Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

set a session-time-out/ disconnection by enforcement

  • 1.  set a session-time-out/ disconnection by enforcement

    EMPLOYEE
    Posted Oct 06, 2017 12:47 PM

    Hello to all,

    I am writing to kindly request a recommendation with a configuration in CPPM.

    It is necessary to create a policy to give access to customers through wireless access (Guest Manager Captive Portal) from Monday to Friday from 9:00 am to 5:00 pm; the action to be taken after 12:40 pm will be a session timeout or a deauth. I have documented and one of the options is to create a new filter in the "time-source" and call it with a profile in enforcement, but it is not working.

    Time source filter: image attached

    Enforcement profile: image attached

    Enforcement policies: image attached

    Access tracker "session-timeOut normal": image attached

    Services: image attached

    Controller configuration AAA: image attached

    After 12:40 sessions are still active and dissociation does not occur; the idea is that after 12:40 the user has to re-enter the data in the captive portal.

    Could you give me a recommendation, something I might be omitting? Or maybe another idea to achieve the goal?

    Thank you very much beforehand.

    Thanks

    Best Regards.



  • 2.  RE: set a session-time-out/ disconnection by enforcement

    EMPLOYEE
    Posted Oct 07, 2017 04:24 AM

    After viewing your information, it looks like you try to disconnect all users from the network at 12:40pm. I assume that is a test only, because I can't really understand how that time will contribute to users allowed only from 9-5.

    Then it looks that you created a time-source that calculates the time till 12:40pm in seconds and returns that as the Session-Timeout to your controller.

    In the access tracker, I see an authentication happening just before 12:40pm (12:39:36 ART), where the timeout is sent (Session-Timeout Normal). It is not really clear what does not work as expected.

    Can you show the expanded Output tab from the Access-Tracker, where the authentication happens? I could not see what is the outcome of your timesource calculation, which might have an error because epoch is in UTC timezone and you probably need a local timezone [I could not verify the query for your timesource]. Note that the Session-Timeout should be a value in seconds after which the controller will re-authenticate.

    Also, in your example, if the client is re-authenticating just after 12:40pm, it will be just accepted for another 24h as it is between 9-5 which is in your policy.

    First step should be to validate that the correct Session Timeout is returned to the controller.

    Also, it seems to me that some interactive troubleshooting will result in faster resolution, rather than sending screenshots in this forum. You can work with your Aruba partner or Aruba TAC to get such assistance.
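
The calculation discussed in reply 2, as an added example that is not part of the original thread and is not ClearPass code: it computes the Session-Timeout value in seconds up to a local-time cutoff, next to the UTC mistake the reply suspects. The function names, the sample instants and the choice to return None (deny) outside the window or past the cutoff are assumptions for illustration; ART is taken as UTC-3.

```python
from datetime import datetime, time, timedelta, timezone

# ART, the zone shown in the Access Tracker timestamp, is UTC-3 with no DST.
ART = timezone(timedelta(hours=-3), "ART")


def session_timeout(now_utc, cutoff, tz,
                    window=(time(9, 0), time(17, 0)), weekdays=range(0, 5)):
    """Seconds until `cutoff` in local time, or None when access is denied.

    Assumption of this example: a request outside Mon-Fri 9:00-17:00, or at
    or after the cutoff, gets no Session-Timeout and should be rejected, so a
    client re-authenticating just after the cutoff is not accepted again.
    """
    local = now_utc.astimezone(tz)          # convert epoch/UTC to local time
    if local.weekday() not in weekdays:     # Monday is 0, Friday is 4
        return None
    start, end = window
    if not (start <= local.time() < end):
        return None
    cutoff_dt = datetime.combine(local.date(), cutoff, tzinfo=tz)
    remaining = int((cutoff_dt - local).total_seconds())
    return remaining if remaining > 0 else None


def naive_utc_timeout(now_utc, cutoff):
    """The suspected bug: the cutoff is compared against UTC, not local time."""
    cutoff_dt = datetime.combine(now_utc.date(), cutoff, tzinfo=timezone.utc)
    return int((cutoff_dt - now_utc).total_seconds())


if __name__ == "__main__":
    cutoff = time(12, 40)
    # Constructed instant: Friday 2017-10-06 12:39:36 ART, i.e. 15:39:36 UTC.
    now = datetime(2017, 10, 6, 15, 39, 36, tzinfo=timezone.utc)
    print("local-time result:", session_timeout(now, cutoff, ART))
    print("UTC-based result: ", naive_utc_timeout(now, cutoff))
    # One minute past the cutoff, and a Saturday: both denied.
    late = datetime(2017, 10, 6, 15, 41, 0, tzinfo=timezone.utc)
    saturday = datetime(2017, 10, 7, 15, 0, 0, tzinfo=timezone.utc)
    print("after cutoff:", session_timeout(late, cutoff, ART))
    print("weekend:     ", session_timeout(saturday, cutoff, ART))
```

A negative or multi-hour value in the Output tab where a few seconds were expected points to the time zone of the calculation rather than to the controller.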



  • 3.  RE: set a session-time-out/ disconnection by enforcement

    EMPLOYEE
    Posted Oct 16, 2017 11:26 AM

    Hello Herman,

    Thanks for your remark. That's correct, this is a pre-deployment for a customer; that's the reason why I'm using 12:10 hrs.

    After reading your recommendation I realized that the filter doesn't work because there is an alert that says: "failed to get value for attributes"

    I attached screenshots.

    Maybe there is an error in the filter syntax.