Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

  • 1.  Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

    Posted Jul 23, 2013 08:12 PM

    ArubaOS: 6.1.3.9

     

    I've set up an authentication system to use dual authentication: macauth and captive portal.

    This setup works great, however, I have a question about the Radius Attribute Session-Timeout and when it's honoured.


    If Macauth is successful, a Session-Timeout value is passed back from Radius, along with an authenticated role.

    However, if Macauth is not successful, I'm still accepting the device (Access-Accept), but am returning a logon role (and no Session-Timeout) to get them connected with the Captive Portal.

     

    My question is this: If I decide to return a Session-Timeout when I'm directing a device to the captive portal (let's say 3600 to stop the device from constantly macauthing), does the Session-Timeout returned from Captive Portal authentication override the Macauth Session-Timeout?

     

    I notice that when I have this setup enabled, I only ever see Macauth referenced with Session-Timeouts...
    I don't see any reference to the Session-Timeout returned by Radius when authenticating via the Captive Portal.

     

     

     

    Name: something, IP: 172.25.2.152, MAC: 00:11:22:33:44:55, Role:authenticated, ACL:57/0, Age: 00:02:32
    Authentication: Yes, status: started, method: Web, protocol: PAP, server: someserver
    Bandwidth contract = 2Mbps (2000000 bits/sec), Per-user
    Bandwidth contract = 15Mbps (15000000 bits/sec), Per-user
    Role Derivation: Aruba VSA
    VLAN Derivation: unknown
    Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
    Mobility state: Wired, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
    Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
    Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
    Auth fails: 0, phy_type: Wired, reauth: 451140, BW Contract: up:35 down:36, user-how: 9
    Vlan default: 307, Assigned: 307, Current: 307 vlan-how: 0 DP assigned vlan:307
    Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
    Tunnel=0, SlotPort=0x1041, Port=0x1041 (1/1)
    Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
        Current Role name: authenticated, role-how: 7, L2-role: logon, L3-role: authenticated
    Essid: , Bssid:  AP name/group: 1/1/ Phy-type: Wired
    RadAcct sessionID:58B0356158B03561F4F7-29882
    RadAcct Traffic In 82994/94929857 Out 44939/16882122 (1:17458/0:0:1448:33729,0:44939/0:0:257:39370)
    Timers: ping_reply 0, spoof reply 0, reauth 283094940, mac reauth 0
    Profiles AAA:default-mac-auth, dot1x:, mac:default CP: def-role:'logon' sip-role:'' via-auth-profile:''
    ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
    IP Born: 1374465184 (Sun Jul 21 19:53:04 2013)
    Core User Born: 1374465184 (Sun Jul 21 19:53:04 2013)
    Upstream AP ID: 0, Downstream AP ID: 0
    Device Type: iTunes/11.0.4 (Macintosh; OS X 10.8.4) AppleWebKit/536.30.1
    Mac-Auth Session Timeout Value from Radius: 3600

     

     




  • 2.  RE: Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

    Posted Jul 23, 2013 08:49 PM

    Do we have the attribute configuration mapped to the radius policy for the specific group the user belongs to, where the user enters the credentials to do CP authentication against the server? If you are using CPPM, please enable debugging for radius and look for the hit with regard to the "Session-Timeout" attribute.

     

    We could also enable packet-capture on the controller for the radius port to capture what is returned from radius to the controller.

     

    # packet-capture udp 1812

     

    Once we enable the capture, retest the client one more time and download the logs.tar from the controller; look for the file filter.pcap to review the radius captures.

     

    To disable the capture, use the command below:

     

    # packet-capture udp disable

     

    Thanks!

     

    ****************************************************************************
    Aruba Airheads - Powered By community for empower the community
    ************ Don't Forget to Kudos + me,If i helped you******************
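
Added example, not part of any post in this thread: a small parser for the RADIUS UDP payloads found in a capture such as filter.pcap, to confirm whether each Access-Accept (macauth and captive portal) carries Session-Timeout (attribute 27) next to the Aruba-User-Role VSA. The sample packets are constructed; the 7200 value and the function names are assumptions.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC, SESSION_TIMEOUT = 2, 26, 27  # RFC 2865 numbers
ARUBA_VENDOR_ID, ARUBA_USER_ROLE = 14823, 1  # Aruba VSA: vendor id, role sub-type


def parse_radius(packet: bytes) -> dict:
    """Extract Session-Timeout and Aruba-User-Role from one RADIUS UDP payload.
    The Response Authenticator is not verified; this only reads a capture."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS length field does not match the payload")
    found = {"code": code, "id": ident, "session_timeout": None, "role": None}
    pos = 20  # attributes start after code, id, length and authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        value = packet[pos + 2:pos + alen]
        if atype == SESSION_TIMEOUT and len(value) == 4:
            found["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if (vendor, vtype) == (ARUBA_VENDOR_ID, ARUBA_USER_ROLE) \
                    and 2 <= vlen <= len(value) - 4:
                found["role"] = value[6:4 + vlen].decode("ascii", "replace")
        pos += alen
    return found


def build_accept(ident: int, role: str, timeout=None) -> bytes:
    """Constructed Access-Accept with a zeroed authenticator (sample data only)."""
    vsa = struct.pack("!IBB", ARUBA_VENDOR_ID, ARUBA_USER_ROLE, 2 + len(role))
    attrs = bytes([VENDOR_SPECIFIC, 2 + len(vsa) + len(role)]) + vsa + role.encode()
    if timeout is not None:
        attrs += bytes([SESSION_TIMEOUT, 6]) + struct.pack("!I", timeout)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + bytes(16) + attrs


# Constructed samples mirroring the thread: macauth reply, then two portal replies.
MACAUTH_ACCEPT = build_accept(1, "logon", 3600)
PORTAL_ACCEPT = build_accept(2, "authenticated", 7200)
PORTAL_NO_TIMEOUT = build_accept(3, "authenticated")

if __name__ == "__main__":
    for pkt in (MACAUTH_ACCEPT, PORTAL_ACCEPT, PORTAL_NO_TIMEOUT):
        print(parse_radius(pkt))
```

A portal Access-Accept that parses with `session_timeout` set to `None` means the server never sent the attribute on that reply, which is a server-side policy question rather than a controller one.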

     

     

     



  • 3.  RE: Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

    Posted Jul 23, 2013 11:16 PM
    I should mention that I control the radius server.
    So I can guarantee that the session timeout attribute is being sent to the controller.

    Assuming it is being sent, does it override a previously sent session timeout during macauth?


  • 4.  RE: Radius Session-Timeout Honoured When Using Macauth and Captive Portal Authentication

    Posted Jul 24, 2013 06:06 AM

    Yes, if you guarantee the session attribute is sent to the controller, then obviously this is going to override the previously sent session timeout during macauth.

     

    Thanks !

     
