Hello,
Do Aruba Mobility controllers not honor session-timeout attributes returned from CPPM when successfully authenticated via MAC Auth?
Here is my scenario. First, I authenticate via web auth, and I have an enforcement profile set to return a RADIUS attribute session-timeout value of 60 seconds. When running the "show user" command on my controller, I can see "reauth: 60", and after 60 seconds my wireless device reauths.
Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=1, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: employee, role-how: 7, L2-role: clearpass-portal-logon, L3-role: employee
Essid: Organization, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:doej58671ADBC442-199
RadAcct Traffic In 412/107593 Out 355/159220 (0:412/0:0:1:42057,0:355/0:0:2:28148)
Timers: ping_reply 0, spoof reply 0, reauth 277653068
Profiles AAA:Organization-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376519708 (Wed Aug 14 18:35:08 2013)
Core User Born: 1376519706 (Wed Aug 14 18:35:06 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5
At this point my wireless device tries to reauth using MAC auth. My enforcement profile for this is also set to return session-timeout, but instead, you can see the "show user" command lists the value I originally assigned to my employee role on my controller (700 minutes, where it shows "reauth: 42000" below).
Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: Aruba VSA
VLAN Derivation: unknown
Idle timeouts: 0, ICMP requests sent: 0, replies received: 0, Valid ARP: 0
Mobility state: Wireless, HA: Yes, Proxy ARP: No, Roaming: No Tunnel ID: 0 L3 Mob: 0
Flags: internal=0, trusted_ap=0, l3auth=0, mba=1
Flags: innerip=0, outerip=0, guest=0, download=1, nodatapath=0, wispr=0
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
Vlan default: 128, Assigned: 0, Current: 128 vlan-how: 0 DP assigned vlan:0
Mobility Messages: L2=0, Move=0, Inter=0, Intra=0, ProxyArp=0, Flags=0x0
Tunnel=0, SlotPort=0xfc0, Port=0x1209 (tunnel 393)
Role assigment - L3 assigned role: n/a, VPN role: n/a, Dot1x cached role : n/a
Current Role name: employee, role-how: 7, L2-role: employee, L3-role: employee
Essid: Trinity, Bssid: 00:24:6c:04:66:21 AP name/group: MN-B20-WAP/Campus Wireless Phy-type: g-HT
RadAcct sessionID:58671adb58671ADBC442-1CF
RadAcct Traffic In 63/19489 Out 53/11289 (0:63/0:0:0:19489,0:53/0:0:0:11289)
Timers: ping_reply 0, spoof reply 0, reauth 279180852
Profiles AAA:Trinity-AAA, dot1x:, mac:default CP: def-role:'clearpass-portal-logon' sip-role:'' via-auth-profile:''
ncfg flags udr 0, mac 1, dot1x 0, RADIUS interim accounting 1
IP Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Core User Born: 1376520861 (Wed Aug 14 18:54:21 2013)
Upstream AP ID: 0, Downstream AP ID: 0
DHCP assigned IP address 10.0.128.19, from DHCP server 0.0.0.0
Device Type: Mozilla/5.0 (Linux; Android 4.2.2; BN Nook HD Build/JDQ39E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.94 Safari/5
Thanks in advance.
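An added example, not part of the original post: a Python check that parses "show user" output and lists the sessions whose "reauth:" value equals the role's own setting (42000 in the post), which is how the second output differs from the first. The function names are hypothetical, and the sample input is excerpted from the two outputs above.

```python
import re

# Excerpt of the two "show user" outputs in the post: only the lines that
# carry the fields this check reads, plus the Timers line as a decoy.
SAMPLE = """\
Name: doej, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: Web, protocol: PAP, server: ClearPass
Auth fails: 0, phy_type: g-HT, reauth: 60, BW Contract: up:0 down:0, user-how: 1
Timers: ping_reply 0, spoof reply 0, reauth 277653068
Name: 58671adbc442, IP: 10.0.128.19, MAC: 58:67:1a:db:c4:42, Role:employee, ACL:57/0, Age: 00:00:00
Authentication: Yes, status: started, method: MAC, protocol: PAP, server: ClearPass
Auth fails: 0, phy_type: g-HT, reauth: 42000, BW Contract: up:0 down:0, user-how: 1
Timers: ping_reply 0, spoof reply 0, reauth 279180852
"""

FIELDS = {
    "name": re.compile(r"^Name: ([^,]+),"),
    "mac": re.compile(r"\bMAC: ([0-9A-Fa-f:]{17})"),
    "method": re.compile(r"\bmethod: (\w+)"),
    # "reauth: N" is the value the post compares; the Timers line
    # ("reauth N", no colon) does not match this pattern.
    "reauth": re.compile(r"\breauth: (\d+)"),
}

def parse_show_user(text):
    """Split the output into one dict per client; a 'Name:' line starts a record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            records.append({})
        if not records:
            continue  # ignore anything before the first record
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                records[-1].setdefault(key, m.group(1))
    return records

def on_role_default(records, role_reauth):
    """Sessions whose reauth value equals the role's own setting."""
    return [(r.get("name"), r.get("mac"), r.get("method"), int(r["reauth"]))
            for r in records
            if "reauth" in r and int(r["reauth"]) == role_reauth]

if __name__ == "__main__":
    for hit in on_role_default(parse_show_user(SAMPLE), 42000):
        print("role default in effect:", hit)
```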