Wireless Access

I have a IAP with setting reauth timer to 0
FreeRadius return session-timer 120s
If I setup Captive portal with using the RADIUS server, session is stop after 120s
IAP can force the user to reauthenticate by captive portal.
That's okay


However, if i set the employee SSID with "WPA2-Enterprise (802.1x)"
IAP with setting reauth timer to 0
FreeRadius return session-timer 120s,
I checked the RADIUS records, there is NO reauthenticate RADIUS/EAP message come in for a long period of time.
I can only see accouting information.
Then I try to set reauth timer to 3 min, then IAP will cause user to send reauthen after 3 min.
It seems that the IAP only follows the reauth timer setting in IAP GUI but not the session-timer from RADIUS.

May I know if IAP 105 version 6.3 whether support session-timer from Radius for 802.1x authentication ?

Sir,

 

It should work.  What is the exact version of IAP that you are running?  

 

You can also use the command below to take a look at the radius packets and see if reauthentication is occurring:

show ap debug auth-trace-buf <mac address of client>

Thanks for the information.

Here is the version of the IAP

 

Version

Aruba Operating System Software.

ArubaOS (MODEL: 105), Version 6.3.1.2-4.0.0.4

Website: http://www.arubanetworks.com

Copyright (c) 2002-2014, Aruba Networks, Inc.

Compiled on 2014-02-20 at 22:26:29 PST (build 42384) by p4build

 

About the debug command, I can only retest it again on 23th/Feb after return back to office.

 

Actually, I used wireshark to capture the RADIUS traffic (EAP/RAIDUS) in previous test. 

 

if I set re-authen timer to 0 and use radius to return sesison-timer=120, I cannot find any re-authentication traffic after waiting for long time.

 

if I set re-authen timer to 15min and use radius to return sesison-timer=120, I can find re-authentication traffic after 15min only (but not 120s).

 

That make me feel the session-timer not working if using WPA2-Enterprise (EAP-PEAP).

 

Thank you

Okay.  Post when you get back into the office.  We cannot really open and make progress on a case unless we get access to your live setup.

At first, thanks for the reply.

I tried the debug command.

I cannot see the re-authentication after session timeout 120s

I can only see many rad-acct-int-update at the end of debug log

Please advise if any of my mis-configuration or version not support.





=======

Version

=======

00:24:6c:cb:63:e2# show ver

Aruba Operating System Software.

ArubaOS (MODEL: 105), Version 6.3.1.2-4.0.0.4

Website: http://www.arubanetworks.com

Copyright (c) 2002-2014, Aruba Networks, Inc.

Compiled on 2014-02-20 at 22:26:29 PST (build 42384) by p4build



AP uptime is 20 minutes 37 seconds

Reboot Time and Cause: unknown





================

Radius return AVP

================

Code: Access-Challenge response

AVP: l=6 t=Session-Timeout(27): 120





================

AP debug log

================

After AP startup, I user a mobile phone connect to the AP

There is only rad-acct-int-update found at the end of the log





00:24:6c:cb:63:e2# show ap debug auth-trace-buf



Auth Trace Buffer

-----------------

Jan 1 00:02:38 station-up * 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - - wpa2 aes

Jan 1 00:02:38 eap-id-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 1 5

Jan 1 00:02:38 eap-id-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 1 10 david

Jan 1 00:02:38 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 1 202

Jan 1 00:02:40 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 1 86

Jan 1 00:02:40 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 2 22

Jan 1 00:02:40 eap-nak -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 2 6

