Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Session Timeout and Inactive Timeout

  • 1.  Session Timeout and Inactive Timeout

    Posted Dec 08, 2014 08:20 AM

    I tried to find info on session timeout and inactive timeout but have yet to find any conclusive answers. I am running 6.3.X.X firmware.

    I want to achieve the following:

    1) Set inactivity timeout, meaning if the client is idle for 5 mins, they will be kicked out.

    2) Set session timeout, meaning if the client is connected for 30 mins, they will be kicked out.

    Can this be done when using captive portal for guests? (Only email is required.)

    Can this be done using 802.1x authentication?

    I know there is 'User Idle Timeout' and 'Reauthentication Interval' but I am not sure if they are related to what I want to achieve.

    Thanks in advance!



  • 2.  RE: Session Timeout and Inactive Timeout

    EMPLOYEE
    Posted Dec 08, 2014 08:36 AM

    User idle timeout would be used for guest users.

     

    Session timeout can be used with 802.1X but you'll need a RADIUS server that can return a session timeout and you'll also have to enable RADIUS accounting.



  • 3.  RE: Session Timeout and Inactive Timeout

    Posted Dec 08, 2014 09:08 AM

    Thanks for the reply. Can I say that by setting 'User Idle Timeout', it will cater for my inactivity timeout for both captive portal and 802.1x? So what happens when it times out? Would the client be disconnected from the SSID?

    Based on what you said for session timeout, the session timeout is controlled by RADIUS rather than my controller? Is there anything I need to set on my controller? Does the reauthentication interval in AAA play a part? Can session timeout be implemented for captive portal?



  • 4.  RE: Session Timeout and Inactive Timeout

    EMPLOYEE
    Posted Dec 08, 2014 10:05 AM

    rayoflight,

     

    If you are running ArubaOS 6.3 and above, for Captive Portal connections, you can use the Captive Portal Authentication Profile "user idle timeout" which overrides the global idle timeout.  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Captive_Portal/Captive_Portal_Authentic.htm

     

    "The user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used."

     

    In 802.1x, when the supplicant authenticates users automatically, you do not need to adjust the timeout...



  • 5.  RE: Session Timeout and Inactive Timeout

    Posted Dec 08, 2014 10:22 AM
    Thanks for the reply.

    Can I say that if idle timeout is set, for example I put 30 seconds under the captive portal authentication profile, and I do not have activity for 30 secs, I will be disconnected from the network? Would I be disconnected, or will I be required to sign in again? Which is correct?

    As for 802.1x, be it WPA2 Enterprise or PSK, is there a way to set the idle timeout?

    How about session timeout? Any way to do it? Thanks


  • 6.  RE: Session Timeout and Inactive Timeout

    EMPLOYEE
    Posted Dec 08, 2014 10:26 AM

    rayoflight,

     

    The reason why the user idle timeout exists is to allow a user who roams out of coverage temporarily or closes his/her laptop to not have to reauthenticate.  With PSK and 802.1x networks this is not an issue.  With captive portal, since the user would have to re-login to the webpage it IS an issue.  By default the idle-timeout gives a captive portal user 5 minutes without having to reauthenticate.  

     

    Set the captive portal idle timeout to whatever number you need this to be in seconds, so that your captive portal users can avoid having to login for that period of time when their laptop is closed.

     



  • 7.  RE: Session Timeout and Inactive Timeout

    Posted Dec 08, 2014 10:38 AM
    Thanks for the reply. I get what you mean. But what my user wants is different. They want to kick the client out if they are idle for 5 mins, and each connection is limited to only 30 mins. Any solution to it?


  • 8.  RE: Session Timeout and Inactive Timeout

    EMPLOYEE
    Posted Dec 08, 2014 10:53 AM

    By default a user who sends no traffic will be removed after 5 minutes.  

     

    You will need an external RADIUS server like ClearPass to set a session limit of 30 minutes.

    When the 30 minutes is up, what do you want the user to do?  If you do not want them to be able to log in with the same credentials after their session is over, you need an external guest access server like ClearPass to remove the account that was created, so that they cannot log in again after they are "kicked off" and see the captive portal again.

     

     



  • 9.  RE: Session Timeout and Inactive Timeout

    Posted Dec 08, 2014 11:13 AM
    Thanks for the reply.

    By default, a user who sends no data will be removed. This I understand. This means if the user is disconnected, right? Because when the user is connected and not doing anything, there is still some traffic going through, right? This won't really meet my requirement of 'kicking' out the user. Can it even be done?

    Actually I do have a ClearPass, but my captive portal is not going through the ClearPass. It's the customer's decision. Can I use just ClearPass to limit the session? Meaning not using ClearPass as captive portal or RADIUS, just purely for limiting the session.

    Having said that, can I confirm that limiting the sessions can only be done via ClearPass and is not doable in the controller?


  • 10.  RE: Session Timeout and Inactive Timeout

    EMPLOYEE
    Posted Dec 08, 2014 11:19 AM

    On the controller, in the user role, there is a "Re-authentication Interval" parameter that will force a user to re-authenticate every X interval.  If you make that 30 minutes, a user on a device will be forced to reauthenticate every 30 minutes.  For 802.1x and PSK networks, this is useless.  If you force the user to authenticate after 30 minutes, if their account still exists, they can still log in again.  You need ClearPass to both expire the user and remove the account.



  • 11.  RE: Session Timeout and Inactive Timeout

    Posted Dec 10, 2014 11:03 AM

    Hey, thanks for all the replies.

    Based on the replies, can I conclude the following?

    1) When setting 'User Idle Timeout', it will not boot the user although the user is 'idle' for X mins? That is because even if the client is 'idling', there is still some traffic going on? This user idle timeout setting is for when the user gets disconnected from the network; then after X mins, it will be removed from the controller.

    2) Reauthentication interval works for all authentication methods, just that 802.1x will be 'invisible' to the user. As for captive portal, if let's say the interval is 5 mins, after 5 mins the user will need to reauthenticate again, which will be directed to the captive portal again.

    3) The only way to do session timeout is via ClearPass.

     



  • 12.  RE: Session Timeout and Inactive Timeout
    Best Answer

    EMPLOYEE
    Posted Dec 10, 2014 11:09 AM
    1. Correct
    2. Reauthentication Interval really only works for Captive Portal. If it is captive portal, and the user has valid credentials, the user can still logon again.
    3. ClearPass is the best way to limit sessions by disconnecting users and disabling their accounts. The controller cannot do both of those functions.


  • 13.  RE: Session Timeout and Inactive Timeout

    Posted Feb 12, 2015 10:23 PM

    Hi,

    I have a similar issue.

    I have an IAP with the reauth timer set to 0.

    FreeRADIUS returns session-timer 120s.

    If I set up captive portal using the RADIUS server, the session is stopped after 120s.

    The IAP can force the user to reauthenticate via captive portal.

    That's okay.

    However, if I set the employee SSID with WPA2-Enterprise (802.1x):

    IAP with the reauth timer set to 0

    FreeRADIUS returns session-timer 120s,

    I checked the RADIUS records; there is no reauthentication RADIUS/EAP message coming in for a long period of time. I can only see accounting information.

    Then I tried setting the reauth timer to 3 min, and the IAP then causes the user to send a reauthentication after 3 min.

    It seems that the IAP only follows the reauth timer setting in the IAP GUI but not the session-timer from RADIUS.

    May I know whether IAP 105 version 6.3 supports session-timer from RADIUS for 802.1x authentication?

    Thank you
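
Added example (not part of the thread and not Aruba or FreeRADIUS code): when checking RADIUS records as described in the post above, the first thing to confirm is which session-limit attributes the Access-Accept actually carried. This Python sketch decodes a raw RADIUS reply and reports Session-Timeout, Idle-Timeout and Termination-Action (RFC 2865 types 27, 28, 29); the sample packet is constructed, its authenticator is all zeros and is not verified, and `build_accept` and `session_controls` are hypothetical helper names.

```python
import struct

ACCESS_ACCEPT = 2
# Attribute type numbers from RFC 2865
SESSION_TIMEOUT, IDLE_TIMEOUT, TERMINATION_ACTION = 27, 28, 29
NAMES = {27: "Session-Timeout", 28: "Idle-Timeout", 29: "Termination-Action"}


def parse_attributes(packet: bytes):
    """Return (code, [(type, value_bytes), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"attribute {a_type} has invalid length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def session_controls(packet: bytes) -> dict:
    """Extract the session-limit attributes from an Access-Accept."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    found = {name: None for name in NAMES.values()}
    for a_type, value in attrs:
        if a_type in NAMES:
            if len(value) != 4:
                raise ValueError(f"{NAMES[a_type]} must be a 32-bit integer")
            found[NAMES[a_type]] = struct.unpack("!I", value)[0]
    return found


def build_accept(attrs):
    """Build a constructed Access-Accept from (type, int) pairs for testing."""
    body = b"".join(bytes([t, 6]) + struct.pack("!I", v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample: Session-Timeout=120, Idle-Timeout=300, no Termination-Action
SAMPLE = build_accept([(SESSION_TIMEOUT, 120), (IDLE_TIMEOUT, 300)])

if __name__ == "__main__":
    print(session_controls(SAMPLE))
```

A `None` for Termination-Action is worth noting on 802.1X SSIDs: RFC 3580 treats Session-Timeout with Termination-Action set to RADIUS-Request (1) as a reauthentication period, and without it as a limit before the session is terminated.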

     

     

     



  • 14.  RE: Session Timeout and Inactive Timeout

    Posted Feb 15, 2015 06:29 AM

    I would advise you to start a new thread and not jump on an old one which isn't exactly your issue either.

    As for your specific situation, I kinda assume that with a captive portal the RADIUS timeout doesn't have an effect on the user setting. Even though you authenticate against RADIUS, it remains captive portal that allows access.



  • 15.  RE: Session Timeout and Inactive Timeout

    Posted Feb 15, 2015 08:27 PM

    I see

    Thanks

     



  • 16.  RE: Session Timeout and Inactive Timeout

    Posted May 12, 2016 12:03 PM

    Can you explain this using CPPM.  I have been looking all over the forms in CPPM to change that for two SSID's.



  • 17.  RE: Session Timeout and Inactive Timeout

    EMPLOYEE
    Posted May 12, 2016 12:26 PM

    This thread has multiple topics. What are you looking to do?



  • 18.  RE: Session Timeout and Inactive Timeout

    Posted May 12, 2016 01:30 PM

    I have two SSIDs where users use captive portal.  On one SSID I want the user to have a time limit of 4 hours and a session timeout longer than five minutes.  With the other SSID I want to give them 12 hours since that is their shift time, and I would also like to change their session and inactivity timeout time.



  • 19.  RE: Session Timeout and Inactive Timeout

    EMPLOYEE
    Posted May 12, 2016 01:52 PM

    Do you have ClearPass?  If yes, I'm going to make this its own topic and move it to the NAC forum for better visibility.