0

I will first tell you a little bit about how I am set up.

I have wireless clients connecting to an ARUBA Mobility Controller using a RADIUS server for authentication. I need to ensure I can modify accounts in real time.

For example, if I lock an account or change the password, I (ideally) want the user to be kicked off right away.

I tried testing this, and the first time I changed the password it kicked my user off, but each time after that they stayed logged in. Is there some way to manage this on the RADIUS server side or some other way to get this done?

NOTE: This was tested with an iPhone. Is there some sort of refresh interval that the phone checks into the server with? (Same question for laptops.)

Any insight would be helpful! Thanks :)

2 Answers

1

Once the WLC and the RADIUS server authenticate the user, their conversation is complete. There is no event sent from the DC to the RADIUS server or WLC to say "Disconnect this user, they are disabled now".

The wireless client will reauth at some point, and it is only then that the auth will fail because of a disabled account.

It's not possible for this to happen in 'real time' with these products as they exist out of the box.

0

There's no way to disconnect a client immediately as you lock their account. Consider periodic re-authentication to at least ensure that an authenticated session won't last longer than the configured timeout. See how it works on Cisco, for example:
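Added example, not part of the original answer and not Cisco's or Aruba's own configuration: a sketch of the two standard RADIUS attributes (Session-Timeout, type 27, and Termination-Action, type 29, from RFC 2865, used for 802.1X re-authentication per RFC 3580) that a RADIUS server can return in an Access-Accept to request periodic re-authentication, plus the resulting worst-case time until a locked account is dropped. The function names are hypothetical, and it assumes the controller honours these attributes.

```python
import struct

# RADIUS attribute types (RFC 2865), used for 802.1X re-auth per RFC 3580
SESSION_TIMEOUT = 27      # seconds of service before the session ends or re-auths
TERMINATION_ACTION = 29   # 0 = Default (end session), 1 = RADIUS-Request (re-auth)

def encode_attr(attr_type, value):
    """Encode one 32-bit integer attribute as type | length | value."""
    return struct.pack("!BBI", attr_type, 6, value)

def reauth_attributes(interval_s):
    """Attributes an Access-Accept would carry to request periodic re-auth."""
    return encode_attr(SESSION_TIMEOUT, interval_s) + encode_attr(TERMINATION_ACTION, 1)

def parse_attrs(blob):
    """Parse a run of attributes, rejecting truncated or malformed lengths."""
    attrs, i = {}, 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        attrs[attr_type] = blob[i + 2:i + length]
        i += length
    return attrs

def session_policy(blob):
    """Return (interval_seconds, reauth_requested) as an authenticator reads them."""
    attrs = parse_attrs(blob)
    if SESSION_TIMEOUT not in attrs:
        return None, False  # no timeout sent: nothing forces a new authentication
    if len(attrs[SESSION_TIMEOUT]) != 4:
        raise ValueError("Session-Timeout must be a 32-bit integer")
    interval = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    action = attrs.get(TERMINATION_ACTION, b"\x00\x00\x00\x00")
    return interval, struct.unpack("!I", action)[0] == 1

def cutoff_time(session_start, interval_s, locked_at):
    """Time of the first re-auth at or after the lock, when access actually ends."""
    elapsed = max(0, locked_at - session_start)
    cycles = -(-elapsed // interval_s)  # ceiling division
    return session_start + cycles * interval_s

if __name__ == "__main__":
    # Constructed sample: 1-hour interval, account locked 100 s into the session.
    print(session_policy(reauth_attributes(3600)), cutoff_time(0, 3600, 100))
```

A shorter interval narrows the window in which a locked account stays connected, at the cost of more authentication traffic to the RADIUS server.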