MAC auth, RADIUS Session-Timeout and Accounting Stop Packet issues
09-15-2017 04:34 AM - edited 09-15-2017 04:57 AM
Hardware is an Aruba Controller (not IAP)
Apologies if this answer is posted elsewhere, but I searched the FAQ and Forum as much as I can and couldn't find a similar topic that related to my problem.
We are using MAC authentication on an Open SSID. This is working as normal, in terms of if we reply with an Access-Accept from our RADIUS server, the user is granted access and is online. If we reply with Access-Reject, the user is sent to the captive portal we configured. All as expected thus far.
The problem we face is around how the Session-Timeout RADIUS attribute is honoured. What seems to be happening is odd to me.
If we send a Session-Timeout of 600 (10 minutes), the user is gets online and we receive an Accounting-Start packet straight away. We then receive Accounting-Interim packets every few minutes. All good so far. However, at the end of the 10 minutes, the user is kicked off as expected. But, the controller is not sending an Accounting-Stop packet to us to inform us of the session ending. Instead, the user immediately reauthenticates via mac auth, gets back on with another Session-Timeout of 600, but no new Accounting-Start packet is sent. Instead, the controller keeps the original session and continues to send Accounting-Interim updates to us as if the user never disconnnected.
How can we make it so that when the Session-Timeout is reached, and the user is kicked off, that a Stop packet is sent to RADIUS? If the device reauths, that is fine, but a new Accounting session should begin with an Accounting-Start packet.
NOTE: We are using the MAC auth/Captive portal on a wired port, not with Aruba AP's (Wireless) if that makes any difference.
I hope I have explained this correctly.
Re: MAC auth, RADIUS Session-Timeout and Accounting Stop Packet issues
09-19-2017 06:33 AM