Wireless Access

Reply
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Session Timeout and Inactive Timeout

i tried to find the info of session timeout and inactive timeout but yet to have any conclusive answers. I am running on 6.3.X.X firmware

 

i want to achieve the following

1) set inactivity timeout, meaning if the client is idle for 5mins, they will kicked out

2) set session timeout, meaning if the client is connected for 30mins, they will be kicked out

 

can this be done when using captive portal for guest? (only email is required) 

can this be done using 802.1x authentication?

 

I know there is 'User Idle Timeout' and 'Reauthentication Interval' but not sure if there are related to what I want to achieve. 

 

thanks in advance!

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Session Timeout and Inactive Timeout

User idle timeout would be used for guest users.

 

Session timeout can be used with 802.1X but you'll need a RADIUS server that can return a session timeout and you'll also have to enable RADIUS accounting.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Session Timeout and Inactive Timeout

thanks for the reply. can i say that by setting 'User Idle Timeout', it will cater for my inactivity timeout for both captive portal and 802.1x? so what happens when it gets timeout? would the client be disconnected from the ssid? 

 

base on what you said for session timeout, the session timeout is controlled by radius rather than my controller? is there anything i need to set on my controller? does reauthentication interval in aaa play apart? can session timeout be implemented for captive porter? 

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Session Timeout and Inactive Timeout

rayoflight,

 

If you are running ArubaOS 6.3 and above, for Captive Portal connections, you can use the Captive Portal Authentication Profile "user idle timeout" which overrides the global idle timeout.  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Captive_Portal/Captive_Portal_Authentic.htm

 

"The user idle timeout value for this profile. Specify the idle timeout value for the client in seconds. Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used."

 

In 802.1x, when the supplicant authenticates users automatically, you do not need to adjust the timeout...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Session Timeout and Inactive Timeout

thanks for the reply.

can I say that if idle time out is set, for example I put 30 seconds under captive portal authentication profile, if I do not have activitiy for 30 secs, I will be disconnected from the network? would I be disconnected or I will be required to sign in again? which is correct?

as for 802.1x, be it wpa2 enterprise or psk, is there a way to set the idle timeout?

how about session timeout? anyway to do it? thanks
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Session Timeout and Inactive Timeout

rayoflight,

 

The reason why the user idle timeout exists is to allow a user who roams out of coverage temporarily or closes his/her laptop to not have to reauthenticate.  With PSK and 802.1x networks this is not an issue.  With captive portal, since the user would have to re-login to the webpage it IS an issue.  By default the idle-timeout gives a captive portal user 5 minutes without having to reauthenticate.  

 

Set the captive portal idle timeout to whatever number you need this to be in seconds, so that your captive portal users can avoid having to login for that period of time when their laptop is closed.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Session Timeout and Inactive Timeout

thanks for the reply. I get what you mean. but what my user want is different. they want to kick client out if there are idle for 5 mins and each connection is only limits to 30 mins. any solution to it?
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Session Timeout and Inactive Timeout

By default a user who sends no traffic will be removed after 5 minutes.  

 

You will need an external Radius Server like clearpass to set a session limit of 30 minutes.

 

When the 30 minutes is up, what do you want the user to do?  If you do not want them to be able to login with the same credentials after their session is over, you need an external guest access server like clearpass to remove the account that was created, so that they cannot login again after they are "kicked off" and see the captive portal again.

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 78
Registered: ‎06-03-2014

Re: Session Timeout and Inactive Timeout

thanks for the reply.

by default user sends no data will be removed. this I understand. this means that if user is disconnected right? because when the user is connected and not doing anything there is still some traffic going through right? this won't really meet my requirement of 'kicking' out the user. can it even be done?

actually I do have a clearpass, but my captive portal is not going through the clearpass. its customer's decision. can I use just clearpass to limit the session? meaning not using clearpass as captive portal or radius, just purely for limiting the session.

having said that, can I confirm that limiting the sessions can only be done via clearpass but not doable in controller?
Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: Session Timeout and Inactive Timeout

On the controller, in the user role, there is a "Re-authentication Interval" parameter that will force a user to re-authenticate every X interval.  If you make that 30 minutes, a user on a device will be forced to reauthenticate every 30 minutes.  For 802.1x and PSK networks, this is useless.  If you force the user to authenticate after 30 minutes, if their account still exists, they can still login again.  You need clearpass to both expire the user and remove the account.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
Showing results for 
Search instead for 
Did you mean: