Security

We have a fairly standard Clearpass Guest configuration and 10 IAPs.

Captive portal guest authentication works very well but we are having a real problem with sessions seemingly being dropped after relatively short periods of inactivity. Guests come to our site, get a login (either created manually or self-registration with sponsor approval), and get their iphone or ipad online. But when they put their device down for 10-15 minutes and come back to it, they find  there is no longer a connection.

Often they either have to select the wireless network again from scratch, and/or type in their clearpass login (or, if they didn't make a note of their password, go through the self-registration process again).

I'm aware some of this depends on the device (iOS has auto-connect and auto-login settings for wireless networks that require authentication) but even with those options selected, the process is far from reliable.

Simple question, is this a basic limitation of captive portal guest authentication in general, or should the user experience be better? Ideally, if we assign a guest account valid for 8 hours, we'd like the device to be seamlessly connectable for roughly that period - even if the device is not contantly is use.

Is there anything I can adjust on the Instant APs or clearpass to improve things?

Is this only happening to certain devices or it happens to everybody ?

Have you changed the reauth interval ?

Is also possible that it an issue on a particular IAP OS according to this thread:

http://community.arubanetworks.com/t5/Access-Points-and-Mesh-Routers/Captive-Portal-issue/td-p/29062/page/2

What IAP OS do you have installed ?

If you have the latest OS then I suggest you open a TAC case

That setting will definitely help but also consider doing MAC-auth as well which ClearPass can link to the guest registration.

Thank you both for your replies and advice.

After some more experimentation I think I may have found a cause of the problem.

We have a preauthentication role for guests that is limited to http and https access to the Clearpass IP only.

Once authenticated the client falls into a "Guest" role that completely locks them out of all IP ranges used internally. Critically, this included the Clearpass device itself.

I've just added a new rule above at the top of the access list, allowing traffic to Clearpass. Clients now seem to keep their connection, even if the device is not used for a while.

Contary to my last post on this, I'm not confident this was the cause of the problem. We are still seeing wireless guest users losing their sessions after relatively short periods of inactivity and being redirected to captive portal to login again.

Found this similar problem on an older version of Clearpass 3.9.

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Default-Session-Timeout-Option/td-p/51364

The solution talks about "MAC caching". In 6.2 this options looks a bit more complicated.

Can anyone advise whether MAC caching is likley to be useful in stopping sessions from timing out? And if so, how best to do it?