Occasional Contributor I
Posts: 6
Registered: ‎03-07-2016

CPPM 6.5 limiting sessions

Hi,

I want one username+password combination (account) to use any device they want. But as soon as they log in to another device the other session should be disconnected.

I followed the guide on http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-deny-access-for-authentication-request-based-on-session/ta-p/183304 about checking on sessions using Insight.

I'm having trouble getting this to work and I wonder if with 6.5 there is a better way?

I use captive portal with MAC caching (created via wizard), so two services are created. I assume CoA is working probably because I can manually disconnect active sessions via the Guest manager and see accounting etc.

I removed the unique-devices rule that was generated from the wizard, assuming this check is not what I need.

I added a first rule to the MAC Authentication Enforcement Policy to check for sessions.

Am I missing a step here? Do I need to send a RADIUS CoA disconnect for the old session?

CPPM 6.5.5.78974

IAP Version 6.4.3.4-4.2.1.2

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: CPPM 6.5 limiting sessions

The article you are referring to doesn't work in the way you require. The session limit functionality rejects authentication requests once the session limit has been reached. It doesn't kick out the originally authenticated session, it rejects new ones.

I am not aware of a way you can achieve what you want. I don't know of a way of disconnecting a different session to the one you are creating during authentication.

David
ACDX #98 | ACMP | ACCP
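
The distinction drawn in the reply above, as an added example that is not part of the thread and is not ClearPass code: a small Python model of a session table fed by RADIUS accounting records, comparing "reject the new login" with "accept and list the old session for disconnect". The class, method names, username and sample records are constructed for illustration; sending the actual disconnect is assumed to be done by a separate process.

```python
from dataclasses import dataclass, field

@dataclass
class SessionTable:
    """Active sessions per username, built from RADIUS accounting records."""
    limit: int = 1
    # username -> {Acct-Session-Id: Calling-Station-Id}, oldest session first
    active: dict = field(default_factory=dict)

    def accounting(self, status, user, session_id, mac):
        sessions = self.active.setdefault(user, {})
        if status in ("Start", "Interim-Update"):
            sessions[session_id] = mac          # interim updates keep the entry alive
        elif status == "Stop":
            sessions.pop(session_id, None)      # session ended, free the slot

    def _others(self, user, mac):
        # Sessions of this user on devices other than the one authenticating now.
        return [(sid, m) for sid, m in self.active.get(user, {}).items() if m != mac]

    def reject_new(self, user, mac):
        """Session-limit behaviour: refuse the new login, leave the old session alone."""
        if len(self._others(user, mac)) >= self.limit:
            return "REJECT", []
        return "ACCEPT", []

    def replace_old(self, user, mac):
        """Requested behaviour: accept the new login and name the sessions to disconnect."""
        others = self._others(user, mac)
        excess = len(others) - (self.limit - 1)  # how many old sessions must go
        return "ACCEPT", others[:excess] if excess > 0 else []

# Constructed sample accounting records (hypothetical user and MAC addresses).
RECORDS = [
    ("Start", "guest1", "S-001", "AA:BB:CC:00:00:01"),
    ("Interim-Update", "guest1", "S-001", "AA:BB:CC:00:00:01"),
]

def demo():
    table = SessionTable(limit=1)
    for rec in RECORDS:
        table.accounting(*rec)
    new_mac = "AA:BB:CC:00:00:02"               # second device, same account
    return table.reject_new("guest1", new_mac), table.replace_old("guest1", new_mac)

if __name__ == "__main__":
    print(demo())
```

Both policies depend on the accounting records being current: a missed Stop leaves a slot occupied, and a missed Start makes a live session invisible to the check.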
Occasional Contributor I
Posts: 6
Registered: ‎03-07-2016

Re: CPPM 6.5 limiting sessions

Thanks for the answer. I figured there are other ways to do it.

So just for testing I created a standard guest service and it generated a session limit enforcement policy. I put endpoint as authorization database. Session limit field is 1. However I can log in to multiple devices.

Accounting works, I can manually disconnect with a RADIUS CoA message. I have a feeling I'm missing something here.

Is the enforcement policy only being checked when the service is hit?

Guru Elite
Posts: 19,991
Registered: ‎03-29-2007

Re: CPPM 6.5 limiting sessions

eric1,

Do you have RADIUS interim accounting enabled on the controller? http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_profile.htm?Highlight=interim

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor I
Posts: 6
Registered: ‎03-07-2016

Re: CPPM 6.5 limiting sessions

Hi,

Yes:

radius-accounting
radius-accounting-mode user-association
radius-interim-accounting-interval 5

I find the RADIUS quite unstable. I mean sometimes a CoA disconnect works for days and then it doesn't work anymore. I know there is some time and delay element in this, but is this normal?

Guru Elite
Posts: 19,991
Registered: ‎03-29-2007

Re: CPPM 6.5 limiting sessions

eric1,

I suggest you open a TAC case in parallel, so that they can look at your configuration and make sure everything is configured correctly and as expected. We can continue to guess at what your issue is, but if you have something like a hardware or software issue, TAC can find it more quickly than we could.

Colin Joseph
Aruba Customer Engineering
