
Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

ArubaOS: 6.1.3.9

 

I've set up an authentication system to use dual authentication: macauth, and captive portal.

This setup works great; however, I have a question about the Radius Attribute Session-Timeout and when it's honoured.


If Macauth is successful, a Session-Timeout value is passed back from Radius, along with an authenticated role.

However, if Macauth is not successful, I'm still accepting the device (Access-Accept), but am returning a logon role (and no Session-Timeout) to get them connected with the Captive Portal.

 

My question is this: If I decide to return a Session-Timeout when I'm directing a device to the captive portal (let's say 3600 to stop the device from constantly macauthing), does the Session-Timeout returned from Captive Portal authentication override the Macauth Session-Timeout?

 

I notice that when I have this setup enabled, I only ever see Macauth referenced with Session-Timeouts...
I don't see any reference to the Session-Timeout returned by Radius when authenticating via the Captive Portal.

 

 

 

Name: something, IP: 172.25.2.152, MAC: 00:11:22:33:44:55, Role:authenticated, ACL:57/0, Age: 00:02:32
Authentication: Yes, status: started, method: Web, protocol: PAP, server: someserver
Bandwidth contract = 2Mbps (2000000 bits/sec), Per-user
Bandwidth contract = 15Mbps (15000000 bits/sec), Per-user
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wired, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: Wired, reauth: 451140, BW Contract: up:35 down:36, user-how: 9
Vlan default: 307, Assigned: 307, Current: 307 vlan-how: 0 DP assigned vlan:307
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0x1041, Port=0x1041 (1/1)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
    Current Role name: authenticated, role-how: 7, L2-role: logon, L3-role: authenticated
Essid: , Bssid:  AP name/group: 1/1/ Phy-type: Wired
RadAcct sessionID:58B0356158B03561F4F7-29882
RadAcct Traffic In 82994/94929857 Out 44939/16882122 (1:17458/0:0:1448:33729,0:44939/0:0:257:39370)
Timers: ping_reply 0, spoof reply 0, reauth 283094940, mac reauth 0
Profiles AAA:default-mac-auth, dot1x:, mac:default CP: def-role:'logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1374465184 (Sun Jul 21 19:53:04 2013)
Core User Born: 1374465184 (Sun Jul 21 19:53:04 2013)
Upstream AP ID: 0, Downstream AP ID: 0
Device Type: iTunes/11.0.4 (Macintosh; OS X 10.8.4) AppleWebKit/536.30.1
Mac-Auth Session Timeout Value from Radius: 3600

 

 

Re: Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

Has the attribute been mapped in the radius policy for the specific group the user belongs to, where the user enters the credentials to do CP authentication against the server? If you are using CPPM, please enable debugging for radius and look for the hit with regard to the "Session-Timeout" attribute.

 

We could also enable packet-capture on the controller for the radius port to capture what is returned from radius to the controller.

 

# packet-capture udp 1812

 

Once we enable the capture, retest the client one more time and download the logs.tar from the controller; look for the file filter.pcap to review the radius captures.

 

To disable the capture, use the command below:

 

# packet-capture udp disable

 

Thanks!

 

****************************************************************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
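
An added example (not part of the thread and not Aruba's code): once the RADIUS payloads have been pulled out of filter.pcap, a short parser can confirm whether each Access-Accept actually carries Session-Timeout (attribute type 27 in RFC 2865). The sample packets, the 28800 value and all function names are constructed for illustration, and extracting the UDP payloads from the pcap is assumed to be done separately.

```python
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
USER_NAME = 1          # attribute type
SESSION_TIMEOUT = 27   # attribute type, 4-byte unsigned integer (seconds)


def build_accept(identifier, attrs):
    """Build a constructed Access-Accept with a zeroed authenticator (demo only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(body), b"\0" * 16)
    return header + body


def parse_attributes(packet):
    """Yield (type, value) pairs from one RADIUS packet (the UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def session_timeout(packet):
    """Return Session-Timeout in seconds from an Access-Accept, or None if absent."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in parse_attributes(packet):
        if atype == SESSION_TIMEOUT and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


# Constructed sample payloads (not taken from the poster's capture).
MAC_AUTH = build_accept(1, [(USER_NAME, b"001122334455"), (SESSION_TIMEOUT, struct.pack("!I", 3600))])
PORTAL = build_accept(2, [(USER_NAME, b"something"), (SESSION_TIMEOUT, struct.pack("!I", 28800))])
NO_TIMEOUT = build_accept(3, [(USER_NAME, b"something")])

if __name__ == "__main__":
    for label, pkt in (("mac-auth", MAC_AUTH), ("captive portal", PORTAL), ("no timeout", NO_TIMEOUT)):
        print(label, session_timeout(pkt))
```

This only shows what the RADIUS server sent in each Access-Accept; which value the controller applies still has to be read from the user entry on the controller.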

 

 

 


Re: Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

I should mention that I control the radius server.
So I can guarantee that the session timeout attribute is being sent to the controller.

Assuming it is being sent, does it override a previously sent session timeout during macauth?

Re: Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

Yes, if you guarantee the session attribute is sent to the controller, then obviously this is going to override the previously sent session timeout during macauth.

 

Thanks !

 


 

 
