Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Help needed! idle timeout on ClearPass

  • 1.  Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 11:56 AM

    Does anyone know how to configure guest user idle timeout on ClearPass 6.5.5.78974 (CP-HW-5K platform)?



  • 2.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 12:04 PM
    For the Guest Module Management?


  • 3.  RE: Help needed! idle timeout on ClearPass

    EMPLOYEE
    Posted Mar 24, 2016 12:34 PM
    Can you provide some more detail on what timeout you're referring to?


  • 4.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 01:39 PM

    Tim,

    Guest users have to re-authenticate after a short period of time (5 mins).  Guest users authenticate through a portal page and accounts are set to expire at 1 day.



  • 5.  RE: Help needed! idle timeout on ClearPass

    EMPLOYEE
    Posted Mar 24, 2016 01:45 PM

    You would typically use the mac-caching functionality to achieve that.

     

    Otherwise you can override the global timeout in the captive portal profile on the controller and set it to something appropriate.



  • 6.  RE: Help needed! idle timeout on ClearPass

    EMPLOYEE
    Posted Mar 24, 2016 01:53 PM
    Do you have MAC-caching configured?


  • 7.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 02:21 PM

    MAC caching is configured, but I don't see anything about idle timeout and session timeout.



  • 8.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 02:27 PM

    When the client initially connects to the SSID, they will fall into the initial role and hit the captive portal. On successful CP auth, the user's MAC address will be cached on the ClearPass server, and the next time the user tries to connect to the SSID, they will pass MAC auth and will fall into the mac-auth default role.

     

    Is MAC authentication configured for the Guest SSID?

    What is the MAC auth default role?

     



  • 9.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 02:38 PM

    @skrishnamoorthy, would guest authentication for SSID be configured on controller or CP?  I do not have access to the controllers, they are managed by another team.  Can you tell me where to check MAC default role?

     



  • 10.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 02:50 PM

    John,

     

    When the client connects to the wireless, they will fall into the initial role (user-role) which is configured on the controller. The user-role on the controller will have captive portal ACLs and a captive portal profile which will redirect them to the ClearPass guest login page. The user sends the user name and password for the captive portal to the controller, which forwards them to ClearPass for authentication. Once authenticated, the client will fall into a different user-role on the controller (post-auth) which will allow the client to get to the internet.

     

    Answering your questions:

    For guest authentication, profiles, policies and services need to be created on both ClearPass and the controller.

    You can view the mac-default role by checking the aaa profile on the controller.

    #show aaa profile <profile name>
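
The role flow described in posts 8 and 10, as an added Python model that is not part of the original thread and is not Aruba or ClearPass code. It shows which role a guest lands in after idling past the 5-minute timeout, with and without MAC caching. The class names, role labels, MAC address and credentials are constructed, and tying the cached MAC's lifetime to the account expiry is an assumption.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 5 * 60         # seconds; the 5-minute re-auth interval reported in the thread
ACCOUNT_LIFETIME = 24 * 3600  # seconds; guest accounts expire after 1 day
INITIAL, POST_AUTH, MAC_DEFAULT = "initial", "post-auth", "mac-auth-default"

@dataclass
class PolicyServer:
    """Hypothetical stand-in for the policy server: guest accounts plus the MAC cache."""
    mac_caching: bool
    accounts: dict = field(default_factory=dict)   # user -> (password, expiry time)
    mac_cache: dict = field(default_factory=dict)  # MAC -> expiry time

    def portal_auth(self, mac, user, password, now):
        stored = self.accounts.get(user)
        if stored is None or stored[0] != password or now >= stored[1]:
            return False
        if self.mac_caching:
            # Assumption: a cached MAC is valid no longer than the guest account.
            self.mac_cache[mac] = stored[1]
        return True

    def mac_auth(self, mac, now):
        return now < self.mac_cache.get(mac, 0)

@dataclass
class Controller:
    """Hypothetical stand-in for the controller: tracks role and last activity per MAC."""
    server: PolicyServer
    sessions: dict = field(default_factory=dict)   # MAC -> [role, last activity]

    def traffic(self, mac, now):
        sess = self.sessions.get(mac)
        if sess is None or now - sess[1] >= IDLE_TIMEOUT:
            # New or idled-out client: try MAC auth first, captive portal otherwise.
            role = MAC_DEFAULT if self.server.mac_auth(mac, now) else INITIAL
            sess = self.sessions[mac] = [role, now]
        sess[1] = now
        return sess[0]

    def portal_login(self, mac, user, password, now):
        role = POST_AUTH if self.server.portal_auth(mac, user, password, now) else INITIAL
        self.sessions[mac] = [role, now]
        return role

def simulate(mac_caching):
    accounts = {"guest1": ("constructed-pw", ACCOUNT_LIFETIME)}  # constructed sample account
    ctrl = Controller(PolicyServer(mac_caching, accounts=accounts))
    mac = "02:00:00:00:00:01"  # constructed, locally administered address
    return [ctrl.traffic(mac, 0), ctrl.portal_login(mac, "guest1", "constructed-pw", 10),
            ctrl.traffic(mac, 120), ctrl.traffic(mac, 720), ctrl.traffic(mac, 25 * 3600)]
```

The fourth entry of `simulate(...)` is the reconnect after 10 idle minutes: the portal's initial role without MAC caching, the MAC auth default role with it.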

     



  • 11.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 03:00 PM

    skrishnamoorthy,

     

    Thank you for the info, I will have to get configs for controllers to better troubleshoot this.



  • 12.  RE: Help needed! idle timeout on ClearPass



  • 13.  RE: Help needed! idle timeout on ClearPass

    Posted Mar 24, 2016 02:23 PM

    Michael,

     

    Do controllers handle session timeout and idle timeout even when users authenticate using CPPM & RADIUS?