
How to limit ClearPass guest concurrent/simultaneous sessions?

Aruba Employee
Requirement:

This article describes how to restrict concurrent sessions for guest users by using the Insight database.

 

Prerequisites:

  • Insight should be enabled on at least one node in the cluster.
  • Accounting with interim updates should be enabled on the network devices (NAS).
  • Interim accounting should be logged in the ClearPass nodes as shown below.

 



Solution:

The number of active devices for a guest user can be retrieved from the Insight database with the query below.

    select count(distinct calling_station_id) as active_sessions
    from radius_acct
    where end_time is null
      and username = '%{Authentication:Username}'
      and calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
      and updated_at > now() - interval '1 hour'

 

Note: This article focuses on finding a guest user's active devices on the network and restricting access when the limit is exceeded. Complete guest configuration is out of scope here; please visit the link below for ClearPass Guest integration, or search our community for guest implementation queries.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961 



Configuration:

Steps:

 

1. Add the above query to the authentication source "[Insight Repository]" under Configuration >> Authentication >> Sources >> [Insight Repository] >> Attributes as shown below.

 

2. Map [Insight Repository] as an authorization source in the guest user authentication service, and add the rule shown below to the enforcement policy to restrict the guest user's active sessions as required.

Note: The Authorization tab may not be visible in the service if it is not enabled under the Service tab.

 

In the above rule, the guest user is limited to three concurrent devices.



Verification

The screen capture below confirms three active sessions for the user "guest@test.com".

 

Access Tracker >> Input >> Authorization Attributes will also reflect the active_session count.

 

The fourth client that tries to connect using the same account is denied access as per the policy.
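
The count-and-deny behaviour described above can be exercised offline with the following added example, which is not part of the original article or of ClearPass. It assumes SQLite as a stand-in for the Insight database (so the one-hour window is passed as a parameter), a table holding only the four columns the query uses, constructed rows and MAC addresses, and a deny comparison of `>= 3`, chosen to match the fourth client being denied since the article's rule is not reproduced in text.

```python
import sqlite3
from datetime import datetime, timedelta

# Same predicates as the article's query; SQLite stands in for the Insight
# database, so "now() - interval '1 hour'" becomes a bound cutoff parameter.
QUERY = """
SELECT count(DISTINCT calling_station_id) AS active_sessions
FROM radius_acct
WHERE end_time IS NULL
  AND username = :username
  AND calling_station_id != :client_mac
  AND updated_at > :cutoff
"""

def build_db(now):
    """Constructed accounting rows (usernames and MACs are sample values)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radius_acct (username TEXT, calling_station_id TEXT,"
               " end_time TEXT, updated_at TEXT)")
    ago = lambda minutes: (now - timedelta(minutes=minutes)).isoformat()
    rows = [
        ("guest@test.com", "aabbcc000001", None, ago(5)),      # active
        ("guest@test.com", "aabbcc000002", None, ago(20)),     # active
        ("guest@test.com", "aabbcc000003", None, ago(40)),     # active
        ("guest@test.com", "aabbcc000004", ago(10), ago(10)),  # stop record received
        ("guest@test.com", "aabbcc000005", None, ago(180)),    # stale, never stopped
        ("other@test.com", "aabbcc000006", None, ago(5)),      # different account
    ]
    db.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?)", rows)
    return db

def active_sessions(db, username, client_mac, now):
    # Counts the account's other open, recently updated devices.
    cutoff = (now - timedelta(hours=1)).isoformat()
    params = {"username": username, "client_mac": client_mac, "cutoff": cutoff}
    return db.execute(QUERY, params).fetchone()[0]

def decide(db, username, client_mac, now, limit=3):
    # Assumed rule: deny when `limit` other devices are already active.
    # The connecting MAC is excluded, so an existing device can re-authenticate.
    count = active_sessions(db, username, client_mac, now)
    return "deny" if count >= limit else "allow"

if __name__ == "__main__":
    now = datetime(2017, 7, 25, 9, 44)  # constructed reference time
    db = build_db(now)
    for mac in ("aabbcc000009", "aabbcc000002"):
        print(mac, active_sessions(db, "guest@test.com", mac, now),
              decide(db, "guest@test.com", mac, now))
```

In this sample data, the row with no stop record and no update for three hours is not counted, which shows what the `updated_at` condition contributes alongside `end_time is null`.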

 

Version history
Revision #: 2 of 2
Last update: 07-25-2017 09:44 AM