When implementing a Captive Portal solution with an Aruba Instant Access Point (IAP), you might want to limit how long clients are allowed to access the wireless network and have users log in again after the session has timed out.
If you are using an external RADIUS server such as FreeRADIUS or Microsoft IAS for authentication, you can set the Session-Timeout attribute and return the value in the RADIUS Access-Accept message. The internal RADIUS server instance does not support this attribute.
Definition of Session-Timeout, extracted from RFC 2865:

   Session-Timeout

   Description

      This Attribute sets the maximum number of seconds of service to be
      provided to the user before termination of the session or prompt.
      This Attribute is available to be sent by the server to the client
      in an Access-Accept or Access-Challenge.

   A summary of the Session-Timeout Attribute format is shown below.
   The fields are transmitted from left to right.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |             Value
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
              Value (cont)         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type

      27 for Session-Timeout.

   Length

      6

   Value

      The field is 4 octets, containing a 32-bit unsigned integer with
      the maximum number of seconds this user should be allowed to
      remain connected by the NAS.
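To confirm from a packet capture that the RADIUS server really returns the attribute, the layout above can be decoded directly. The following Python sketch is an added example, not part of the original article or of any Aruba tooling; the function names are hypothetical and the sample packet is constructed (zeroed authenticator), not a real capture.

```python
import struct

SESSION_TIMEOUT = 27  # attribute Type from the RFC 2865 definition above
ACCESS_ACCEPT = 2     # RADIUS packet code for Access-Accept (RFC 2865)
HEADER_LEN = 20       # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute in a RADIUS packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    total = struct.unpack("!H", packet[2:4])[0]
    if total < HEADER_LEN or total > len(packet):
        raise ValueError("bad RADIUS Length field")
    pos = HEADER_LEN
    while pos < total:
        if total - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > total:
            raise ValueError("bad attribute length")
        yield a_type, packet[pos + 2:pos + a_len]
        pos += a_len


def session_timeout(packet: bytes):
    """Return Session-Timeout in seconds, or None if the attribute is absent."""
    for a_type, value in iter_attributes(packet):
        if a_type == SESSION_TIMEOUT:
            if len(value) != 4:  # Length must be 6: 2 header octets + 4 value octets
                raise ValueError("Session-Timeout must have Length 6")
            return struct.unpack("!I", value)[0]  # 32-bit unsigned, network order
    return None


def build_sample(attrs: bytes, code: int = ACCESS_ACCEPT) -> bytes:
    """Constructed test packet with a zeroed authenticator (not a real capture)."""
    length = HEADER_LEN + len(attrs)
    return struct.pack("!BBH", code, 1, length) + bytes(16) + attrs


# Constructed attributes: Service-Type = Framed-User (type 6, value 2)
# followed by Session-Timeout = 3600 (type 27, length 6).
SAMPLE_ATTRS = bytes([6, 6, 0, 0, 0, 2]) + bytes([27, 6]) + struct.pack("!I", 3600)
SAMPLE_ACCEPT = build_sample(SAMPLE_ATTRS)

if __name__ == "__main__":
    print("Session-Timeout:", session_timeout(SAMPLE_ACCEPT))
```

If the function returns None for the Access-Accept sent to the IAP, the attribute is missing on the server side rather than being dropped by the access point.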
Environment: IAP-105 running 6.1.3.4-3.1.0.1
No specific configuration is needed on the Instant Access Point (IAP). This attribute is configured on your RADIUS server.
Example:
The following configuration excerpt sets the session timeout to 3600 seconds. Note that this example should be used for lab verification only. More complex and secure encryption needs to be implemented in a production environment.
# Session-Timeout = 3600 sets the session timeout to 3600 seconds
user1   Cleartext-Password := "password"
        Service-Type = Framed-User,
        Session-Timeout = 3600,
        Framed-Protocol = PPP,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobsen-TCP-IP
Once the session timer has expired, the user is presented with the Captive Portal splash page again in the browser.
The first thing to do is to make sure that the attribute is configured on the RADIUS server. If you believe that it is configured correctly, enable Terminal Access on the IAP, Telnet or SSH to the IAP, and run the following command to verify that the value is correctly bound to the user.
Example: Check the value under the Session Timeout column.
d8:c7:c8:ww:yy:xx# show client debug
Client List
-----------
Name IP Address MAC Address OS Network Access Point Channel Type Role Signal Speed (mbps) Auth Age Session Timeout ESSID Authenticated DEL Last Update Vlan Essid Acl Accouting Session Name Accouting Start time BSSID Idle Timeout
---- ---------- ----------- -- ------- ------------ ------- ---- ---- ------ ------------ -------- --------------- ----- ------------- --- ----------- ---- ----- --- ---------------------- -------------------- ----- ------------
user1 192.168.11.227 24:77:03:d1:1b:a0 Linux Guest-Access d8:c7:c8:ww:yy:xx 149+ AN Guest-Access 58(good) 6(poor) 46 3600 Guest-Access yes no 2h:45m:2s 3333(SSID) Guest-Access(N/A) 134(RADIUS-ffff) user1