Good day. Need some help here, I am trying to achieve the following:
1/ MAC Authentication via Wired / Wireless (Open Authentication) - Working
2/ Allow MAC-authenticated devices to have access for 90 days - Having error
*Note: my testbed is set to 15 minutes for testing purposes
Here is the screenshot of my Enforcement Rules:
The error I am getting:
Once I removed the above Enforcement rules and added a simple [Authenticated Source = Vendor Authentication], everything seems to work perfectly normally.
Need some help to get it working, at the moment I cannot seem to figure out what is wrong :(
Thanks in advance :)
@victorfabian wrote:
Make sure you have the following enabled:
- Insight in CPPM
- Interim Accounting in CPPM
- Accounting in the WLC and Switches
Hmm, I have checked that the following are enabled. But I am still getting the same error :(
Interim Accounting is enabled (Service Parameters -> Log Accounting Interim-Update Packets = True)
Insight is enabled
Interim Accounting is enabled
Accounting Server Group are pointing to the right CPPM Server
Can you clarify whether you are doing any captive portal authentication prior to the MAC caching?
If you are just doing MAC authentication then I am not sure you can check the 'minutes-since-auth' attribute as this is not updated for a MAC authentication.
Can you post screenshots from the other tabs of your MAC auth service?
@dg27 wrote:
Can you clarify whether you are doing any captive portal authentication prior to the MAC caching? If you are just doing MAC authentication then I am not sure you can check the 'minutes-since-auth' attribute as this is not updated for a MAC authentication. Can you post screenshots from the other tabs of your MAC auth service?

Hmm, I am not using Captive Portal Authentication for this case, just purely MAC Authentication.
I see, now I have a rough understanding. Looking at the error, it seems like the attribute is not captured from the endpoint side. Hence CPPM cannot pull the information out to check.
So I have to actually enable Captive Portal for this case, in order for the "minutes-since-auth" attribute to work?
The minutes-since-auth field is used to identify the last time a user logged on with their username and password so this would require a captive portal.
What do you want to do with devices after the 90 days? Disconnect them? They would only reconnect again automatically unless you blacklisted them.
You could enforce a session timeout using the Radius:IETF Session-Timeout attribute in an enforcement profile but this requires the NAS client to support the authentication server setting the reauthentication interval. Again this would only disconnect the client temporarily as it is likely to automatically reconnect unless something is preventing them from doing this.
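The Session-Timeout approach from the reply above, as an added example that is not part of the original thread and is not ClearPass code: it computes how many seconds of a 90-day window remain for a MAC-authenticated endpoint, encodes that as the RADIUS Session-Timeout attribute (type 27, 32-bit integer, RFC 2865), and rejects once the window is used up so that an automatic reconnect does not restart access. The per-endpoint `first_auth` timestamp and the function names are assumptions; the timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

SESSION_TIMEOUT = 27                  # RFC 2865 attribute type
ACCESS_WINDOW = timedelta(days=90)    # window the original poster wants


def session_timeout_attr(seconds: int) -> bytes:
    """Encode Session-Timeout as a RADIUS TLV: type, length (6), 32-bit value."""
    if not 0 < seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must be a positive 32-bit integer")
    return struct.pack("!BBI", SESSION_TIMEOUT, 6, seconds)


def decide(first_auth, now, window=ACCESS_WINDOW):
    """Return (verdict, attribute bytes) for a MAC-authenticated endpoint.

    first_auth is a hypothetical stored timestamp of the endpoint's first
    successful MAC authentication; None means no record exists yet.
    """
    if first_auth is None:
        first_auth = now              # first sighting: the window starts now
    remaining = int((first_auth + window - now).total_seconds())
    if remaining <= 0:
        # Window exhausted: reject, otherwise the client just reconnects.
        return "Access-Reject", b""
    # The NAS must honour a server-supplied reauthentication interval.
    return "Access-Accept", session_timeout_attr(remaining)


if __name__ == "__main__":
    first = datetime(2020, 1, 1, tzinfo=timezone.utc)    # constructed sample
    for day in (0, 30, 90, 120):
        verdict, attr = decide(first, first + timedelta(days=day))
        print(day, verdict, attr.hex())
```
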