Jan 1 00:02:40 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 2 216

Jan 1 00:02:40 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 2 70

Jan 1 00:02:40 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 3 6

Jan 1 00:02:40 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 3 208

Jan 1 00:02:40 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 3 418

Jan 1 00:02:40 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 3 1090

Jan 1 00:02:40 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 4 1024

Jan 1 00:02:40 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 4 6

Jan 1 00:02:40 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 4 216

Jan 1 00:02:40 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 4 1086

Jan 1 00:02:40 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 5 1020

Jan 1 00:02:40 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 5 6

Jan 1 00:02:40 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 5 216

Jan 1 00:02:40 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 5 594

Jan 1 00:02:40 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 6 532

Jan 1 00:02:40 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 6 144

Jan 1 00:02:40 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 6 354

Jan 1 00:02:40 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 6 123

Jan 1 00:02:40 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 7 65

Jan 1 00:02:40 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 7 6

Jan 1 00:02:40 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 7 216

Jan 1 00:02:40 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 7 101

Jan 1 00:02:40 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 8 43

Jan 1 00:02:40 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 8 80

Jan 1 00:02:40 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 8 290

Jan 1 00:02:41 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 8 117

Jan 1 00:02:41 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 9 59

Jan 1 00:02:41 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 9 144

Jan 1 00:02:41 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 9 354

Jan 1 00:02:41 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 9 149

Jan 1 00:02:41 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 10 91

Jan 1 00:02:41 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 10 80

Jan 1 00:02:41 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 10 290

Jan 1 00:02:41 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 10 101

Jan 1 00:02:41 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 11 43

Jan 1 00:02:41 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 11 80

Jan 1 00:02:41 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 11 290

Jan 1 00:02:41 rad-accept <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22/MYRADIUS 11 167

Jan 1 00:02:41 eap-success <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 11 4

Jan 1 00:02:41 wpa2-key1 <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - 117

Jan 1 00:02:41 wpa2-key2 -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - 117

Jan 1 00:02:41 wpa2-key3 <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - 151

Jan 1 00:02:41 wpa2-key4 -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - 95

Jan 1 00:02:43 rad-acct-start -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - -

Jan 1 00:02:47 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - -

Jan 1 00:03:48 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - -

Jan 1 00:04:26 rad-acct-stop -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:22 - -

Jan 1 00:04:26 station-up * 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - - wpa2 aes

Jan 1 00:04:26 eap-id-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 1 5

Jan 1 00:04:26 eap-id-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 1 10 david

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 16 202

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 16 86

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 2 22

Jan 1 00:04:26 eap-nak -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 2 6

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 17 216

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 17 70

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 3 6

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 3 208

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 18 418

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 18 1090

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 4 1024

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 4 6

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 19 216

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 19 1086

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 5 1020

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 5 6

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 20 216

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 20 594

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 6 532

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 6 144

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 21 354

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 21 123

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 7 65

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 7 6

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 22 216

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 22 101

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 8 43

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 8 80

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 23 290

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 23 117

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 9 59

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 9 144

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 24 354

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 24 149

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 10 91

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 10 80

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 25 290

Jan 1 00:04:26 rad-resp <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 25 101

Jan 1 00:04:26 eap-req <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 11 43

Jan 1 00:04:26 eap-resp -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 11 80

Jan 1 00:04:26 rad-req -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 26 290

Jan 1 00:04:26 rad-accept <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a/MYRADIUS 26 167

Jan 1 00:04:26 eap-success <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a 11 4

Jan 1 00:04:26 wpa2-key1 <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - 117

Jan 1 00:04:26 wpa2-key2 -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - 135

Jan 1 00:04:26 wpa2-key3 <- 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - 151

Jan 1 00:04:26 wpa2-key4 -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - 95

Jan 1 00:04:26 rad-acct-start -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:04:48 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:05:49 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:06:51 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:07:52 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:08:52 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:09:53 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:10:53 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:11:54 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:12:54 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:13:54 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:14:54 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:15:54 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:16:54 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:17:55 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:18:55 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:19:55 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:20:55 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -

