  • 1.  Session-Timeout CoA Disconnect?

    Posted Jul 31, 2019 10:18 AM

    I'm working on doing a self-sponsored guest registration. I've set the guest account to expire 10m after creation until the account is activated and set the session-timeout to 300s. The session timeout triggers but I can't seem to get a CoA disconnect to be sent so the user falls back to MAC authentication. They just get back the original captive portal role.

     

    What is the best way to trigger this?



  • 2.  RE: Session-Timeout CoA Disconnect?

    Posted Jun 11, 2020 12:22 PM

    Hi, I have the very same issue. I have a v6 controller and ClearPass and am implementing a self-sponsored guest solution.

    Session timeout is sent back to the controller via the ClearPass enforcement policy. After expiry the client is knocked down to the captive portal role but no re-authentication occurs. Configuring reauthentication under the role doesn't have any effect either.

     

    I have also configured registration-role on the captive portal role, which should also enforce a MAC authentication to be generated upon session timeout, but this doesn't work either. I should mention I implemented this for a v8 Aruba customer and it worked fine using registration-role.

     

    I have a TAC case open about this but it isn't progressing anywhere fast. Configuring the reauthentication timers/ registration-role or session timeouts do not result in a mac auth request in any circumstance. Any help appreciated.



  • 3.  RE: Session-Timeout CoA Disconnect?

    Posted Jun 11, 2020 12:25 PM

    Post your configuration and workflow, I might be able to help.

     

    I got it working but I haven't worked on it for a long time. (I did it a different way)



  • 4.  RE: Session-Timeout CoA Disconnect?

    Posted Jun 11, 2020 12:39 PM

    Hi,

     

    Basically a user creates an account with an expiration of 5 minutes (initially). That generates an auth request which receives the following attributes from ClearPass.

     

    Role = Preauth_role

    Session-timeout = 300

    Termination-action = Radius-request (1)

     

    They receive an email to sponsor themselves and extend that to 7 days.

     

    After the session times out a new mac-auth request should be seen which verifies that the user has sponsored themselves, and ClearPass responds with a different role. However, that mac-auth is not happening; instead, after the timeout the client just drops back to the captive portal role and doesn't attempt a mac-auth request. I would also expect a reauthentication to occur when the user drops back to the captive portal role because of the registration-role parameter that is configured; this also doesn't work.

     

    I think I might confuse things by copying my entire captive portal ClearPass/controller config in. Everything is working except the reauthentication which should happen after the radius attributes above are sent to the controller.

     

    I'd be interested to know how you got it to work differently?
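
Added example, not part of the thread or any poster's configuration: a check that a captured Access-Accept really carries the Session-Timeout and Termination-Action values listed in post 4, using the attribute numbers from RFC 2865. The function names and the sample packet are constructed for illustration; the vendor-specific role attribute is not interpreted and the Response Authenticator is not verified.

```python
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
SESSION_TIMEOUT = 27     # RFC 2865: 32-bit seconds
TERMINATION_ACTION = 29  # RFC 2865: 0 = Default, 1 = RADIUS-Request

def parse_attributes(packet: bytes):
    """Return (code, {attr_type: [raw value, ...]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the capture")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def check_accept(packet: bytes):
    """Return (session_timeout, termination_action, findings)."""
    code, attrs = parse_attributes(packet)
    findings, values = [], {}
    if code != ACCESS_ACCEPT:
        findings.append(f"packet code {code} is not Access-Accept")
    for a_type, name in ((SESSION_TIMEOUT, "Session-Timeout"),
                         (TERMINATION_ACTION, "Termination-Action")):
        raw = attrs.get(a_type, [])
        if len(raw) == 1 and len(raw[0]) == 4:
            values[a_type] = int.from_bytes(raw[0], "big")
        else:
            findings.append(f"{name} absent, repeated or not 4 bytes")
    if values.get(TERMINATION_ACTION, 1) != 1:
        findings.append("Termination-Action is not RADIUS-Request (1)")
    return values.get(SESSION_TIMEOUT), values.get(TERMINATION_ACTION), findings

def build_sample(attrs):
    """Constructed test packet; zero authenticator, so it is not verifiable."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    good = build_sample([(SESSION_TIMEOUT, (300).to_bytes(4, "big")),
                         (TERMINATION_ACTION, (1).to_bytes(4, "big"))])
    print(check_accept(good))  # (300, 1, [])
```

An empty findings list only shows that the server sent the attributes; whether the controller acts on them at timeout has to be confirmed on the controller side.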