Question about session timeout for L3 web auth
09-22-2017 12:38 AM - edited 09-22-2017 01:12 AM
We're facing an issue whilst trying to use both captive portal and MAC auth together.
When the user connects to the SSID, we trigger a MAC auth request. If the user is known, we let them on, and if not, they get a captive portal splash page. When they authenticate on the splash page and the controller performs the RADIUS auth to our server, we reply with a Session-Timeout value. We can see the Aruba receives this and applies it.
The problem is that when the Session-Timeout is reached, and the user is removed from the authenticated state, it keeps the user in some L3 web auth "logon" role, and never tries to MAC Auth again. This seems strange, as we would assume once a user is kicked off, any auth method enabled on that SSID should be attempted, so a MAC auth request should be triggered.
Any idea why it does this? We need a way to get the user back online without intervention or another captive portal prompt, if they exceed the original Session-Timeout but are still using the WiFi. Hence we need them to be re-authed by MAC auth.
Strangely, if they reach the "Idle-Timeout" limit we also set, then the controller DOES remove them from the L3 web auth role, and MAC auth is performed. Or, if we issue a CoA disconnect, it removes the L3 web auth role. So, why doesn't Session-Timeout being reached do the same?
So to simplify my question, how can we make users that logged on through the captive portal be removed from the logon role as soon as the Session-Timeout expires, so a MAC auth is then triggered?
Re: Question about session timeout for L3 web auth
10-18-2018 02:38 AM
We are working with TAC on this issue. If I get a solution I will provide it to you. But the work on this issue is a little bit confusing. We are discussing if the behaviour of the controller is a bug or a feature?! My opinion is that it is a bug....