Question about session timeout for L3 web auth

Hi All

We're facing an issue whilst trying to use both captive portal and mac auth together.


When the user connects to the SSID, we trigger a MAC auth request. If the user is known, we let them on, and if not, they get a captive portal splash page. When they authenticate on the splash page and the controller performs the RADIUS auth to our server, we reply with a Session-Timeout value. We can see the Aruba receives this and applies it.


The problem is that when the Session-Timeout is reached, and the user is removed from the authenticated state, it keeps the user in some L3 web auth "logon" role, and never tries to MAC Auth again. This seems strange, as we would assume once a user is kicked off, any auth method enabled on that SSID should be attempted, so a MAC auth request should be triggered.


Any idea why it does this? We need a way to get the user back online without intervention or another captive portal prompt, if they exceed the original Session-Timeout but are still using the WiFi. Hence we need them to be re-authed by MAC auth.


Strangely, if they reach the "Idle-Timeout" limit we also set, then the controller DOES remove them from the L3 web auth role, and MAC auth is performed. Or, if we issue a CoA disconnect, it removes the L3 web auth role. So, why doesn't Session-Timeout being reached do the same?


So to simplify my question, how can we make users that logged on through the captive portal be removed from the logon role as soon as the Session-Timeout expires, so a MAC auth is then triggered?


