Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

User Table Age-Out

  • 1.  User Table Age-Out

    Posted Aug 25, 2017 10:26 AM

    I have users that have their devices turned off and aren't aging out of user table. I've even had them (via phone) confirm that power is completely removed from the device for 10+ minutes. I set the global user idle timeout to 300 seconds but I'm thinking there is another setting I'm missing that is keeping them in the table for much longer. Is there somewhere in the AAA profile I can look?

     

    As always, thank you!

     

    -Rosie



  • 2.  RE: User Table Age-Out

    EMPLOYEE
    Posted Aug 25, 2017 10:36 AM

    What version of ArubaOS is this?

     

    There is another idle timeout that can be set in the aaa profile.  Type "show user-table" and find your user.  In the "profile" column, will be the AAA profile that is assigned to that user.  Type "show aaa profile <that aaa profile>".  You should see below:

     

    (Aruba7660-US) # show aaa profile employee-aaa_prof
    
    AAA Profile "employee-aaa_prof"
    -------------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        authenticated
    MAC Authentication Profile          N/A
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     default
    802.1X Authentication Profile       dot1x_prof-skn93
    802.1X Authentication Default Role  authenticated
    802.1X Authentication Server Group  employee-srvgrp-vrk60
    Download Role from CPPM             Disabled
    Set username from dhcp option 12    Disabled
    L2 Authentication Fail Through      Disabled
    Multiple Server Accounting          Disabled
    User idle timeout                   0 sec
    Max IPv4 for wireless user          2
    RADIUS Accounting Server Group      N/A
    RADIUS Roaming Accounting           Disabled
    RADIUS Interim Accounting           Disabled
    XML API server                      192.168.1.236
    RFC 3576 server                     192.168.1.32
    User derivation rules               N/A
    Wired to Wireless Roaming           Disabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled
    PAN Firewall Integration            Disabled
    Open SSID radius accounting         Disabled

    If this is a guest user, the captive portal authentication profile for that user also has a user idle timeout that can override the global user idle timeout.



  • 3.  RE: User Table Age-Out

    Posted Aug 25, 2017 11:03 AM

    Thanks for that update. The AAA profile has the user idle timeout set to 240 seconds and the captive portal policy does not have the check box ticked.

     

    Any other setting that can force the deletion? If the device is unplugged from power (and requires power to stay on) then after 300 seconds or even 240 seconds they should be cleared right? 



  • 4.  RE: User Table Age-Out

    EMPLOYEE
    Posted Aug 25, 2017 11:23 AM

    Not really.  In the SSID profile, under advanced, there is a station ageout timer which determines that after X seconds of no frames from the client, the client will get kicked off.  By default it is 1000 seconds.  You can change that to match your global user idle timeout and see if it helps.



  • 5.  RE: User Table Age-Out

    Posted Aug 25, 2017 11:29 AM

    I'll give it a try and report back after several days of no complaints.

     

    Thanks again,

    Rosie



  • 6.  RE: User Table Age-Out

    Posted Oct 08, 2020 10:11 PM

    Sir,

     

    How did you manage to set the user-idle-timeout to 0 seconds? The default is 30 to 43200 seconds.

     

    Thank you,



  • 7.  RE: User Table Age-Out

    Posted Aug 25, 2017 01:10 PM


    @rosie wrote:

    I have users that have their devices turned off and aren't aging out of user table. I've even had them (via phone) confirm that power is completely removed from the device for 10+ minutes. I set the global user idle timeout to 300 seconds but I'm thinking there is another setting I'm missing that is keeping them in the table for much longer. Is there somewhere in the AAA profile I can look?

     

    As always, thank you!

     

    -Rosie

    Hi Rosie,


    We ran into a similar situation last week (ArubaOS 6.5.3.1 - Captive Portal - Open SSID - Guest/IoT). Our help desk was advising students to power off their device for 15 minutes (although we suspect some of them were just unplugging the HDMI media sticks from the TV - and not actually powering off the streaming sticks themselves).

    We adjusted our station age-out timer to 600 seconds (10 minutes) as we realized the 1000 seconds is actually 16 minutes 40 seconds - and it seems to have helped us so far (knock on wood). Help Desk is still advising on 15 minutes (5 minutes of padding) - at least till we can get CoA functioning - still working with our ClearPass admin on that.

    Maybe someone can validate if this makes sense - not sure if this was just normal behavior (this was just based on debugging/tests I did with a Roku and another device) maybe I missed something:
    I suspected the end-result age-out time in our environment depended on how the client device "leaves". Some devices I noticed would age-out of the User-Table 5 minutes (based on the User-Idle Timer) - but then some took the entire 1000 seconds (Station Age-Out) to leave the User-Table - which I didn't think Station Age-Out affected the User-Table only the Station-Table - http://community.arubanetworks.com/t5/Wireless-Access/Difference-between-User-Idle-Timeout-and-Station-Ageout-Time/td-p/191457

    The reason I think it depends on how the device leaves (based on tests I did with our Roku) -> if it sends a deauthentication/disassociation to the AP -> it only takes 5 minutes. If the device is purely powered off (such as yanking the cord, or it doesn't let the AP know it's leaving) - it took 16 minutes 40 seconds.

    I was also using show ap debug client-table ap-name during my test - which showed the station-timer and timestamps for frames - and monitoring the debug messages:

    (Normal Shutdown on Client)
    Setting idle timer for user <mac> to 300 seconds (idle timeout: 300 ageout: 0)


    (Power Cord yanked on Client)
    Setting idle timer for user <mac> to 0 seconds (idle timeout: 300 ageout: 1000).
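
Added example (not part of any post in this thread, and not Aruba's code): a small parser for the two debug messages quoted in the post above, sorting each entry by which timer that post's tests suggest will remove it. Treating `ageout: 0` as "idle timer governs" and a non-zero `ageout` as "station age-out governs" is the poster's observation, not documented behaviour; the MAC addresses and function names are constructed.

```python
import re

# Constructed sample lines in the message format quoted in the post above.
# The MAC addresses are made up for illustration.
SAMPLE_LOG = """\
Setting idle timer for user 00:11:22:33:44:55 to 300 seconds (idle timeout: 300 ageout: 0)
Setting idle timer for user 66:77:88:99:aa:bb to 0 seconds (idle timeout: 300 ageout: 1000)
some unrelated debug line
"""

LINE_RE = re.compile(
    r"Setting idle timer for user (?P<mac>\S+) to (?P<timer>\d+) seconds "
    r"\(idle timeout: (?P<idle>\d+) ageout: (?P<ageout>\d+)\)"
)


def expected_removal(line):
    """Return which timer is expected to clear the entry, or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    timer, ageout = int(m["timer"]), int(m["ageout"])
    # Assumption taken from the post's tests, not from vendor documentation:
    #   ageout == 0 -> client left cleanly, the idle timer counts down
    #   ageout  > 0 -> client vanished, entry waits for the station age-out
    if ageout == 0:
        return {"mac": m["mac"], "governed_by": "user-idle-timeout",
                "seconds": timer}
    return {"mac": m["mac"], "governed_by": "station-ageout",
            "seconds": ageout}


def stale_candidates(log_text, max_seconds):
    """List entries expected to stay in the user table longer than max_seconds."""
    parsed = (expected_removal(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry and entry["seconds"] > max_seconds]


if __name__ == "__main__":
    # Flag anything expected to outlive the 300-second global idle timeout.
    for entry in stale_candidates(SAMPLE_LOG, 300):
        print(entry)
```
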



  • 8.  RE: User Table Age-Out

    Posted Aug 25, 2017 02:45 PM

    It's very strange and I'm seeing devices that aren't showing authentications even after I "aaa user delete xxx.xxx.xxx.xxxx" and see the age out restarts. 

     

    Does anyone know if I should adjust the reauthentication or reauthentication interval for my mac authentication profile? It's currently disabled and the default interval is 86400 seconds.



  • 9.  RE: User Table Age-Out

    EMPLOYEE
    Posted Aug 25, 2017 03:27 PM

    You are asking us to give you advice when we are looking at your deployment through a straw.  You should consider opening a TAC case in parallel so that they can give you good, specific advice.  We would hate to just start tweaking knobs without knowing how everything is configured.



  • 10.  RE: User Table Age-Out

    Posted Aug 25, 2017 03:29 PM

    Apologies. Will do.

     

    Thanks.