Security

Are you sending a CoA? How are you accomplishing this? Is there a session lifetime configured on the controller instead?

Also why AOS8 and not AOS10?

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

Your role is visitor. Did you setup re-auth interval to 600 seconds on this role?

SSID re-auth is not relevant if you assign different role to the user.

Best, Gorazd

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

Are you sending a CoA? How are you accomplishing this? Is there a session lifetime configured on the controller instead?

Also why AOS8 and not AOS10?

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

Hi,

Tried it with enforcement profile session timeout.
Then after x seconds he comes back to captive portal.
No Mac-auth but goes to initial role without asking to clearpass.
Best thing is CoA sending disconnect after 600secs.

But don't know how I can trigger this in clearpass enforcement.

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

What is services sequence?

You should have MAC Auth with MAC Caching before Captive portal login.

Best, Gorazd

Hi,

Tried it with enforcement profile session timeout.
Then after x seconds he comes back to captive portal.
No Mac-auth but goes to initial role without asking to clearpass.
Best thing is CoA sending disconnect after 600secs.

But don't know how I can trigger this in clearpass enforcement.

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

Are you sending a CoA? How are you accomplishing this? Is there a session lifetime configured on the controller instead?

Also why AOS8 and not AOS10?

The sequence is correct.
First Mac-auth then user-auth.
The flow works correct if I manually disconnect the client from the controller.
Then the client comes back and does a Mac-auth.

Issue is to automate a disconnect after a user-auth after 600seconds.
Session timeout via enforcement doesn't trigger Mac-auth.
Role re-auth in gateway/MC (conductor) doesn't trigger also no Mac-auth.

If I could send a CoA in enforcement of user-auth to disconnect user after 600seconds would be great.
Like I do manaully and re-auth it against the clearpass.

What is services sequence?

You should have MAC Auth with MAC Caching before Captive portal login.

Best, Gorazd

Hi,

Tried it with enforcement profile session timeout.
Then after x seconds he comes back to captive portal.
No Mac-auth but goes to initial role without asking to clearpass.
Best thing is CoA sending disconnect after 600secs.

But don't know how I can trigger this in clearpass enforcement.

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

Hi.

Yes, you can send CoA in enforcement profile.

You can use [AOS-CX - Disconnect] or [AOS-CX Bounce Switch Port] enforcement profiles to disconnect the user.

You will find required attributes in RADIUS Dynamic Authorization Templates.

Best, Gorazd

Best, Gorazd

The sequence is correct.
First Mac-auth then user-auth.
The flow works correct if I manually disconnect the client from the controller.
Then the client comes back and does a Mac-auth.

Issue is to automate a disconnect after a user-auth after 600seconds.
Session timeout via enforcement doesn't trigger Mac-auth.
Role re-auth in gateway/MC (conductor) doesn't trigger also no Mac-auth.

If I could send a CoA in enforcement of user-auth to disconnect user after 600seconds would be great.
Like I do manaully and re-auth it against the clearpass.

What is services sequence?

You should have MAC Auth with MAC Caching before Captive portal login.

Best, Gorazd

Hi,

Tried it with enforcement profile session timeout.
Then after x seconds he comes back to captive portal.
No Mac-auth but goes to initial role without asking to clearpass.
Best thing is CoA sending disconnect after 600secs.

But don't know how I can trigger this in clearpass enforcement.

AOS8 since customer doesn't have budget to migrate to AOS10.

CoA works but I don't send it.
Session timeout send by clearpass triggers to go back logon role.
Where everything fails again.

I want to do Mac-auth after x seconds/minutes and should work as a charm then.

Someone else had same issue?

Are you sending a CoA? How are you accomplishing this? Is there a session lifetime configured on the controller instead?

Also why AOS8 and not AOS10?