ArubaOS: 6.1.3.9
I've set up an authentication system to use dual authentication: macauth and captive portal.
This setup works great; however, I have a question about the RADIUS attribute Session-Timeout and when it's honoured.
If Macauth is successful, a Session-Timeout value is passed back from RADIUS, along with an authenticated role.
However, if Macauth is not successful, I'm still accepting the device (Access-Accept), but am returning a logon role (and no Session-Timeout) to get them connected with the Captive Portal.
My question is this: If I decide to return a Session-Timeout when I'm directing a device to the captive portal (let's say 3600 to stop the device from constantly macauthing), does the Session-Timeout returned from Captive Portal authentication override the Macauth Session-Timeout?
I notice that when I have this setup enabled, I only ever see Macauth referenced with Session-Timeouts...
I don't see any reference to the Session-Timeout returned by RADIUS when authenticating via the Captive Portal.
Name: something, IP: 172.25.2.152, MAC: 00:11:22:33:44:55, Role:authenticated, ACL:57/0, Age: 00:02:32
Authentication: Yes, status: started, method: Web, protocol: PAP, server: someserver
Bandwidth contract = 2Mbps (2000000 bits/sec), Per-user
Bandwidth contract = 15Mbps (15000000 bits/sec), Per-user
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wired, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: Wired, reauth: 451140, BW Contract: up:35 down:36, user-how: 9
Vlan default: 307, Assigned: 307, Current: 307 vlan-how: 0 DP assigned vlan:307
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1041, Port=0x1041 (1/1)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: authenticated, role-how: 7, L2-role: logon, L3-role: authenticated
Essid: , Bssid: AP name/group: 1/1/ Phy-type: Wired
RadAcct sessionID:58B0356158B03561F4F7-29882
RadAcct Traffic In 82994/94929857 Out 44939/16882122 (1:17458/0:0:1448:33729,0:44939/0:0:257:39370)
Timers: ping_reply 0, spoof reply 0, reauth 283094940, mac reauth 0
Profiles AAA:default-mac-auth, dot1x:, mac:default CP: def-role:'logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1374465184 (Sun Jul 21 19:53:04 2013)
Core User Born: 1374465184 (Sun Jul 21 19:53:04 2013)
Upstream AP ID: 0, Downstream AP ID: 0
Device Type: iTunes/11.0.4 (Macintosh; OS X 10.8.4) AppleWebKit/536.30.1
Mac-Auth Session Timeout Value from Radius: 3600