AAA, NAC, Guest Access & BYOD

How-To: Limit Daily Free Access

by Community Administrator on ‎09-26-2014 04:14 AM

Use Case

Guests can self-register for a free access account but the account should only be allowed a set amount of time per day. If the guest uses their maximum allowed time on a particular day, they will have to wait until the following day and re-register for another free account.

Implementation

Create a self-registration page to allow users to create their own accounts. Disable the "expire_after" field and enable the "expire_time" field. Edit the "expire_time" field and set the initial value to "today 23:59". This will expire the user at the end of the day so they will have to re-register each day for a free account.

Check what the initial value is set to for the "role_id" field. Go to that user role and edit it. Add the following attributes:

Edit or add the "Reply-Message" attribute. The attribute value isn't important but the conditional expression is. Add the following:

 return ((GetUserTime(time() - strtotime('today 00:00')) >= 30*60) && AccessReject()) ? 0 : 1

Translation: Reject the user if they've used more than 30 minutes since the start of the day.

Add a new attribute. Set the Vendor to "Standard RADIUS Attribute" and set the Attibute to "Session-Timeout". Set the Value to the following:

 <?= (30*60 - GetUserTime(time() - strtotime('today 00:00')))

Translation: Send back a Session-Timeout value of what's left of the user's daily allotment, 30 minutes in this case. If they've logged twice today, one session for 5 minutes and one for 10 minutes, this attribute will tell the controller to disconnect the user after maximum of 15 minutes. The advantage of using Session-Timeout is that it doesn't rely on RFC-3576 disconnects or RADIUS interim accounting. The controller naturally disconnects the user at the appropriate time.

Display usage information to end user

A versatile piece of code can be added to the header/footer of any page. It will display a table of useful statistics to the end user. This will help the user know why their login attempt is getting rejected. The MAC address must be passed in the redirect for the table to be displayed which AOS does by default.

File:usage block.png

This code also can be used for an Amigopod hosted Welcome Page after a guest logs in.

File:welcome page usage block.png

{assign var=traffic_limit value=1e9}
{assign var=time_limit value=30}

{nwa_radius_query _method=GetCallingStationCurrentSession callingstationid=$extra_fields.mac mac_format="%02X%02X%02X%02X%02X%02X" _assign=current_session}
 
{nwa_radius_query _method=GetCallingStationTraffic callingstationid=$extra_fields.mac mac_format="%02X%02X%02X%02X%02X%02X" from_time="today 00:00" to_time="now" _assign=traffic_used}
 
{nwa_radius_query _method=GetCallingStationTime callingstationid=$extra_fields.mac mac_format="%02X%02X%02X%02X%02X%02X" from_time="today 00:00" to_time="now" _assign=time_used}
 
{assign var=time_usedresult value=`$time_used/60`}
{assign var=traffic_remaining value=`$traffic_limit-$traffic_used`}
{assign var=time_remaining value=`$time_limit-$time_usedresult`}
{if ($time_limit-$time_usedresult) < 0}
{assign var=time_remaining value=0}
{/if}

{*Table to be displayed*}
 
{if $current_session.username}
<p>
Hello <b>{$current_session.username}</b>, you are now
logged into the WiFi network.<br></p>
 
<table {$table_class_content}>
<tr><th class="nwaTop">Device Information</th></tr>
<tr><td class="nwaBody">
{nwa_icontext icon="images/icon-info22.png" valign="middle" novspace="1"}
IP address : <b>{$current_session.framedipaddress}</b>
{/nwa_icontext}
</td></tr>
<tr><td class="nwaBody">
{nwa_icontext icon="images/icon-info22.png" valign="middle" novspace="1"}
MAC address : <b>{$extra_fields.mac}</b>
{/nwa_icontext}
</td></tr></table>
 
{else}
<p>
You are now logged into the WiFi network.
</p>
{/if}
 
 
<table {$table_class_content}>
<tr><th class="nwaTop">Your Usage</th></tr>
 
<tr><td class="nwaBody">
{nwa_icontext icon="images/icon-info22.png" valign="middle" novspace="1"}
Your daily traffic quota is
<b>{$traffic_limit|NwaByteFormatBase10:0}</b>.
{/nwa_icontext}
</td></tr>
 
<tr><td class="nwaBody">
{nwa_icontext icon="images/icon-info22.png" valign="middle" novspace="1"}
So far today, you have used
<span class="nwaImportant">
{$traffic_used|NwaByteFormatBase10:0}</span>.
{/nwa_icontext}
</td></tr>
 
<tr><td class="nwaBody">
{nwa_icontext icon="images/icon-info22.png" valign="middle" novspace="1"}
Your remaining usage for today is
<span class="nwaImportant">
{$traffic_remaining|NwaByteFormatBase10:0}</span>.
{/nwa_icontext}
</td></tr>
 
 
<tr><td class="nwabody">
{nwa_icontext icon="images/icon-clock22.png" valign="middle" novspace="1"}
Your daily time limit is
<span class="nwaImportant">
<b>{$time_limit|nwatimeformat:"minutes_to_natural"}</span>.</b>
{/nwa_icontext}
</td></tr>
 
<tr><td class="nwabody">
{nwa_icontext icon="images/icon-clock22.png" valign="middle" novspace="1"}
So far today, you have used
<span class="nwaImportant">
<b>{$time_usedresult|nwatimeformat:"%M:%S"} hours</span>.</b>
{/nwa_icontext}
</td></tr>
 
<tr><td class="nwabody">
{nwa_icontext icon="images/icon-clock22.png" valign="middle" novspace="1"}
Your remaining time for today is
<span class="nwaImportant">
<b>{$time_remaining|nwatimeformat:"%M:%S"} hours</span>.</b>
{/nwa_icontext}
</td></tr></table>
Comments
MiniMe

Hi there, 

Can you guide me on how to add the attribute for the role_id? I can't find this attribute under role_id.

 

Check what the initial value is set to for the "role_id" field. Go to that user role and edit it. Add the following attributes:

Edit or add the "Reply-Message" attribute.

 

Thanks!

khpchan

Hi Jamie,

 

 Where in CCPM do I implement

 

return ((GetUserTime(time() - strtotime('today 00:00')) >= 30*60) && AccessReject()) ? 0 : 1

and

 

<?= (30*60 - GetUserTime(time() - strtotime('today 00:00')))

 Thanks,

Peter

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.