Controllerless Networks

Reply
Occasional Contributor II
Posts: 19
Registered: ‎08-01-2013

Aruba Instant + RADIUS: Set maximum devices per username

 

I have an Instant AP 135 running 3.3, and I would like to limit the number of devices per username that can authenticate to the network.

 

The SSID I have created uses WPA2 Enterprise authentication and the user database is located on an external Radius Server (Radiator).

 

Is it possible to limit the number of devices per user that can be connected to the network? Is that a configured from the Aruba Instant or from the RADIUS server?

 

Occasional Contributor II
Posts: 12
Registered: ‎03-17-2013

Re: Aruba Instant + RADIUS: Set maximum devices per username

Hello. This functionality supports clearpass.

You can try to find how to do it on your external Radius Server .

 

Spoiler
6.16.3 MaxSessions

This parameter allows you to apply a simple limit to the number of simultaneous sessions a user in this Realm is permitted to have. It is most common to limit users to either one session at a time or unlimited, but Radiator also supports other numbers.

MaxSessions works by looking at each accounting request for a realm when it arrives. whenever a Start is seen for a user, the count of their number if current sessions is incremented, and whenever a Stop is seen, it is decremented. When an access request is received, the number of sessions current for that user is compared to MaxSessions. If the user already has MaxSessions sessions or more, Radiator replies with an access denial. By setting MaxSessions to 0, you can temporarily deny access to all users in the realm.

MaxSessions applies a hard limit that can't be overridden by DefaultSimultaneousUse parameter (see Section 6.17.15 ), or by per-user Simultaneous-Use check items. For many applications, you may wish to consider using DefaultSimultaneousUse instead of MaxSessions. You can control the maximum number of sessions on a per-user basis with the Simultaneous-Use check item (see Section 13.1.14 ).

The session count for each user is stored entirely within Radiator (unless you specify a SessionDatabase clause). This means that if you restart or reinitialise Radiator, it will lose count of the number of current sessions for each user. Radiator can use SNMP to confirm whether a user is already logged in or not (see Section 6.5.5 ).

You should note that if Radiator fails to receive an accounting Stop request, it might result in incorrectly thinking the user is not permitted to log in when in fact they are. You can correct this by restarting Radiator, or by sending an artificial accounting stop for the user using the radpwtst utility (see Section 8.0 ) or by configuring Radiator to query the NAS directly (see Section 6.5.5 ).

 
# Limit all users in this realm to max of 1 session
MaxSessions 1

 

 

Occasional Contributor II
Posts: 19
Registered: ‎08-01-2013

Re: Aruba Instant + RADIUS: Set maximum devices per username

Is ClearPass a requirement for this feature? Is this posible using a generic RADIUS server?

Occasional Contributor II
Posts: 12
Registered: ‎03-17-2013

Re: Aruba Instant + RADIUS: Set maximum devices per username

Use your radius server

 

6.16.3 MaxSessions
This parameter allows you to apply a simple limit to the number of simultaneous sessions a user in this Realm is permitted to have. It is most common to limit users to either one session at a time or unlimited, but Radiator also supports other numbers.
MaxSessions works by looking at each accounting request for a realm when it arrives. whenever a Start is seen for a user, the count of their number if current sessions is incremented, and whenever a Stop is seen, it is decremented. When an access request is received, the number of sessions current for that user is compared to MaxSessions. If the user already has MaxSessions sessions or more, Radiator replies with an access denial. By setting MaxSessions to 0, you can temporarily deny access to all users in the realm.
MaxSessions applies a hard limit that can't be overridden by DefaultSimultaneousUse parameter (see Section 6.17.15 ), or by per-user Simultaneous-Use check items. For many applications, you may wish to consider using DefaultSimultaneousUse instead of MaxSessions. You can control the maximum number of sessions on a per-user basis with the Simultaneous-Use check item (see Section 13.1.14 ).
The session count for each user is stored entirely within Radiator (unless you specify a SessionDatabase clause). This means that if you restart or reinitialise Radiator, it will lose count of the number of current sessions for each user. Radiator can use SNMP to confirm whether a user is already logged in or not (see Section 6.5.5 ).
You should note that if Radiator fails to receive an accounting Stop request, it might result in incorrectly thinking the user is not permitted to log in when in fact they are. You can correct this by restarting Radiator, or by sending an artificial accounting stop for the user using the radpwtst utility (see Section 8.0 ) or by configuring Radiator to query the NAS directly (see Section 6.5.5 ).
 
# Limit all users in this realm to max of 1 session
MaxSessions 1
 

 

Occasional Contributor II
Posts: 19
Registered: ‎08-01-2013

Re: Aruba Instant + RADIUS: Set maximum devices per username

Can you recommend me one Radius Server? I've tried with Radiator so far.

MVP
Posts: 1,435
Registered: ‎10-25-2011

Re: Aruba Instant + RADIUS: Set maximum devices per username

freeradius is one you can use
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Search Airheads
Showing results for 
Search instead for 
Did you mean: