Contributor II

Guest provisioning and radius

Hi,

 

We set up guest access with an external Radius server on 8.0.3 controllers (without ClearPass).

As shown in the screen capture, the time option may be used to limit the guest "Internet time".

2 questions:

- Is there any way to check the remaining connection time on the controller (show ?)

- What should be the corresponding radius attributes for start/end session time?

 

Regards,

Guru Elite

Re: Guest provisioning and radius

If you set up radius interim accounting on the controller, the accounting records that say how long the user is online and how much data has been consumed would be sent to the radius server periodically (every 5 minutes is the lowest interval, I believe). Your radius server would need a way to process that data and send a COA to the controller to change the user's status if the time is exceeded. ClearPass does this, and to enforce user limits, your radius server would need to do that.

 

The controller itself cannot check on remaining time, but it can show you how long the user has connected/authenticated.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor II

Re: Guest provisioning and radius

Hi,

 

Thanks for the answer.

So you mean that it is our work to change an external directory user state (accessed by radius). That is quite logical.

But considering this, 3 questions:

1 - If we can do such state changes, is the controller frequently contacting the radius server to check if the user is still enabled? If so, could we adjust the check frequency?

2 - When setting up a basic captive portal with the internal db, it seems that we can set begin and end session time (as shown on the first screen capture). It makes us think that the controller can let packets pass considering such attributes (right?)

If so, what would be their names? If we could set similar external radius attributes, the controller should be capable of using them in the same way?

3 - Last (sorry), what about the classic session-time that we can find in several radius configs? Does the controller respect such attribute values? We understand that this will NOT make the user unavailable after the session time ends, but is the session really kicked off after session-time?

 

Regards,

Guru Elite

Re: Guest provisioning and radius

1.  The controller would rely on the radius server to send either an "idle-Timeout" attribute that would automatically disconnect the user after the time (the controller would need to be configured to expect that - very few people do this).  You can alternatively set in the user role an idle-timeout parameter to re-check the user credentials (nobody does this).  Or the radius server will send a COA to the user when the radius believes the data or time limit was exceeded.

 

2.  You can only do that for the internal user database.  External databases are not supported for that.

 

3.  You can send an idle-timeout radius parameter, but the controller would need to be configured to expect such a parameter from the radius server (nobody does this).

Again, the best way to do this is with ClearPass or another policy server that is designed to make it easy on the administrator to do such things.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
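
Added example, not part of either poster's replies and not Aruba or ClearPass code: a sketch of the server-side logic the answers describe, where interim accounting records are totalled per guest and a dynamic-authorization message is built once the time limit is reached. It uses an RFC 5176 Disconnect-Request (one of the messages commonly grouped under "CoA") rather than a CoA-Request that changes the user's role. Assumptions: the record field names, the sample data, the limits and the shared secret are constructed, and identifying the session by User-Name plus Acct-Session-Id is an assumption about what the controller accepts.

```python
import hashlib
import struct

DISCONNECT_REQUEST = 40              # RFC 5176 packet code
USER_NAME, ACCT_SESSION_ID = 1, 44   # RFC 2865 / RFC 2866 attribute types

# Constructed accounting records, oldest first (field names are hypothetical).
RECORDS = [
    {"user": "guest1", "session": "A1", "status": "Interim-Update", "session_time": 300},
    {"user": "guest1", "session": "A1", "status": "Stop", "session_time": 1500},
    {"user": "guest1", "session": "A2", "status": "Interim-Update", "session_time": 2400},
    {"user": "guest2", "session": "B1", "status": "Interim-Update", "session_time": 600},
]
LIMITS = {"guest1": 3600, "guest2": 3600}   # allowed seconds per guest (constructed)

def latest_per_session(records):
    """Acct-Session-Time is cumulative per session: keep the newest record."""
    latest = {}
    for rec in records:
        latest[(rec["user"], rec["session"])] = rec
    return latest

def used_seconds(records):
    """Total online time per user, summed over that user's sessions."""
    totals = {}
    for (user, _), rec in latest_per_session(records).items():
        totals[user] = totals.get(user, 0) + rec["session_time"]
    return totals

def sessions_to_disconnect(records, limits):
    """Still-open sessions (no Stop seen) of users at or over their limit."""
    totals = used_seconds(records)
    return sorted(
        key for key, rec in latest_per_session(records).items()
        if rec["status"] != "Stop" and key[0] in limits and totals[key[0]] >= limits[key[0]]
    )

def _attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def disconnect_request(identifier, user, session, secret):
    """Build a Disconnect-Request; authenticator computed as for accounting."""
    attrs = _attr(USER_NAME, user.encode()) + _attr(ACCT_SESSION_ID, session.encode())
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs
```

Because interim updates arrive only at the configured interval, a guest can overrun the limit by up to one interval before the server notices; sending the packet to the controller is left out here.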