Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RADIUS session-timeout attribute ignored during MAC auth?

  • 1.  RADIUS session-timeout attribute ignored during MAC auth?

    Posted Aug 15, 2013 12:39 AM

    Do Mobility controllers not honor RADIUS session-timeout attributes when successfully authenticated via MAC Auth?

     

    First, I authenticate via web auth, and I am returning a RADIUS attribute session-timeout value of 60 seconds. When running "show user" on my controller, I can see "reauth: 60," and after 60 seconds, my wireless device reauths.

     

    Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
    Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: Aruba VSA
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
        Current Role name: employee, role-how: 7, L2-role: clearpass-portal-logon, L3-role: employee
    Essid: Organization, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
    RadAcct sessionID:doej58671ADBC442-199
    RadAcct Traffic In 412/107593 Out 355/159220 (0:412/0:0:1:42057,0:355/0:0:2:28148)
    Timers: ping_reply 0, spoof reply 0, reauth 277653068
    Profiles AAA:Organization-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
    IP Born: 1376519708 (Wed Aug 14 18:35:08 2013)
    Core User Born: 1376519706 (Wed Aug 14 18:35:06 2013)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
    Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5

     

    At this point my wireless device tries to reauth using MAC auth. My RADIUS server returns a session-timeout, but instead, you can see the "show user" command lists the value I originally assigned to my employee role on my controller (700 minutes, where it shows "reauth: 42000" below). Why doesn't it show the session-timeout value I set?

     

    Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
    Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
    Bandwidth = No Limit
    Bandwidth = No Limit
    Role Derivation: Aruba VSA
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=0, mba=1
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
    Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: employee, role-how: 7, L2-role: employee, L3-role: employee
    Essid: Trinity, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
    RadAcct sessionID:58671adb58671ADBC442-1CF
    RadAcct Traffic In 63/19489 Out 53/11289 (0:63/0:0:0:19489,0:53/0:0:0:11289)
    Timers: ping_reply 0, spoof reply 0, reauth 279180852
    Profiles AAA:Trinity-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
    IP Born: 1376520861 (Wed Aug 14 18:54:21 2013)
    Core User Born: 1376520861 (Wed Aug 14 18:54:21 2013)
    Upstream AP ID: 0, Downstream AP ID: 0
    DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
    Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5

     

    Running firmware 6.1.3.6-AirGroup on a 3600 Mobility controller

     

    Thanks in advance.


    #3600


  • 2.  RE: RADIUS session-timeout attribute ignored during MAC auth?

    EMPLOYEE
    Posted Aug 15, 2013 05:48 AM

    I would upgrade to ArubaOS 6.3.x or higher to obtain that option during mac auth:

     

    [Image: reauth.png]



  • 3.  RE: RADIUS session-timeout attribute ignored during MAC auth?

    Posted Aug 15, 2013 09:04 AM

    For whatever reason, I didn't set my MAC Authentication Server Group for my AAA profile - it was set to default. After setting it to my RADIUS server, the attributes are being honored during MAC auth.

     

    However, in the list of servers, underneath the option "Fail Through," I did see my server listed. I suppose that list is only active when Fail Through is checked?

     

    Thanks!
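
Added example (not part of any post in this thread): a Python check that parses "show user" output in the layout quoted in post 1 and flags sessions whose "reauth:" interval differs from the Session-Timeout the RADIUS server is expected to return. The function names and the expected value passed in are assumptions for illustration; the sample lines are abbreviated from the output in post 1.

```python
import re

# Sample input: abbreviated from the two "show user" entries quoted in post 1
# (only the lines this check reads are kept).
SAMPLE = """\
Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
Timers: ping_reply 0, spoof reply 0, reauth 277653068
Profiles AAA:Organization-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon'
Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
Timers: ping_reply 0, spoof reply 0, reauth 279180852
Profiles AAA:Trinity-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon'
"""

# "reauth: N" (with colon) is the interval in seconds; the "Timers:" line
# carries "reauth N" without a colon and is deliberately not matched.
FIELDS = {
    "name": re.compile(r"^Name: ([^,]+),"),
    "mac": re.compile(r"MAC: ([0-9a-f:]{17})", re.I),
    "method": re.compile(r"method: (\w+)"),
    "server": re.compile(r"server: (\S+)"),
    "reauth": re.compile(r"\breauth: (\d+)"),
    "aaa_profile": re.compile(r"Profiles AAA:([^,]+),"),
}

def parse_show_user(text):
    """Return one dict per user entry; each entry starts at a 'Name:' line."""
    sessions = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Name:"):
            sessions.append({})
        if not sessions:
            continue  # skip anything before the first entry
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m and key not in sessions[-1]:
                sessions[-1][key] = m.group(1)
    return sessions

def find_timeout_mismatches(sessions, expected_timeout):
    """Sessions whose effective reauth interval is not the expected value."""
    return [s for s in sessions
            if "reauth" in s and int(s["reauth"]) != expected_timeout]

if __name__ == "__main__":
    for s in find_timeout_mismatches(parse_show_user(SAMPLE), 60):
        print(f"{s['mac']} method={s['method']} profile={s['aaa_profile']} "
              f"reauth={s['reauth']}s (expected 60s)")
```

A mismatch on MAC-authenticated sessions only, as in the sample, points at the MAC authentication path of that AAA profile rather than at the RADIUS server's response.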