Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

users not getting cleared by timeout

  • 1.  users not getting cleared by timeout

    Posted Mar 23, 2012 02:20 PM

    Hello,

     

    I have users in the user table that have been there for hours in an unauthenticated role. Is there a way to disassociate these stations after a certain period? I can't seem to find an appropriate value...

     

    I have an 802.1x aaa profile configured with timeout values as follows:

    Reauthentication Interval: 24 hrs (default)

    and

    show aaa timers:

    User idle timeout = 900 second
    auth server dead time = 10 minutes
    logon user lifetime = 5 mins
    user interim stats frequency = 600 seconds


    Any ideas?

     

    Thanks,

    Dave



  • 2.  RE: users not getting cleared by timeout

    Posted Mar 23, 2012 02:47 PM
    Hi. After the user idle timeout expires, the controller attempts to contact the client with either an ARP or a ping. If it gets a response, it maintains the entry in the user table, regardless of the role. Is it possible that the client is still reachable? Hope this helps. - Jay


  • 3.  RE: users not getting cleared by timeout

    Posted Mar 23, 2012 03:11 PM

    Say a user's mobile phone connects to an open ssid whilst in their pocket, and they never go through the captive portal login. I assume they would remain in the association table for as long as they're near the AP, right? 



  • 4.  RE: users not getting cleared by timeout

    Posted Mar 23, 2012 05:38 PM
    Unfortunately, that's correct. It's particularly problematic if you're using a security schema which grants an IP address before auth (such as captive portal). In that case, it is possible that your DHCP pool will be exhausted by 'accidental' associations. Some relief can be found by hiding the SSID, which will prevent accidental associations by some devices, but it won't prevent all. Hope this helps! - Jay
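
A monitoring check for the situation discussed in this thread, as an added example that is not part of any poster's reply and not HPE Aruba code: it flags clients that stay in a pre-auth role longer than the logon user lifetime and reports their share of the DHCP pool. The row layout, the role name `logon` and the pool size are assumptions made for the example.

```python
from typing import NamedTuple

# Constructed sample rows: IP, MAC, role, age as d:h:m. This simplified layout
# is an assumption for the example, not verbatim controller output.
SAMPLE_ROWS = """\
10.1.20.11 00:11:22:33:44:01 logon 00:05:42
10.1.20.12 00:11:22:33:44:02 authenticated 00:01:10
10.1.20.13 00:11:22:33:44:03 logon 00:00:03
10.1.20.14 00:11:22:33:44:04 logon 01:02:00
this line is malformed and is skipped
"""

PREAUTH_ROLES = {"logon"}   # assumption: name of the unauthenticated role
MAX_PREAUTH_MINUTES = 5     # "logon user lifetime = 5 mins" from the thread


class Entry(NamedTuple):
    ip: str
    mac: str
    role: str
    age_min: int


def age_minutes(age: str) -> int:
    days, hours, minutes = (int(p) for p in age.split(":"))
    return (days * 24 + hours) * 60 + minutes


def parse_rows(text: str) -> list[Entry]:
    """Parse rows, skipping lines that do not match the expected shape."""
    entries = []
    for line in text.splitlines():
        try:
            ip, mac, role, age = line.split()
            entries.append(Entry(ip, mac, role, age_minutes(age)))
        except ValueError:
            continue  # wrong field count or non-numeric age
    return entries


def stale_preauth(entries, limit=MAX_PREAUTH_MINUTES):
    """Entries still in a pre-auth role past the expected lifetime."""
    return [e for e in entries if e.role in PREAUTH_ROLES and e.age_min > limit]


def pool_report(entries, pool_size):
    """Count stale pre-auth clients and their share of the DHCP pool."""
    stale = len(stale_preauth(entries))
    return {"entries": len(entries), "stale": stale, "stale_share": stale / pool_size}
```

Run on a schedule against an export of the user table, a rising `stale_share` gives early warning of the pool exhaustion described in the last reply.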