How to deny access for authentication request based on session limit.?

Aruba Employee
Aruba Employee

When we use post auth session limit enforcement profile to limit user authentications based on session limit, users will be allowed to authenticate. However post auth check executed periodically will perform the session limit checks and initiate disconnect (Radius CoA) for client devices which are more than the configured session limit.


In this case, the same disconnected client can connect back even after disconnect, which will be disconnected during next periodic post auth check.

By default post auth check performed every 5 minutes, this can be modified from Administration->Server Manager->Server Configuration->Service Parameters->Async Network Services->Polling Frequency (allowed values are 3-10 minutes).


rtaImage (8).png


However, if we want to reject user authentications based on session limit, we can use Insight DB as authorization source with custom SQL query to retrieve the active sessions count, then we can define enforcement policy rule to reject access if the user has already reached session limit.


For example:
We can use the below SQL query to check the session count and create a Insight DB as authorization source:




select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') AND now());


rtaImage (9).png


We can modify the Enforcement policy and add a first rule to check the session count and deny access based on session count.


rtaImage (10).png




Version history
Revision #:
1 of 1
Last update:
‎07-09-2014 09:14 AM
Updated by:


Does somebody can explain why we need to add the following query: "AND (updated_at BETWEEN (now() - interval '1 hour') AND now());"


Why not just: select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null



The extra bit in the WHERE statement is designed to ignore abandoned or "lost" sessions.


This portion of the query will pull information for any sessions that have not been updated in the Insight database as closed:

select count(*) as sessions 
from radius_acct
where (username = '%{Authentication:Username}') AND
end_time is null AND
termination_cause is null;

I believe the idea behind adding the check for "updated_at" is to allow the query to weed out any sessions that don't appear to have any activity because the record in Insight hasn't been updated or that the session stop didn't get received.


select count(*) as sessions 
from radius_acct
where (username = '%{Authentication:Username}') AND
end_time is null AND
termination_cause is null AND
(updated_at BETWEEN (now() - interval '1 hour') AND now()); 



Hello sirs,

I have a ClearPass 6.5 and I'm trying the limit session for the same username too, in the following screenshoot you can see check my configuration:






I think all is correct, but when Clearpass proccess a request I got the following message:

2017-02-03 14:38:51,194[AuthReqThreadPool-13-0x7ff7c664e700 r=R00000033-01-589487eb h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Sesiones-Activas]




The query is correct and InsightsDB is working properly because I have checked them with PgAdmin:



Thank very much,




Don't use the InsightDB source, create a new authentication source of type "Generic SQL DB" and point it at the "tipsLogDb".


Use the query against that DB to create an attribute (and enable it as an attribute). I think your implementation is failing primarily because you haven't enabled the attribute as an attribute.






Hello Chulcher,


Thank very much for your fast reply.  Now, It works fine (I have modified a little bit your query, erasing "timestamp > now()-interval '12 minutes', because I want to apply this restriction always. But I don't undertand why my configuration doesn't work, in other posts (and in this one) people query InsightsDb and it works fine...

I have tried a lot of differents configuration, setting "sesiones-activas" as attribute or as rol or with nothing. But I always obtain the same error (ERROR ExtDB.DBQuery...).

On the other hand, I have tried to control simultaneus session for the same user from ClearPass Guest ("Session limit"), but it doesn't work either.

Cuentas Guest Manager.png



Regards and thanks in advanced.





I have detected my mystake, When I declared the name of the attribute in sources, it was not the same name which was in the query.


I have changed "sesiones_activas" by "sessions" and now the query to InsightDb works fine.


Then my only question is why "Sessions limit" doesn't work in "ClearPass Guest". Does Anyone has the same problem?




This was really useful for me thanks. I did have to tweak things slightly to get it to work properly with my eduroam service - instead of

Authentication:Username in the SQL query, I used Authentication:Full-Username.

This is because we take the username+realm as input, and strip everything after the @ to authenticate, so all our sessions were showing as 0 because the usernames were not correct.

Working perfectly now.

Search Airheads
Showing results for 
Search instead for 
Did you mean: