Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Timeout

  • 1.  Guest Timeout

    Posted Jun 20, 2012 01:49 PM

    We have been facing an issue that may be related to inactivity on the guest network. After a period of time guests are no longer able to communicate with the network. The user still appears in the user table in the correct role; however, they cannot ping anything or browse the web. They can be pinged by the controller. The only way for them to function again is to disconnect from the SSID and connect and authenticate again. This is very troublesome in meetings etc. We have increased the user idle timeout value to 900 but it did not seem to help. I am confused how a laptop that is not hibernating can be sending no traffic that would keep the connection alive. Has anyone else experienced this? It doesn't seem that this should be an expected behavior. I did notice the output below in the user debug output as the last communication from the client.

     

    Jun 20 10:30:46 :501065:  <DBUG> |stm|   Get Next/Get Request mac is 00:1b:77:2c:3b:ff

    Jun 20 10:40:59 :501065:  <DBUG> |stm|   Get Next/Get Request mac is 00:1b:77:2c:3b:ff

    Jun 20 10:51:11 :501065:  <DBUG> |stm|   Get Next/Get Request mac is 00:1b:77:2c:3b:ff

    Jun 20 11:01:23 :501065:  <DBUG> |stm|   Get Next/Get Request mac is 00:1b:77:2c:3b:ff

    Jun 20 11:11:35 :501065:  <DBUG> |stm|   Get Next/Get Request mac is 00:1b:77:2c:3b:ff

     



  • 2.  RE: Guest Timeout

    Posted Jun 20, 2012 02:06 PM

    I would recommend running a 'show datapath session table | include xxxxx'  where xxxx is the mac address or IP address for one of these clients.

     

    This command will show you what traffic is being detected to/from each device.   

     

    I would agree with you that it's pretty -rare- to have a device truly being idle.... this command will show you what is coming and going.

     

    Let's start with that.



  • 3.  RE: Guest Timeout

    Posted Jun 20, 2012 02:46 PM

    Thanks for the input. We have enabled debugging on the user MAC and the output below points to a deauth from the client. TAC is waiting for more output but feels this is when the disconnect occurs. The real question now is why the deauth. Drivers were mentioned; however, this is happening to more than the occasional client and the laptops are new.

     

    (14:26:51): Jun 20 10:22:52 :501105:  <NOTI> |stm|  Deauth from sta: 00:1b:77:2c:3b:ff: AP 172.16.164.7-00:0b:86:38:70:73-BF-B3-Robb Reason Unspecified Failure

    Jun 20 10:22:52 :501065:  <DBUG> |stm|  Sending STA 00:1b:77:2c:3b:ff message to Auth and Mobility Unicast Encr WPA 8021X AES Multicast Encr Dynamic WPA,WPA2 8021X TKIP VLAN 0x4, wmm:0, rsn_cap:0