
I will first tell you a little bit about how I am set up.

I have wireless clients connecting to an Aruba Mobility Controller using a RADIUS server for authentication. I need to ensure I can modify accounts in real time.

For example, if I lock an account or change the password I (ideally) want the user to be kicked off right away.

I tried testing this, and the first time I changed the password it kicked my user off but each time after that they stayed logged in. Is there some way to manage this on the RADIUS server side or some other way to get this done?

NOTE: This was tested with an iPhone. Is there some sort of refresh interval at which the phone checks in with the server? (Same question for laptops.)

Any insight would be helpful! Thanks :)

2 Answers


Once the WLC and the RADIUS server authenticate the user, their conversation is complete. There is no event sent from the DC to the RADIUS server or WLC to say "Disconnect this user, they are disabled now".

The wireless client will reauth at some point, and it is only then that the auth will fail because of a disabled account.

It's not possible for this to happen in 'real time' with these products as they exist out of the box.

Ryan Newington
  • If you enable RADIUS CoA, there is an on-going conversation between the NAS and the RADIUS server, so your options are then going to depend on what you're using for your RADIUS server. If you were using the Windows RADIUS service, it may well recognize that there has been a change to the account's status, but I haven't yet tested that theory. – C.J. Steele Apr 23 '14 at 18:59

There's no way to disconnect a client immediately as you lock their account. Consider periodic re-authentication to at least ensure that an authenticated session won't last longer than the configured timeout. See how it works on Cisco, for example:
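The two mechanisms raised in this thread, the periodic re-authentication from the answer above and the RADIUS CoA / dynamic-authorization path mentioned in the comment on the first answer, both come down to specific RADIUS packets. The following is an added example written for this page; it is not code from either answer, not the Cisco configuration the answer points to, and not anything Aruba ships. It hand-builds (1) an Access-Accept carrying Session-Timeout and Termination-Action=RADIUS-Request, which caps how long a session can outlive an account lock, and (2) an RFC 5176 Disconnect-Request, the message a CoA-capable NAS acts on to drop a session immediately, and then checks the authenticity of the NAS's Disconnect-ACK/NAK. The user name, Acct-Session-Id, shared secret and the synthesised "NAS" reply are all constructed so the script runs offline; the assumption that the controller accepts dynamic authorization on UDP 3799 from the sending host with that secret is exactly the configuration step the thread does not describe, and nothing here watches the directory for a lock event, which (as the first answer says) no component does by default.

```python
"""Hand-built RADIUS packets for the two mechanisms raised above: an Access-Accept that
bounds session life (Session-Timeout + Termination-Action), and an RFC 5176 Disconnect-Request
(CoA) that ends a session now, with verification of the NAS's ACK/NAK. User, session ID and
secret are constructed; the NAS reply is synthesised locally so the script runs offline."""
import hashlib
import hmac
import os
import socket
import struct

# Packet codes (RFC 2865 section 3, RFC 5176 section 2.3)
ACCESS_ACCEPT = 2
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42
# Attribute types (RFC 2865 section 5)
USER_NAME = 1
SESSION_TIMEOUT = 27
TERMINATION_ACTION = 29
ACCT_SESSION_ID = 44
TERMINATION_RADIUS_REQUEST = 1  # Termination-Action value: NAS re-runs authentication when the timer expires
COA_PORT = 3799  # RFC 5176 default UDP port for Disconnect/CoA messages

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2 header octets (RFC 2865 section 5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def int_attr(attr_type: int, value: int) -> bytes:
    """Integer attributes are 32-bit big-endian."""
    return attr(attr_type, struct.pack("!I", value))

def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet: bytes) -> dict:
    """Return {type: [raw value, ...]} for everything after the 20-octet header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        t, length = packet[pos], packet[pos + 1]
        attrs.setdefault(t, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs

def access_accept(ident: int, request_auth: bytes, secret: bytes, user: str, max_seconds: int) -> bytes:
    """Access-Accept telling the NAS to re-authenticate the user after max_seconds.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = [attr(USER_NAME, user.encode()),
             int_attr(SESSION_TIMEOUT, max_seconds),
             int_attr(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST)]
    unsigned = build_packet(ACCESS_ACCEPT, ident, request_auth, attrs)
    return build_packet(ACCESS_ACCEPT, ident, hashlib.md5(unsigned + secret).digest(), attrs)

def disconnect_request(ident: int, secret: bytes, user: str, acct_session_id: str) -> bytes:
    """Disconnect-Request naming the session. RFC 5176 section 2.3: Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), so only a secret holder can forge it."""
    attrs = [attr(USER_NAME, user.encode()), attr(ACCT_SESSION_ID, acct_session_id.encode())]
    unsigned = build_packet(DISCONNECT_REQUEST, ident, bytes(16), attrs)
    return build_packet(DISCONNECT_REQUEST, ident, hashlib.md5(unsigned + secret).digest(), attrs)

def verify_disconnect_reply(reply: bytes, request: bytes, secret: bytes):
    """Return the reply code (ACK/NAK) if it is authentic and matches our request, else None.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return None
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None

def nas_reply(request: bytes, secret: bytes, code: int = DISCONNECT_ACK) -> bytes:
    """Stand-in for the controller: the ACK/NAK a NAS sharing `secret` would send back."""
    unsigned = build_packet(code, request[1], request[4:20], [])
    return build_packet(code, request[1], hashlib.md5(unsigned + secret).digest(), [])

def send_disconnect(nas_ip: str, secret: bytes, user: str, acct_session_id: str, port: int = COA_PORT):
    """Send a live Disconnect-Request; the NAS must already accept dynamic authorization from
    this host with this secret. Returns the verified reply code, or None."""
    req = disconnect_request(os.urandom(1)[0], secret, user, acct_session_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(req, (nas_ip, port))
        reply, _ = s.recvfrom(4096)
    return verify_disconnect_reply(reply, req, secret)

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = disconnect_request(9, secret, "alice", "ABC123")
    print("offline Disconnect-ACK check:", verify_disconnect_reply(nas_reply(req, secret), req, secret) == DISCONNECT_ACK)
```

Two practical notes. Termination-Action=RADIUS-Request only makes the NAS re-run authentication when the timer expires, which is the moment a locked account or changed password finally fails, so the Session-Timeout value is the upper bound on how long a disabled user stays connected. The Disconnect-Request is authenticated with the RFC 5176 MD5 construction over the shared secret and nothing else (the optional Message-Authenticator attribute is left out here), so the secret's strength and the controller's source-address restriction are what stop anyone on the network from kicking users off.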