Controller Based WLANs

How to deny access for authentication request based on session limit.?

by on ‎07-09-2014 09:14 AM

When we use post auth session limit enforcement profile to limit user authentications based on session limit, users will be allowed to authenticate. However post auth check executed periodically will perform the session limit checks and initiate disconnect (Radius CoA) for client devices which are more than the configured session limit.

 

In this case, the same disconnected client can connect back even after disconnect, which will be disconnected during next periodic post auth check.

By default post auth check performed every 5 minutes, this can be modified from Administration->Server Manager->Server Configuration->Service Parameters->Async Network Services->Polling Frequency (allowed values are 3-10 minutes).

 

rtaImage (8).png

 

However, if we want to reject user authentications based on session limit, we can use Insight DB as authorization source with custom SQL query to retrieve the active sessions count, then we can define enforcement policy rule to reject access if the user has already reached session limit.

 

For example:
We can use the below SQL query to check the session count and create a Insight DB as authorization source:

 

 

 

select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') AND now());

 

rtaImage (9).png

 

We can modify the Enforcement policy and add a first rule to check the session count and deny access based on session count.

 

rtaImage (10).png

 

 

 

Comments

 

Does somebody can explain why we need to add the following query: "AND (updated_at BETWEEN (now() - interval '1 hour') AND now());"

 

Why not just: select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null

 

chulcher

The extra bit in the WHERE statement is designed to ignore abandoned or "lost" sessions.

 

This portion of the query will pull information for any sessions that have not been updated in the Insight database as closed:

select count(*) as sessions 
from radius_acct
where (username = '%{Authentication:Username}') AND
end_time is null AND
termination_cause is null;

I believe the idea behind adding the check for "updated_at" is to allow the query to weed out any sessions that don't appear to have any activity because the record in Insight hasn't been updated or that the session stop didn't get received.

 

select count(*) as sessions 
from radius_acct
where (username = '%{Authentication:Username}') AND
end_time is null AND
termination_cause is null AND
(updated_at BETWEEN (now() - interval '1 hour') AND now()); 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.