Controller Based WLANs

How can I restrict the number of sessions per user on the controller?

Aruba Employee

Question: How can I restrict the number of sessions per user on the controller?

 

Product and Software: This article applies to all ArubaOS versions.


By default, every user role created on the Aruba controller has the maximum sessions set to 65535.
#show rights test
Derived Role = 'test'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 65535

access-list List
----------------
Position  Name    Location
--------  ----    --------
1        allowall
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1         any   any         any     permit                       Low                                                    4
Expired Policies (due to time constraints) = 0

Max Sessions is the maximum number of sessions that a user can have on the controller at a time. Max Sessions can be a concern especially on guest networks, which are typically configured as open system. An attacker can start a DOS attack on the controller by initiating continuous sessions on well-known ports (such as, http port 80). The maximum number of sessions that are allowed is 65535, so nothing can stop the attacker from starting this attack. As a result, the controller datapath can spike to high utilization values and can cause issues for valid clients connecting to the network.

Therefore, Aruba recommends that the maximum sessions under the user role be restricted to a reasonable value (such as 200). Any sessions that exceed this number are dropped and are not processed by the controller.
Configuration
(acws-ads-19) (config-role) #user-role test
(acws-ads-19) (config-role) #max-sessions ?
<0..65535> Session Count
(acws-ads-19) (config-role) #max-sessions 200
(acws-ads-19) #show rights test
Derived Role = 'test'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 200

access-list List
----------------
Position  Name     Location
--------  ----     --------
1         allowall
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1         any    any         any     permit                      Low                                                     4
Expired Policies (due to time constraints) = 0

Version history
Revision #:
1 of 1
Last update:
‎07-07-2014 10:13 AM
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.