Requirement:
This article describes how to restrict concurrent sessions for guest users using the Insight database.
Prerequisites:
The number of active devices for a guest user can be retrieved from the Insight database with the query below.
select count(distinct calling_station_id) as active_sessions from radius_acct where end_time is null and username = '%{Authentication:Username}' and calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}' and updated_at > now() - interval '1 hour'
Note: This article focuses on finding a guest user's active devices on the network and restricting access when the limit is exceeded. Complete guest configuration is out of scope here. For ClearPass Guest integration, please visit the link below, or search our community for guest implementation queries.
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961
Steps:
1. Add the above query to the authentication source "[Insight Repository]" under Configuration >> Authentication >> Sources >> [Insight Repository] >> Attributes as shown below.
2. Map [Insight Repository] as an authorization source in the guest user authentication service, and add the rule as shown below to the enforcement policy to restrict the guest user's active sessions as required.
Note: The Authorization tab may not be visible in the service if it is not enabled under the Service tab.
In the above rule, the guest user is limited to three concurrent devices.
The screen capture below confirms three active sessions for the user "guest@test.com".
Access Tracker >> Input >> Authorization Attributes will also reflect the active_session count.
The fourth client that tries to connect using the same account is denied access as per the policy.
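An added example, not part of the original article or of ClearPass itself: the query above run against constructed accounting rows to show which sessions it counts. Assumptions: SQLite stands in for the Insight database, `?` parameters replace the ClearPass `%{...}` variables, the one-hour cutoff is passed in instead of `now() - interval '1 hour'`, and the deny threshold (`>= 3`) is inferred from the stated behaviour because the rule itself is only visible in the screenshot.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

LIMIT = 3  # concurrent device limit stated in the article

# The article's query adapted to SQLite: parameters replace the ClearPass
# %{...} variables and the one-hour cutoff is supplied by the caller.
QUERY = """
select count(distinct calling_station_id) as active_sessions
from radius_acct
where end_time is null and username = ?
  and calling_station_id != ? and updated_at > ?
"""

def build_db(now):
    """Constructed sample accounting rows; not real ClearPass data."""
    def ts(minutes):
        return (now - timedelta(minutes=minutes)).isoformat()
    rows = [
        # username, calling_station_id, end_time, updated_at
        ("guest@test.com", "aabbcc000001", None, ts(5)),
        ("guest@test.com", "aabbcc000002", None, ts(10)),
        ("guest@test.com", "aabbcc000002", None, ts(2)),     # same device, second record
        ("guest@test.com", "aabbcc000003", None, ts(20)),
        ("guest@test.com", "aabbcc000004", ts(30), ts(30)),  # session already stopped
        ("guest@test.com", "aabbcc000005", None, ts(180)),   # stale: no update for 3 hours
        ("other@test.com", "aabbcc000009", None, ts(1)),     # different account
    ]
    db = sqlite3.connect(":memory:")
    db.execute("create table radius_acct (username text, calling_station_id text,"
               " end_time text, updated_at text)")
    db.executemany("insert into radius_acct values (?, ?, ?, ?)", rows)
    return db

def active_sessions(db, username, client_mac, now):
    cutoff = (now - timedelta(hours=1)).isoformat()
    return db.execute(QUERY, (username, client_mac, cutoff)).fetchone()[0]

def decide(db, username, client_mac, now):
    """Assumed rule: deny when LIMIT other devices are already active."""
    count = active_sessions(db, username, client_mac, now)
    return "deny" if count >= LIMIT else "allow"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    db = build_db(now)
    for mac in ("aabbcc000001", "aabbcc000004", "aabbcc000006"):
        print(mac, decide(db, "guest@test.com", mac, now))
```

Because the query excludes the connecting client's own MAC address, a device that is already online can re-authenticate without counting against itself. A device is counted only while its open accounting record has been updated within the last hour.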
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.