Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Change timeout or authentication method

  • 1.  Change timeout or authentication method

    Posted Jun 11, 2013 03:26 AM

    Hi.

     

    I have a solution where guests are presented with a controller-based captive portal (AOS 6.1.3.8). These guests (or at least a small number of end points) should not have to reauthenticate after being idle for 255 minutes.

     

    I cannot set the timer higher than 255 minutes. I can use MAC authentication and fail-through to captive portal, but the customer is not willing to update MAC tables as these end points change at least once a year.

     

    Will CPPM give the customer the opportunity to update the MAC table with certain guest logins, or am I missing another way to do this?



  • 2.  RE: Change timeout or authentication method

    Posted Jun 11, 2013 05:08 AM

    Set the user idle timeout value.

    The value of this field is in minutes. To prevent the user from timing out, set the value of this field to 0.
    The user idle timeout is the time in minutes for which the switch maintains state of an unresponsive client. If the client does not respond back to the switch within this time, the switch deletes the state of the user. The user will have to re-authenticate to gain access once the user state has been deleted. Set the value of the user idle timeout. The value of this field is in minutes.



  • 3.  RE: Change timeout or authentication method



  • 4.  RE: Change timeout or authentication method

    Posted Jun 11, 2013 06:18 AM

    According to the CRG, the value of the parameter idle-timeout is between 1-15300 (seconds).

     

    AAA timers idle-timeout <1-15300>

     

    Unfortunately, I am unable to test this today, but I will test it tomorrow and give info back.



  • 5.  RE: Change timeout or authentication method

    Posted Jun 11, 2013 07:10 AM

    Tested and not possible.

     

    Output from CLI:

    (aruba3400) (config) #show aaa timers

    User idle timeout = 15300 seconds

    Auth Server dead time = 10 minutes

    Logon user lifetime = 5 minutes

    User Interim stats frequency = 300 seconds

    (aruba3400) (config) #aaa timers idle-timeout 0

                                                  ^

    % Invalid input detected at '^' marker.

    (aruba3400) (config) #aaa timers idle-timeout 0 seconds

                                                  ^

    % Invalid input detected at '^' marker.

    (aruba3400) (config) #no aaa timers idle-timeout 15300

    (aruba3400) (config) #show aaa timers

    User idle timeout = 300 seconds

    Auth Server dead time = 10 minutes

    Logon user lifetime = 5 minutes

    User Interim stats frequency = 300 seconds

    (aruba3400) (config) #aaa timers idle-timeout 15300 seconds

     

    So it is not possible to set the idle-timeout to 0; if deleted using no aaa timers, the value is set to the default 300 seconds.

     

    Any other suggestions?



  • 6.  RE: Change timeout or authentication method

    Posted Sep 17, 2013 08:08 AM

    Same problem. How can I increase the time, or use 0 to disable?