Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM 6.5 limiting sessions

  • 1.  CPPM 6.5 limiting sessions

    Posted Mar 07, 2016 08:53 AM

    Hi,

     

    I want one username+password combination (account) to use any device they want. But as soon as they log in to another device, the other session should be disconnected.

     

    I followed the guide on http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-deny-access-for-authentication-request-based-on-session/ta-p/183304 about checking on sessions using Insight.

     

    I'm having trouble getting this to work and I wonder if with 6.5 there is a better way?

     

    I use captive portal with MAC caching (created via wizard), so two services are created. I assume CoA is working probably because I can manually disconnect active sessions via the Guest manager and see accounting etc.

     

    I removed the unique-devices rule that was generated from the wizard, assuming this check is not what I need.

     

    I added a first rule to the MAC Authentication Enforcement Policy to check for sessions.

     

    Am I missing a step here? Do I need to send a RADIUS CoA disconnect for the old session?

     

    CPPM 6.5.5.78974

    IAP Version 6.4.3.4-4.2.1.2

     

     

     



  • 2.  RE: CPPM 6.5 limiting sessions

    Posted Mar 15, 2016 10:25 AM

    The article you are referring to doesn't work in the way you require. The session limit functionality rejects authentication requests once the session limit has been reached. It doesn't kick out the originally authenticated session, it rejects new ones.

     

    I am not aware of a way you can achieve what you want. I don't know of a way of disconnecting a different session to the one you are creating during authentication.



  • 3.  RE: CPPM 6.5 limiting sessions

    Posted Mar 16, 2016 08:32 AM

    Thanks for the answer. I figured there are other ways to do it.

     

    So just for testing I created a standard guest service and it generated a session limit enforcement policy. I put endpoint as authorization database. Session limit field is 1. However, I can log in to multiple devices.

     

    Accounting works, I can manually disconnect with a RADIUS CoA message. I have a feeling I'm missing something here.

     

    Is the enforcement policy being checked only when the service is hit?



  • 4.  RE: CPPM 6.5 limiting sessions

    EMPLOYEE
    Posted Mar 16, 2016 09:24 AM


  • 5.  RE: CPPM 6.5 limiting sessions

    Posted Mar 16, 2016 11:03 AM

    Hi,

     

    Yes:

    radius-accounting
    radius-accounting-mode user-association
    radius-interim-accounting-interval 5

     

    I find the radius quite unstable. I mean sometimes a CoA disconnect works for days and then it doesn't work anymore. I know there is some time and delay element in this but is this normal?



  • 6.  RE: CPPM 6.5 limiting sessions

    EMPLOYEE
    Posted Mar 16, 2016 11:10 AM

    eric1,

     

    I suggest you open a TAC case in parallel, so that they can look at your configuration and make sure everything is configured correctly and as expected. We can continue to guess at what your issue is, but if you have something like a hardware or software issue, TAC can find it more quickly than we could.