Jan 1 00:21:55 rad-acct-int-update -> 48:5a:3f:06:8b:cb
00:24:6c:36:3e:2a - -







==============

Configuration

==============

00:24:6c:cb:63:e2# show run

version 6.3.1.0-4.0.0

virtual-controller-country HK

virtual-controller-key
d243340901b07769aa5c6e1bbb34226f9852b913f950884c2a

name Instant-CB:63:E2

terminal-access

clock timezone none 00 00

rf-band all



allow-new-aps

allowed-ap 00:24:6c:cb:63:e2







arm

wide-bands 5ghz

80mhz-support

min-tx-power 18

max-tx-power 127

band-steering-mode prefer-5ghz

air-time-fairness-mode fair-access

client-aware

scanning





syslog-level warn ap-debug

syslog-level warn network

syslog-level warn security

syslog-level warn system

syslog-level warn user

syslog-level warn user-debug

syslog-level warn wireless













mgmt-user admin 2e96ab7b029f698668a4fc7c790ca17b



wlan access-rule default_wired_port_profile

index 0

rule any any match any any any permit



wlan access-rule wired-instant

index 1

rule 10.166.20.238 255.255.255.255 match tcp 80 80 permit

rule 10.166.20.238 255.255.255.255 match tcp 4343 4343 permit

rule any any match udp 67 68 permit

rule any any match udp 53 53 permit



wlan access-rule MYINSTANT

index 2

rule any any match any any any permit



wlan access-rule MYGUEST

index 3

rule any any match any any any permit



wlan ssid-profile MYINSTANT

enable

index 0

type employee

essid MYINSTANT

opmode wpa2-aes

max-authentication-failures 0

auth-server MYRADIUS

rf-band all

captive-portal disable

dtim-period 1

inactivity-timeout 1000

broadcast-filter none

radius-reauth-interval 60

radius-accounting

radius-interim-accounting-interval 1

dmo-channel-utilization-threshold 90

local-probe-req-thresh 0

max-clients-threshold 64



wlan ssid-profile MYGUEST

enable

index 1

type guest

essid MYGUEST

opmode opensystem

max-authentication-failures 10

vlan guest

auth-server MYRADIUS

rf-band all

captive-portal internal

dtim-period 1

inactivity-timeout 1000

broadcast-filter none

radius-reauth-interval 15

radius-accounting

radius-interim-accounting-interval 1

blacklist

dmo-channel-utilization-threshold 90

local-probe-req-thresh 0

max-clients-threshold 64



auth-survivability cache-time-out 24







wlan auth-server MYRADIUS

ip 10.166.19.238

port 1812

acctport 1813

deadtime 1

key fc502016b2032e1d04699b5cfad9b69627ea139db33df707

nas-ip 10.166.18.158

nas-id MYINSTANT

rfc3576

cppm-rfc3576-port 5999



wlan captive-portal

background-color 13421772

banner-color 16750848

banner-text "Welcome to Guest Network"

terms-of-use "This network is not secure, and use is at your own risk"

use-policy "Please read terms and conditions before using Guest
Network"

authenticated



wlan external-captive-portal

server localhost

port 80

url "/"

auth-text "Authenticated"

auto-whitelist-disable

https





blacklist-time 3600

auth-failure-blacklist-time 3600



ids

wireless-containment none





wired-port-profile wired-instant

switchport-mode access

allowed-vlan all

native-vlan guest

no shutdown

access-rule-name wired-instant

speed auto

duplex auto

no poe

type guest

captive-portal disable

no dot1x



wired-port-profile default_wired_port_profile

switchport-mode trunk

allowed-vlan all

native-vlan 1

shutdown

access-rule-name default_wired_port_profile

speed auto

duplex full

no poe

type employee

captive-portal disable

no dot1x





enet0-port-profile default_wired_port_profile



uplink

preemption

enforce none

failover-internet-pkt-lost-cnt 10

failover-internet-pkt-send-freq 30

failover-vpn-timeout 180





airgroup

disable



airgroupservice airplay

disable

description AirPlay



airgroupservice airprint

disable

description AirPrint









Confidential Communication - This e-mail (including any attachments) is confidential and may be
legally privileged. If this e-mail has been sent to you by mistake please inform us by reply
e-mail and then delete the e-mail, destroy any printed copy and do not disclose or use the
information in it.

It should work.  Please open a case with TAC so that we can get your tech-support and look at what is not working in your environment.  We cannot tell what is wrong just from the configuration.