Frequent Contributor I

Re: Logon user lifetime - not just for logon role?

I don't want to hijack this thread but was wondering if a solution was found for guests sitting in the initial role.  I have hundreds of IPs consumed with users camping in the initial role and never authenticating as well.


Thanks

Regular Contributor I

Re: Logon user lifetime - not just for logon role?

What we and the original poster are trying to do is keep users stuck in the logon role from using/wasting IP addresses from the DHCP scope.  Sometimes we even have 70+ users stuck in this role and using IP addresses.


I've tested the logon-lifetime setting and it doesn't seem to kick users off.  The idle timeout does work, but only when the user doesn't ping anymore.  So this issue would still be present if the user is responding, but not authenticating.

What we need is a better way of kicking users off from the logon role so they don't use up IP addresses.

Aruba Employee

Re: Logon user lifetime - not just for logon role?

Well this is actually a conversation that has come over from the S3500 side of things, so hopefully it is still relevant.

So far the logon lifetime timer being set to 1 min is working for us.

What Brandeis is trying to accomplish is to have a user in a MAC auth profile re-attempt authentication every min after a failure. Why? Because we have a device registration server that uses a captive portal to register the user's MAC addr. Once the registration is successful the user needs to have the role changed. When a user is in the default role for the aaa profile the re-auth timer won't trigger.

What I have seen is that this DOES work. (we are on AOS 7.1.1 (mobility switch))
Feb 14 12:11:36 :522005: <INFO> |authmgr| MAC=00:24:e8:a9:55:6a IP=10.64.129.105 User entry deleted: reason=logon role lifetime reached
Feb 14 12:12:36 :522005: <INFO> |authmgr| MAC=00:24:e8:a9:55:6a IP=10.64.129.105 User entry deleted: reason=logon role lifetime reached

That user was not in the logon role but a default role from the aaa profile.

Here is a time diagram of what happens.

Client registration.jpg
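
An added example, not code from any poster in this thread or from Aruba: a Python parser for the authmgr 522005 lines quoted above that counts "logon role lifetime reached" deletions per MAC, to list clients that keep cycling through the initial role without authenticating and the IP addresses they hold. The function names, the `min_expiries` threshold, the assumed year and every sample line after the first two are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# authmgr message 522005 in the format quoted in the post above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) :522005: <INFO> \|authmgr\| "
    r"MAC=(?P<mac>[0-9a-f:]{17}) IP=(?P<ip>\S+) "
    r"User entry deleted: reason=(?P<reason>.+)$", re.IGNORECASE)
LIFETIME_REASON = "logon role lifetime reached"

def parse_deletions(lines, year=2000):
    """Yield (time, mac, ip, reason); syslog has no year, so `year` is assumed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["mac"].lower(), m["ip"], m["reason"].strip()

def campers(lines, min_expiries=3, year=2000):
    """Clients whose entry was removed by the logon lifetime >= min_expiries times."""
    seen = defaultdict(lambda: {"ips": set(), "times": []})
    for ts, mac, ip, reason in parse_deletions(lines, year):
        if reason == LIFETIME_REASON:
            seen[mac]["ips"].add(ip)
            seen[mac]["times"].append(ts)
    report = {}
    for mac, rec in seen.items():
        if len(rec["times"]) >= min_expiries:
            times = sorted(rec["times"])
            report[mac] = {"ips": rec["ips"], "expiries": len(times),
                           "span_s": int((times[-1] - times[0]).total_seconds())}
    return report

# First two lines are from the post; every other line is constructed for the example.
SAMPLE = """\
Feb 14 12:11:36 :522005: <INFO> |authmgr| MAC=00:24:e8:a9:55:6a IP=10.64.129.105 User entry deleted: reason=logon role lifetime reached
Feb 14 12:12:36 :522005: <INFO> |authmgr| MAC=00:24:e8:a9:55:6a IP=10.64.129.105 User entry deleted: reason=logon role lifetime reached
Feb 14 12:10:05 :522005: <INFO> |authmgr| MAC=02:00:00:00:00:01 IP=192.0.2.50 User entry deleted: reason=logon role lifetime reached
Feb 14 12:11:05 :522005: <INFO> |authmgr| MAC=02:00:00:00:00:01 IP=192.0.2.50 User entry deleted: reason=logon role lifetime reached
Feb 14 12:12:05 :522005: <INFO> |authmgr| MAC=02:00:00:00:00:01 IP=192.0.2.50 User entry deleted: reason=logon role lifetime reached
Feb 14 12:13:05 :522005: <INFO> |authmgr| MAC=02:00:00:00:00:01 IP=192.0.2.50 User entry deleted: reason=logon role lifetime reached
Feb 14 12:13:40 :522005: <INFO> |authmgr| MAC=02:00:00:00:00:02 IP=192.0.2.51 User entry deleted: reason=constructed-other-reason
Feb 14 12:14:00 constructed line that is not a 522005 message
"""

if __name__ == "__main__":
    for mac, info in campers(SAMPLE.splitlines()).items():
        print(mac, info["expiries"], "expiries over", info["span_s"], "s", sorted(info["ips"]))
```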

 

 
