How to configure the Radius session timeout with Aruba Instant Captive Portal?

Aruba Employee
Aruba Employee

When implementing the Captive Portal solution with Aruba Instant Access Point (IAP), you might want to set the duration for which the clients are allow to access the wireless network and have the  users to re-login after the session has timing out.


If you are using external Radius servers such as Freeradius, Microsoft IAS for authentication, you could set the session-timeout attribute and return the value in the Radius Accept message. The Internal Radius server instance does not support this attribute.



Definition of the Session-Timeout extracted from RFC 2865



      This Attribute sets the maximum number of seconds of service to be
      provided to the user before termination of the session or prompt.
      This Attribute is available to be sent by the server to the client
      in an Access-Accept or Access-Challenge.

   A summary of the Session-Timeout Attribute format is shown below.
   The fields are transmitted from left to right.


0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   |     Type      |    Length     |             Value
              Value (cont)         |


      27 for Session-Timeout.





The field is 4 octets, containing a 32-bit unsigned integer with
      the maximum number of seconds this user should be allowed to
      remain connected by the NAS.


Environment : IAP-105 running



No specific configuration is needed on the Instant Access Point (IAP). This attribute is configured on your Radius server.


The following configuration excerpt show the session timeout to set 3600 seconds. Note that, this example should only be used for lab verification only. More complex and secure encryption need to be implemented in production environment.

user1   Cleartext-Password := "password"
        Service-Type = Framed-User,
        Session-timeout=3600,  -------------------------> This set the session timeout to 3600 seconds
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP



Once the session timer had timeout, the user will be presented with the Captive Portal splash page again in the browser.



The first thing to do is to make sure that the attribute is configured in the Radius server. If you believe that it is configured correctly, Enable the Terminal Access on the IAP, Telnet or SSH to the IAP and run the following command to verify that the value is correctly bind to the user.

Example: Check the value under the Session Timeout column.

d8:c7:c8:ww:yy:xx# show client debug

Client List
Name    IP Address      MAC Address        OS     Network       Access Point       Channel  Type  Role          Signal    Speed (mbps)  Auth Age  Session Timeout  ESSID         Authenticated  DEL  Last Update  Vlan        Essid              Acl               Accouting Session Name  Accouting Start time  BSSID              Idle Timeout
----    ----------      -----------        --     -------       ------------       -------  ----  ----          ------    ------------  --------  ---------------  -----         -------------  ---  -----------  ----        -----              ---               ----------------------  --------------------  -----              ------------
user1  24:77:03:d1:1b:a0  Linux  Guest-Access  d8:c7:c8:ww:yy:xx  149+     AN    Guest-Access  58(good)  6(poor)       46        3600               Guest-Access  yes            no   2h:45m:2s    3333(SSID)  Guest-Access(N/A)  134(RADIUS-ffff)  user1

Version history
Revision #:
1 of 1
Last update:
‎07-02-2014 02:25 PM
Updated by:
Labels (1)
Tags (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: