Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Captive Portal Reauthentication Timer

This thread has been viewed 18 times

  • 1.  Captive Portal Reauthentication Timer

    Posted Jan 13, 2014 01:29 PM

    I have setup a captive portal using LDAP, I have everything working just fine for logins and gaining access to the web. My question is with setting a timer so a user only has to Authenticate once a day. Right now everytime a user gets disconnected from the network due to moving around and or shutting down thier device they have to reauthenticate everytime. I have tried almost every setting with not luck and now i'm looking for help.

     

    I have tweaked all these with no luck 

     

    User Idle Timeout

    Logon User Lifetime (min)

    Re-authentication Interval

     

    Model : Aruba 7210-US

    Version: 6.3.0.1



  • 2.  RE: Captive Portal Reauthentication Timer

    Posted Jan 13, 2014 04:01 PM

     

    Are you using ClearPass guest or the controller captive portal?



  • 3.  RE: Captive Portal Reauthentication Timer

    Posted Jan 13, 2014 04:15 PM

    I'm using the built in CP from the controller. 



  • 4.  RE: Captive Portal Reauthentication Timer

    Posted Jan 14, 2014 09:45 AM

     

     

    What's current value on the user idle timeout ? This should help you out

     

    show aaa timers

     

    Are clients roaming to another controller ?

     



  • 5.  RE: Captive Portal Reauthentication Timer

    EMPLOYEE
    Posted Jan 14, 2014 09:58 AM

    Unfortunately without using some type of MAC caching, a device that disconnects and then ages out of the user-table will always go into the initial-role which will require authentication.



  • 6.  RE: Captive Portal Reauthentication Timer

    Posted Mar 02, 2015 12:09 PM

    Are the aaa timers global settings?

    For a specific VAP/SSID with captive portal I need 24hrs without reauthentication, but with these "aaa timers" it is impossible.

     

    Are there issues for 255min (the maximum) for logon-lifetime?



  • 7.  RE: Captive Portal Reauthentication Timer

    EMPLOYEE
    Posted Mar 02, 2015 04:50 PM

    The AAA timer is global, so you should not touch that.  If you need to have a client reauthenticate less, you should use the Captive Portal user-idle-timeout parameter in the Captive Portal Authentication Profile:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_authentication_captive.htm

     

    " Valid range is 30-15300 in multiples of 30 seconds. Enabling this option overrides the global settings configured in the AAA timers. If this is disabled, the global settings are used"



  • 8.  RE: Captive Portal Reauthentication Timer

    Posted Mar 03, 2015 09:30 AM

    Thank you Colin.

    Our version is 6.1 and the user-idle-timeout parameter is 6.3. We have the memory limitation of 3200.

    We have 3 VAPs (2 802.1x/EAP-TLS and 1 Captive portal) on a 1 master/4 local controllers configuration.

    What are the issues if I set global user-idle-timeout to 15300?



  • 9.  RE: Captive Portal Reauthentication Timer

    EMPLOYEE
    Posted Mar 03, 2015 09:52 AM
    Increasing the global timer means that users will be in the user table long after they have already left. This will give you an inflated count of the number of users that are really on your network.