Controller Based WLANs

How to deny access for authentication request based on session limit.?

When we use post auth session limit enforcement profile to limit user authentications based on session limit, users will be allowed to authenticate. However post auth check executed periodically will perform the session limit checks and initiate disconnect (Radius CoA) for client devices which are more than the configured session limit.

 

In this case, the same disconnected client can connect back even after disconnect, which will be disconnected during next periodic post auth check.

By default post auth check performed every 5 minutes, this can be modified from Administration->Server Manager->Server Configuration->Service Parameters->Async Network Services->Polling Frequency (allowed values are 3-10 minutes).

 

rtaImage (8).png

 

However, if we want to reject user authentications based on session limit, we can use Insight DB as authorization source with custom SQL query to retrieve the active sessions count, then we can define enforcement policy rule to reject access if the user has already reached session limit.

 

For example:
We can use the below SQL query to check the session count and create a Insight DB as authorization source:

 

 

 

select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') AND now());

 

rtaImage (9).png

 

We can modify the Enforcement policy and add a first rule to check the session count and deny access based on session count.

 

rtaImage (10).png

 

 

 

Version History
Revision #:
1 of 1
Last update:
‎07-09-2014 09:14 AM
Updated by:
 
Contributors
Comments

 

Does somebody can explain why we need to add the following query: "AND (updated_at BETWEEN (now() - interval '1 hour') AND now());"

 

Why not just: select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null

 

chulcher

The extra bit in the WHERE statement is designed to ignore abandoned or "lost" sessions.

 

This portion of the query will pull information for any sessions that have not been updated in the Insight database as closed:

select count(*) as sessions 
from radius_acct
where (username = '%{Authentication:Username}') AND
end_time is null AND
termination_cause is null;

I believe the idea behind adding the check for "updated_at" is to allow the query to weed out any sessions that don't appear to have any activity because the record in Insight hasn't been updated or that the session stop didn't get received.

 

select count(*) as sessions 
from radius_acct
where (username = '%{Authentication:Username}') AND
end_time is null AND
termination_cause is null AND
(updated_at BETWEEN (now() - interval '1 hour') AND now()); 

 

anxo

Hello sirs,

I have a ClearPass 6.5 and I'm trying the limit session for the same username too, in the following screenshoot you can see check my configuration:

server1.png

 

roles.png

enforcemet.png

source_rule.png

I think all is correct, but when Clearpass proccess a request I got the following message:

2017-02-03 14:38:51,194[AuthReqThreadPool-13-0x7ff7c664e700 r=R00000033-01-589487eb h=74] ERROR ExtDB.DBQuery - Failed to get value for attributes=Sesiones-Activas]

or

alert.png

 

The query is correct and InsightsDB is working properly because I have checked them with PgAdmin:

pgadmin.png

 

Thank very much,

 

Regards,

chulcher

Don't use the InsightDB source, create a new authentication source of type "Generic SQL DB" and point it at the "tipsLogDb".

 

Use the query against that DB to create an attribute (and enable it as an attribute). I think your implementation is failing primarily because you haven't enabled the attribute as an attribute.

 

2017-02-03_085942.png

2017-02-03_090123.png

2017-02-03_090236.png

anxo

Hello Chulcher,

 

Thank very much for your fast reply.  Now, It works fine (I have modified a little bit your query, erasing "timestamp > now()-interval '12 minutes', because I want to apply this restriction always. But I don't undertand why my configuration doesn't work, in other posts (and in this one) people query InsightsDb and it works fine...

I have tried a lot of differents configuration, setting "sesiones-activas" as attribute or as rol or with nothing. But I always obtain the same error (ERROR ExtDB.DBQuery...).

On the other hand, I have tried to control simultaneus session for the same user from ClearPass Guest ("Session limit"), but it doesn't work either.

Cuentas Guest Manager.png

 

 

Regards and thanks in advanced.

 

anxo

Hello!

 

I have detected my mystake, When I declared the name of the attribute in sources, it was not the same name which was in the query.

source_rule.png

I have changed "sesiones_activas" by "sessions" and now the query to InsightDb works fine.

 

Then my only question is why "Sessions limit" doesn't work in "ClearPass Guest". Does Anyone has the same problem?

 

Regards,

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.