Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Deleted guest user is still online

  • 1.  Deleted guest user is still online

    Posted May 22, 2017 04:20 AM

    Hi,

    Probably we have a design issue.

    We have deleted an active guest user (via captive portal), but the guest user is still connected. Is there any way to force a reauthentication, so that deleted users are not able to reauthenticate?


    Best regards



  • 2.  RE: Deleted guest user is still online

    MVP EXPERT
    Posted May 22, 2017 05:06 AM

    Is it a controller-based deployment? How are the guest users authenticating (via internal DB or ClearPass)? The quickest method is to delete the entry from the user table:


    (Aruba) #aaa user delete ?
    A.B.C.D                 Match IP address
    all                     Delete all users. Can take upto 5 mins if there are 
                            large number of users getting deleted
    ap-ip-addr              Match AP IP address
    ap-name                 Match AP name
    mac                     Match MAC address
    name                    Match user name
    role                    Match role name




  • 3.  RE: Deleted guest user is still online

    Posted May 22, 2017 05:10 AM

    Hi,

    we have a controller-based environment with no ClearPass.

    Our goal is that our secretary can delete guest users via the WebUI (guest role).

    Is there a timeout or re-authenticate value for authenticated guest users?



  • 4.  RE: Deleted guest user is still online

    MVP EXPERT
    Posted May 22, 2017 05:23 AM

    Hi... apologies if this appears 3 times; it won't seem to save the post!

    Have a look at your User Idle Timeout under the Captive Portal Authentication Profile (Configuration > Security > Authentication > L3 Authentication).


    If however that is not configured, the Global Timers will come into effect.


    (WLC) #show aaa timers 
    
    Global User idle timeout = 900 seconds
    Auth Server dead time = 5 minutes
    Logon user lifetime = 5 minutes
    User Interim stats frequency = 300 seconds




  • 5.  RE: Deleted guest user is still online

    Posted May 22, 2017 05:28 AM

    The User idle timeout wasn't set. Now I have set it to 300 sec.


    But, I understand it as a timeout feature. So if the deleted guest user is still active then the counter will not increase...



  • 6.  RE: Deleted guest user is still online

    EMPLOYEE
    Posted May 22, 2017 06:06 AM

    Schinida,


    When the guest user is deleted, its role should change to "logon", which would require them to log in again.  If they log in again, they would be allowed to continue.  If you are using unique usernames for guests and you delete the username that the guest is using, the guest would not be able to log in again and continue his/her session.



  • 7.  RE: Deleted guest user is still online

    Posted May 23, 2017 12:50 AM

    Thanks for the info. It sounds good, but it is not working correctly.

    1. Create a local guest user

    USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest add username "test" password ****** start-time "05/22/2017" "09:53" expiry time "05/22/2017" "17:53"

    2. Login to the guest wlan with captive portal and guestuser test

    User Authentication Successful: username=test MAC=00:26:b6:f4:c2:5b IP=10.2.30.99 role=guest VLAN=130 AP=AP35 SSID=campus-gast AAA profile=campus-gast-aaa_prof auth method=Web auth server=Internal

    3. Surf the web via captive portal and ping internet addresses

    4. Delete the user via Webui

    USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest del username "test" > -- command executed successfully

    5. Disconnect WLAN on the notebook -> notebook is offline

    6. Connect to WLAN guest network again

    2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 XXX-WLAN1 stm[1800]: <501100> <NOTI> <XXX-WLAN1 10.2.171.241> Assoc success @ 12:14:17.891347: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

    2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501100> <NOTI> |AP AP35@10.2.171.148 stm| Assoc success @ 12:14:17.883057: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

    2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501095> <NOTI> |AP AP35@10.2.171.148 stm| Assoc request @ 12:14:17.882277: 00:26:b6:f4:c2:5b (SN 2): AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

    2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501093> <NOTI> |AP AP35@10.2.171.148 stm| Auth success: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35

    2017-05-22 12:14:17 Local0.Notice 10.2.171.241 May 22 12:14:17 2017 10.2.171.148 stm[867]: <501109> <NOTI> |AP AP35@10.2.171.148 stm| Auth request: 00:26:b6:f4:c2:5b: AP 10.2.171.148-6c:f3:7f:96:a1:19-AP35 auth_alg 0

    7. The guest user can login and will not be prompted for login credentials.

    Is this normal behaviour?
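One way to turn the observation in this thread into a routine check, as an added example that is not from the thread or from Aruba: scan the controller's audit and user-authentication log lines for guest accounts that were removed from the local user DB while they still held a captive-portal session, and emit the `aaa user delete mac` command from post 2 for each stale entry. The log lines below are constructed in the format shown above; the second guest (visitor2, MAC 00:11:22:33:44:55) is made up.

```python
import re

# Patterns for the two message types seen in the thread: a captive-portal
# login success, and the audit entry written when an admin deletes a guest.
AUTH_RE = re.compile(
    r"User Authentication Successful: username=(?P<user>\S+) "
    r"MAC=(?P<mac>[0-9a-f:]{17}) IP=(?P<ip>\S+) role=(?P<role>\S+)")
DEL_RE = re.compile(r'local-userdb-guest del username "(?P<user>[^"]+)"')

# Constructed sample log: guest "test" logs in, "visitor2" logs in, then the
# admin deletes "test" while that session is still active.
SAMPLE_LOG = """\
2017-05-22 09:55:01 User Authentication Successful: username=test MAC=00:26:b6:f4:c2:5b IP=10.2.30.99 role=guest VLAN=130 AP=AP35 SSID=campus-gast AAA profile=campus-gast-aaa_prof auth method=Web auth server=Internal
2017-05-22 10:02:40 User Authentication Successful: username=visitor2 MAC=00:11:22:33:44:55 IP=10.2.30.101 role=guest VLAN=130 AP=AP35 SSID=campus-gast AAA profile=campus-gast-aaa_prof auth method=Web auth server=Internal
2017-05-22 12:10:03 USER:adminuser@10.2.2.58 COMMAND:<local-userdb-guest del username "test" > -- command executed successfully
"""


def find_orphaned_sessions(log_text):
    """Return {username: session} for guest accounts whose local-userdb entry
    was deleted while a captive-portal session for that account existed, or
    that authenticated again after the deletion (which should not happen)."""
    sessions, deleted, orphans = {}, set(), {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            sessions[m["user"]] = {"mac": m["mac"], "ip": m["ip"], "role": m["role"]}
            if m["user"] in deleted:          # login succeeded for a deleted account
                orphans[m["user"]] = sessions[m["user"]]
            continue
        m = DEL_RE.search(line)
        if m:
            deleted.add(m["user"])
            if m["user"] in sessions:         # account removed under a live session
                orphans[m["user"]] = sessions[m["user"]]
    return orphans


def cleanup_commands(orphans):
    """Controller CLI lines (syntax from post 2) that purge the stale user-table entries."""
    return [f"aaa user delete mac {s['mac']}" for s in orphans.values()]


if __name__ == "__main__":
    found = find_orphaned_sessions(SAMPLE_LOG)
    for user, s in found.items():
        print(f"{user}: MAC {s['mac']} IP {s['ip']} still holds role {s['role']}")
    print("\n".join(cleanup_commands(found)))
```

Running the output commands against the controller is what actually ends the session; deleting the account alone leaves the existing user-table entry in place until the idle timeout from post 4 expires it.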