Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Need assistance with 620 and Authentication Times Extended

  • 1.  Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 12:03 PM

    Just started managing a new customer's site, and they have a 620 running the wireless.

    Customer has requested that 2 of the 3 profiles/accounts used to access (One is Corp, Other is Guest and then Tenant) allow the end user to keep the ability to leave the network and return to the site without having to sign back in or authenticate.

     

    Being new to the Aruba, any help would be greatly appreciated.

     

    Thanks



  • 2.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 12:10 PM

    What type of authentication are they using?

     



  • 3.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 12:16 PM

    Appears to be AAA, with a 802.1X.



  • 4.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 12:18 PM

    802.1x meaning WPA/2-PSK?   How do they connect?  The supplicant on the device, after waking up, should try to reconnect them, typically.

     



  • 5.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 12:20 PM

    Should be just the WPA/s-PSK. Kind of stumbling around the Aruba, as I am more fluent with Cisco.

     



  • 6.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 12:21 PM

    If the users are using a single preshared key to connect, when they come back to their devices, they should attempt to connect back to the network by themselves.

     

    What exactly is happening?

     



  • 7.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 01:51 PM

    Yeah, the customer has a preshared key used by guests.

    When the device sits idle and/or leaves the network, they are prompted to re-enter the key.

     

    Customer wants the timeout/return to be around 7 days.

     

     



  • 8.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 01:54 PM
    What devices are those? It should just reconnect. The controller cannot force a prompt for a PSK. It is the supplicant on the device that would do that.


  • 9.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 02:00 PM

    Thinking it is Apple related.

     



  • 10.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 02:18 PM

    Being told that it is all devices.

    Laptops once they go to sleep are prompting the visiting users to re-enter the pre-shared key.

     



  • 11.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 02:26 PM
    Please open a case so someone can work with you on this. It does not seem typical.


  • 12.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 02:41 PM

    Even if there is no current maintenance contract?

     



  • 13.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 02:48 PM

    Well, that would not be an option, then.

     

    We can try to troubleshoot it here, but coordination to figure out what is going on could be very painful and time consuming.

     



  • 14.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 02:56 PM

    Possibly just a bug in the current running version on the equipment?

    Partition 0 is 5.0.2.0

    Partition 1 is 5.0.4.3

     



  • 15.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 02:58 PM

    I will let others chime in.  I have never seen that.

     



  • 16.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:01 PM

    It does not happen to 1 of the 3 built profiles.

    I do believe it was configured that way, as I am sure of the mindset of the Engineer that set them up initially.

     



  • 17.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 03:05 PM

    How many wireless networks are being broadcast?

     



  • 18.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:08 PM

    3

     



  • 19.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 03:09 PM

    What kind of authentication and encryption is in play for those other two networks?



  • 20.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:11 PM

    They should all be the same.

    Only difference is assigned IPs and preshared Key.

     



  • 21.  RE: Need assistance with 620 and Authentication Times Extended

    EMPLOYEE
    Posted Jun 04, 2012 03:22 PM

    @kmcintosh78 wrote:

    They should all be the same.

    Only difference is assigned IPs and preshared Key.

     


    What role do the users who have the problem get?

     



  • 22.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:27 PM

    Not really sure of the question.

    There are basically 3 networks being broadcast.

    Corp

    Guest

    Tenant.

     

    All are on their own Pre-shared Key. Authentication and Encryption is the same throughout I believe.

    Main difference is that the Corp network gets an internal IP in the 10.x.x.x network and does not get prompted to re-enter the Pre-shared key once the device either sleeps and/or leaves the network and returns.

     

    The Guest and Tenant networks are getting prompted to re-enter the pre-shared key every time the device sleeps or leaves the network. Almost just a timeout setting. IPs I believe are in the 192.168.x.x network.



  • 23.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:40 PM

    I have never seen a pre-shared key be automatically "forgotten" unless they didn't check the little button that says "remember this network" or something like that (assuming these are Macs).

     

    If you enter the key correctly and check that box, when the device comes out of sleep or standby or boots fresh, it will automatically reconnect without needing to do anything.

     

    This all assumes a preshared key network.  If they are hitting a web page (captive portal), that's a whole different issue.

     

    Go to the GUI and click on Configuration > AP Configuration > <appropriate AP group name> > Virtual APs > SSID Profiles > Guest or Tenant.

     

    What is the authentication?



  • 24.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:43 PM

    Ok, I do believe it is a captive portal.

    Again, I am new to the Aruba Controllers. AP as a whole. More Route/Switch/Firewall, not wireless.

     

    Let me check it.

     



  • 25.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:49 PM

    Yep, I was incorrect.

    The Guest and Tenant is set for Captive Portal.

     

    So, how do I change these requirements, if possible?

     



  • 26.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:57 PM

    There is an idle timeout under Configuration > Authentication > Advanced, but it can only be set up to 255 minutes.

     

    If you want to make that time longer, you will have to do some type of MAC caching using a RADIUS server.  Aruba sells ClearPass Policy Manager that can accomplish this.
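
The MAC caching idea mentioned in the post above, sketched as an added example that is not part of the original thread and is not ArubaOS or ClearPass code: after a captive-portal login the device's MAC is remembered for a fixed 7-day window, so a device that the controller's idle timeout has dropped is accepted by MAC authentication instead of being sent back to the portal. The class and function names, the `accept`/`portal` answers and the per-SSID scoping are assumptions made for illustration.

```python
# Added illustration of MAC caching decision logic (hypothetical names throughout).
import re
import time

CACHE_TTL = 7 * 24 * 3600           # 7-day window the customer asked for
CACHED_SSIDS = {"Guest", "Tenant"}  # the two captive-portal networks in the thread


def normalize_mac(mac):
    """Reduce aa:bb.., AA-BB.., aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class MacCache:
    def __init__(self, ttl=CACHE_TTL):
        self.ttl = ttl
        self._expiry = {}  # (ssid, mac) -> epoch seconds when the entry lapses

    def record_portal_login(self, ssid, mac, now=None):
        """Call after a successful captive-portal login; returns True if cached."""
        if ssid not in CACHED_SSIDS:
            return False
        now = time.time() if now is None else now
        # Fixed window: the expiry is set at login and is not extended by later use.
        self._expiry[(ssid, normalize_mac(mac))] = now + self.ttl
        return True

    def mac_auth(self, ssid, mac, now=None):
        """Answer a MAC-auth request: 'accept' skips the portal, 'portal' forces it."""
        now = time.time() if now is None else now
        key = (ssid, normalize_mac(mac))
        expires = self._expiry.get(key)
        if expires is None:
            return "portal"
        if now >= expires:
            del self._expiry[key]  # lapsed: purge and make the user log in again
            return "portal"
        return "accept"
```

A MAC address is visible on the air and can be copied by another device, so the length of the cache window is also how long a copied address would keep being accepted on that SSID.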



  • 27.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 03:59 PM

    It is currently set at 300 seconds, it also has the ability to go from seconds to minutes.

     

     



  • 28.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 04:03 PM

    It is for the "Authentication Timers" "User Idle Timeout"

     

    "Authentication Server Dead Time" is set for 10 minutes.



  • 29.  RE: Need assistance with 620 and Authentication Times Extended
    Best Answer

    Posted Jun 04, 2012 04:16 PM

    User Idle Timeout is the setting you want.  You can set it to seconds or minutes, but the most is 255 minutes (15300 seconds).



  • 30.  RE: Need assistance with 620 and Authentication Times Extended

    Posted Jun 04, 2012 04:22 PM

    Got it. Thanks so much guys.