Question : Why are wireless clients connected to a captive portal SSID not getting an IP if they disconnect and re-connect in quick succession?
Environment Information : Any Aruba OS, any Aruba AP, any Aruba Controller
Symptoms : Working wireless clients are unable to get an IP address if they disconnect and reconnect to wireless. If we clear the user entry using "aaa user delete mac <user-mac>", the user is able to connect and get an IP address.
We keep the L3 entry (user-table) of the user until the "User Idle-Timeout" timer expires. This is 5 minutes by default. Hence, if an authenticated captive-portal user disconnects from wireless and reconnects within that window (5 minutes, say), the user is placed straight into the post-auth role on the Controller. If the post-auth role is restrictive enough, it can block DHCP and so prevent the user from getting an IP address.
If a captive portal authenticated user disconnects from the wireless and reconnects within the "user idle-timeout" period (default 5 minutes), then the user will be pushed directly to the post-authentication role on the Controller. However, the user will still need to either renew its IP address or get a new IP address from DHCP. This attempt to acquire a new IP address or renew the existing one will fail if DHCP is blocked in the post-authenticated role. Hence we can resolve this issue by allowing DHCP on the post-authenticated role.
For the duration of the idle-user timeout (default is 5 minutes), we remember the user IP (L3) entry for authenticated users on the Controller. This is especially useful for captive portal authenticated users that reconnect to the wireless within a short time, so that they do not need to re-authenticate at the captive portal page again. If an authenticated user disconnects from wireless and reconnects within the configured "user idle-timeout", then we will push the user directly to the post-authentication role. Now, since the user disconnected from wireless and reconnected, it will try to do a "DHCP DISCOVER". We hence need to allow "DHCP" on the post-authenticated role to allow the user to get an IP address this time.

For example: Consider a user in post-authenticated role "webaccess". Configuration before change:
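One way to catch this condition before users hit it is to audit a saved configuration for roles that do not permit DHCP. The following is an added example, not code from the original article or from Aruba: it assumes a running-config layout of "ip access-list session" and "user-role" stanzas with four-token rules, models first-match evaluation with an implicit deny, and uses constructed ACL and role names.

```python
import re

# Constructed sample; assumes stanzas at column 0 and rules "<src> <dst> <service> <action>".
SAMPLE_CONFIG = """\
ip access-list session dhcp-acl
  any any svc-dhcp permit
!
ip access-list session web-only
  user any svc-http permit
!
ip access-list session lockdown
  any any svc-dhcp deny
!
user-role webaccess
  access-list session web-only
!
user-role webaccess-fixed
  access-list session dhcp-acl
  access-list session web-only
!
user-role kiosk
  access-list session lockdown
  access-list session dhcp-acl
"""

def parse_stanzas(config, header):
    """Map stanza name -> list of token lists, one per indented body line."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if m := re.match(rf"{header}\s+(\S+)\s*$", line):
            current = stanzas.setdefault(m.group(1), [])
        elif current is not None and line[:1] in (" ", "\t"):
            current.append(line.split())
        else:
            current = None  # "!" or any other column-0 line ends the stanza
    return stanzas

def roles_blocking_dhcp(config):
    """Return {role: reason} for roles whose first DHCP-matching rule is not a permit."""
    acls = parse_stanzas(config, "ip access-list session")
    blocked = {}
    for role, body in parse_stanzas(config, "user-role").items():
        applied = [t[2] for t in body if t[:2] == ["access-list", "session"] and len(t) > 2]
        # Walk ACLs in applied order; the first rule for svc-dhcp or any service decides.
        rules = [r for acl in applied for r in acls.get(acl, []) if len(r) >= 2]
        verdict = next((r[-1] for r in rules if r[-2] in ("svc-dhcp", "any")), "implicit-deny")
        if verdict != "permit":
            blocked[role] = verdict
    return blocked
```

Calling `roles_blocking_dhcp(SAMPLE_CONFIG)` flags `webaccess` (no DHCP rule at all) and `kiosk` (a deny listed ahead of the permit), while `webaccess-fixed` passes because its DHCP permit is evaluated first.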
Hi, we have a 7220 wireless controller and 697 APs. Users keep re-authenticating after a short time. I actually tried configuring the AAA profile User-Idle timeout to 15300 secs and even the global settings, but users are experiencing disconnections, reportedly even while playing games and active for 30 minutes.
Any suggestions on this?
Phil-Data Business Systems Inc.
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.