If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Apr 14, 2025 08:45 AM
From: magro
Subject: ClearPass Guest Anonymous + MAC Caching
We have solved it differently now.
A normal ClearPass Service Wizard "Guest Access" was configured. In the SSID configuration in Aruba Instant, a "Reauth Interval" was configured under Security.
The old Guest Service Configurations were disabled/deleted.
Original Message:
Sent: Apr 10, 2025 07:49 PM
From: ariyap
Subject: ClearPass Guest Anonymous + MAC Caching
Generally you have 2x services for this. The first sequential service is MAC auth and the other is user auth with MAC caching service.
In your case, after the MAC caching session expires, the user will get disconnected with CoA and will then re-auth and match the MAC auth service (since it is before the MAC caching service). In that service, you have 4x roles (by default if you have used the wizard to create wireless guest service). One of the roles is "MAC caching" and the other is "Guest". So your device will have the Guest role.
So in your enforcement policy you should have a rule for the "Guest" role and redirect it to the captive portal. See below, rule 5 in Enforcement policy.


The enforcement profile "Aruba Redirect access" will have the use-role name that ClearPass will send to your AP/gateways that matches the Guest captive portal redirect user role that is already configured on your AP/gateway.
Original Message:
Sent: Apr 10, 2025 09:40 AM
From: magro
Subject: ClearPass Guest Anonymous + MAC Caching
Hello,
we have a working guest environment but we want to de-auth the clients after some hours.
Authentication mode in ClearPass Guest is Anonymous.
If the Endpoint is not known in the Endpoint Repository the Captive Portal appears. Click the Accept-Button and you are online.
When the client reconnects, the username is not the MAC-Address anymore, but the anonymous username configured in "Web Logins".
The Endpoint instead has an attribute "MAC-Auth Expiry". Older Endpoints have Unix-Timecode from the past but they still match the Mac-Auth Service and are connected without Captive Portal.
I've configured an Enforcement Profile
Type; Name; Value
Radius:IETF;Session-Timeout;3600
Radius:IETF;Termination-Action;RADIUS-Request(1)
The sessions really seem to time out, but they still match the MAC-Auth Service and are connected without captive-portal.
What is the issue here?
Cheers,