  • 1.  ClearPass Radius Reauth Timer with Aruba MDs

    Posted Aug 18, 2021 09:47 AM
    Edited by ccalhoun Aug 18, 2021 10:52 AM
    Having some challenges with something I thought originally worked when I implemented ClearPass with Aruba Wireless. I am noticing that our wireless devices doing 802.1x are not reauthing and sending the reauth requests to ClearPass and I am not getting accounting data for the reauths from each session.

    I currently have our ClearPass profile attributes set as follows for our different profiles (300 seconds for testing, normally 3600s).


    In the MDs under the clients authenticating I am seeing the Dot1x session parameters being set by the pushed attributes.


    Can anyone tell me what I might be missing here causing the clients to not follow the reauth timers?

    Thanks!
    Chris

    ------------------------------
    Christopher Calhoun
    ------------------------------


  • 2.  RE: ClearPass Radius Reauth Timer with Aruba MDs

    Posted Aug 19, 2021 05:26 PM
    Could you test Terminate-Action set to "Default (0)"?
    https://datatracker.ietf.org/doc/html/rfc3580#page-12 

    I suspect the Session-Timeout with Terminate-Action as "RADIUS-Request (1)" reauthenticates the clients without disassociating the client, which could result in no accounting-stop and a new start for re-authentication.

    Client re-auth followed by Session-Timeout may continue with the ongoing accounting session. All the re-auths may be sending interim-updates under the same Accounting Session ID (if the interim update is enabled). Check the client session under ClearPass >> Live Monitoring >> Accounting; the active accounting session of the client will record all the re-auth requests (RADIUS auth session-ids) in there.



    ------------------------------
    Saravanan Rajagopal
    ------------------------------



  • 3.  RE: ClearPass Radius Reauth Timer with Aruba MDs

    Posted Aug 20, 2021 11:20 AM
    Saravanan,

    I have tested both Default (0) and the Radius-Request (1). Neither seems to be doing anything at the end of the timer period. Of course we can't drop clients completely and will want to use the graceful reauth, but neither seems to be working on 8.7.1.1 code.

    Here is an authed session at (11:00AM) with Default (0) set and a 300 second timer.


    Session Tracker Entry: 


    Session Radius Attribs:


    As of 11:16 there are no Accounting updates or Reauths from the client after refreshing:





    ------------------------------
    Christopher Calhoun
    ------------------------------



  • 4.  RE: ClearPass Radius Reauth Timer with Aruba MDs

    Posted Aug 23, 2021 10:48 AM
    Please open a TAC case to get this investigated. A few remarks:
    - The Session-Timeout is enforced at the controller, not at the client. The controller will initiate a re-authentication to the client when the session-timeout expires.
    - By default on the controller, the RADIUS server supplied Session-timeout (reauthentication interval) is ignored; you need to enable that setting in the AAA Authentication profile.

    - I don't return the Termination-Action, just the Session-timeout. Not even sure what the Termination action does, but I seem never to have needed it.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------