timers: ping_reply 0, spoof reply 0, reauth 0
Profiles AAA:default-dot1x-psk, dot1x:default-psk, mac: CP: def-role:'guest-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 0, dot1x 1, RADIUS interim accounting 0
IP Born: 1365772286 (Fri Apr 12 15:11:26 2013)
Core User Born: 1365772285 (Fri Apr 12 15:11:25 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 192.168.172.188, from DHCP server 192.168.172.254
Device Type: Windows-RSS-Platform/2.0 (MSIE 8.0; Windows NT 6.1)

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: Disconnection from the network with reason=logon role lifetime reached

Type "show rights" to see what roles you have. guest-logon might not be the best role. You can create a role with just the "allowall" ACL and then change the initial role to that role.

Your change to the AAA profile will only take effect for new users that associate. If you do an "aaa user delete all" it will make all users reconnect, and they should get the new role. (This will cause a momentary 1 minute outage for all your users, so decide when you want to do this.)

 



Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 12
Registered: ‎04-11-2013

Re: Disconnection from the network with reason=logon role lifetime reached

I tried to create a role with the 'allowall' ACL, but I think I don't have the license to do it.

In the GUI, the "Apply" button is grayed out, and in the CLI the "user-role" command is not recognized.

That's why I tried with guest-logon. See below the other roles I have.

 

#show rights

RoleTable
---------
Name            ACL  Bandwidth                  ACL List                  Type
----            ---  ---------                  --------                  ----
ap-role         4    Up: No Limit,Dn: No Limit                            System
cpbase          14   Up: No Limit,Dn: No Limit  cpbase/                   User
denyall         12   Up: No Limit,Dn: No Limit  denyall/                  User
guest           3    Up: No Limit,Dn: No Limit                            User
guest-logon     6    Up: No Limit,Dn: No Limit                            User
logon           1    Up: No Limit,Dn: No Limit                            User
stateful-dot1x  5    Up: No Limit,Dn: No Limit                            System
sys-ap-role     7    Up: No Limit,Dn: No Limit  sys-control/,sys-ap-acl/  System (not editable)

Guru Elite
Posts: 21,517
Registered: ‎03-29-2007

Re: Disconnection from the network with reason=logon role lifetime reached

Okay. You don't have the PEFNG license.

You should be okay, then.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 12
Registered: ‎04-11-2013

Re: Disconnection from the network with reason=logon role lifetime reached

Do you have an idea why the logon role doesn't work here?
