Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

user cannot disconnect from SSID after CP authentication

This thread has been viewed 15 times
  • 1.  user cannot disconnect from SSID after CP authentication

    Posted 23 days ago

    Hello,

     

    I'm setting up a captive portal SSID for visitors on a new aruba controller environment, which consists of a MM/VA and 2 physical 7205 controllers, running arubaOS 8.9.0.0. The captive portal is located on a CPPM cluster and is currently working fine for our legacy IAP cluster (being transitionned to the new arubaOS cluster).

     

    But I'm facing a big issue. Once the guest has been registered onto the CP, when I switch OFF and ON the wifi on the wireless mobile, the device is not disconnected and swapped onto the visitor VLAN. In fact the MAC authentication service is never triggered from CPPM. Instead the CP slash page keeps recurring asking for the same visitor information.

     

    I figured out this is due to the guest association with the SSID which is NOT cleared, and last 10mn before going away.

    If I disconnect manually the guest on the monitoring controller, it reconnects to the visitor VLAN correctly.

    So the issue seems to be related to guest sticky association to the SSID, not immediately cleared after the disconnection and reconnection.

     

    Question : So within the tons of parameters available in these controllers, is there a way to modify this behaviour, to make it compliant with the IAP?

     

    Extra question : The « disconnection » should normally be triggered by a ClearPass policy   via a Radius CoA/Disconnect, but it is either not sent by CPPM, or NOT received by the controllers. How to troubleshoot this?

     

    Any hints or suggestion is welcome.

     

    Thanks in advance

    Ray



    ------------------------------
    Raymond Papaux
    ------------------------------


  • 2.  RE: user cannot disconnect from SSID after CP authentication

    Posted 22 days ago
    Please share the service.

    ------------------------------
    Ratchapas Shatsa-Nga
    https://www.facebook.com/Aruba-News-Update-1401095559960142
    ------------------------------



  • 3.  RE: user cannot disconnect from SSID after CP authentication

    Posted 22 days ago
    Few things:
    - It's strongly deprecated to switch VLANs in a guest scenario. Use role switches instead, but in the same VLAN. VLAN switching requires the device to do a DHCP and not all devices support that properly.
    - It's strongly recommended to use 'Controller Initiated' when using Aruba WLAN (Instant or controller based); use Server initiated only in cases where there is no other alternative, like on wired or non Aruba. Controller Initiated works much more reliable and more smooth for the end-user. Yes, it requires a certificate on the controller/IAP, but the experience is just much better and with even one troubleshooting issue you get a return on your investment in a certificate.

    Are you using Controller initiated?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: user cannot disconnect from SSID after CP authentication

    Posted 22 days ago

    Thanks for these pertinent recommendations.

     

    I forgot to mention that, aside of IAPs we also have a legacy HP UWWL (ComWare) wireless system. This is the reason why we use "Server Initiated" CoA/Disconnect.

    So during the migration period (about 1 year) the guest portal must work with 3 different systems (UWWL, IAP and controllers).

     

    We are also using an isolated VLAN for Internet Access (so no access to internal devices such as CP portal). This VLAN is shared between guests and some other IoT devices which use Cloud Management exclusively.

     

    As I mentioned earlier the CP is working fine with 2 technologies, so I don't understand why it should not work with ArubaOS controllers.

     

    The real issue is these sticky guest clients which cannot be disconnected when you switch the WiFi OFF on the client devices.

    Is there a way to suppress he association delay (roughly 5-10mn) so that the AP behave just like current IAPs?

    If I can do that it will work.

     

    Best Regards

    Ray

     






  • 5.  RE: user cannot disconnect from SSID after CP authentication

    Posted 21 days ago
    You can have a child self-registration that has a different login method (eg server-initiated) to the parent but is otherwise the same - I have this set up and working.

    I do have the same question, how to make the Aruba controllers do a AAA RADIUS query when the device disconnects and reconnects, it seems to cache the output for a period of time (more than an hour, since I had a policy with a timeout of 3600s and the device would get disconnected, but on reconnect it would get the same policy and so still be timed out, rather than have a full RADIUS request sent to clearpass which would have hit the MAC caching policy).

    ------------------------------
    James Andrewartha
    ------------------------------