Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to disconnect users automatically ?

  • 1.  How to disconnect users automatically ?

    Posted Nov 21, 2013 08:38 PM

    Dear ,

     

    I'm using Aruba650 (6.3.0.1) + ClearPass (6.2.3.57998) for portal authentication.

    The initial logon role is guest-logon, and my question is how to disconnect these devices or users automatically?

     

    For example: when a device or user has been pending on the connection in the guest-logon role for more than 5 mins, it will be kicked off the controller.

     

    (like a scheduled task that runs the command line "aaa user delete role guest-logon" every 5 mins)

     

    Please advise me.

     




  • 2.  RE: How to disconnect users automatically ?

    Posted Nov 21, 2013 10:40 PM

    First question is why? What are you trying to accomplish by kicking off users that haven't logged in? If they are not doing anything they will not know they have been booted from the controller, and if they are trying to log in at that 5-minute mark then they will have to try to re-login. If the device is in someone's pocket, book bag, desk or wherever it's not being used, then the device will automatically reconnect and then you are back to square one.



  • 3.  RE: How to disconnect users automatically ?

    Posted Nov 24, 2013 09:38 PM

    Because SES-Guest is an open SSID for guests. By default, all network connections are set to obtain IP addresses automatically.
    Normally, a guest can finish the logon process in a certain period (5 mins or 10 mins), and after authentication is accepted, the user role will be set from "guest-logon" to "guest".

     

    So only in the following cases will the user be disconnected:
    1. Authorized devices that have been connected before but are not being used at the moment.
    2. Unauthorized devices trying to connect to SES-Guest but unable to pass the Web-Authorization.
    (We have only specified a C segment (192.168.x.x) for the guest network, resulting in a hypothetical situation: if enough devices with malicious intent connect as "guest-logon", it will cause DHCP exhaustion.)

     

    And my thinking is to refer to the "Age" column to kick users off rather than run the command line "aaa user delete role guest-logon" at a certain interval (30 mins or 1 hour). <-- It could also show the administrator a list of currently active users.

     

    So the polling of connect & disconnect is acceptable.
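
Added example (not part of the original thread, and not Aruba's or the posters' code): the Age-based selection described in post 3, written in Python over constructed user-table rows. The column layout (IP, MAC, name, role, Age as d:h:m) and the per-address command form `aaa user delete <ip>` are assumptions; the thread itself only shows the role-wide command.

```python
import re

# Constructed sample rows, not captured controller output. Assumed columns:
# IP, MAC, name, role, Age (d:h:m).
SAMPLE = """\
IP             MAC                Name   Role         Age(d:h:m)
192.168.10.21  aa:bb:cc:00:00:01  -      guest-logon  00:00:07
192.168.10.22  aa:bb:cc:00:00:02  alice  guest        00:01:12
192.168.10.23  aa:bb:cc:00:00:03  -      guest-logon  00:00:03
192.168.10.24  aa:bb:cc:00:00:04  -      guest-logon  01:02:00
"""

ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<name>\S+)\s+(?P<role>\S+)\s+"
    r"(?P<d>\d+):(?P<h>\d+):(?P<m>\d+)\s*$",
    re.IGNORECASE,
)

def age_minutes(days, hours, minutes):
    return (int(days) * 24 + int(hours)) * 60 + int(minutes)

def stale_sessions(table, role="guest-logon", max_age_min=5):
    """Return (ip, mac, age_min) for clients stuck in `role` past the limit."""
    stale = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue  # header, separator or malformed row
        age = age_minutes(m["d"], m["h"], m["m"])
        if m["role"] == role and age > max_age_min:
            stale.append((m["ip"], m["mac"], age))
    return stale

def delete_commands(table, role="guest-logon", max_age_min=5):
    # Assumed per-address command form; the thread only shows the role-wide one.
    return [f"aaa user delete {ip}"
            for ip, _mac, _age in stale_sessions(table, role, max_age_min)]

if __name__ == "__main__":
    for ip, mac, age in stale_sessions(SAMPLE):
        print(f"{ip} {mac} pending {age} min")
    print("\n".join(delete_commands(SAMPLE)))
```

Selecting by age leaves a client that is still inside the login window (the 3-minute row above) untouched, which a periodic role-wide delete would not.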