Contributor II
Posts: 44
Registered: ‎04-06-2011

CPPM Concurrent Session Limits

In ClearPass 6.x, is there a way to enforce concurrent session limits using MAC Caching with an AccessCode type ID? We don't want to limit the number of MAC Accounts (devices) that can be created for a particular AccessCode -- we want to limit how many devices can be connected at any one time. The session limit would include people connected with the AccessCode as well as people who are connected via MAC Caching. Lastly, the session limit isn't a fixed number -- each AccessCode could have any number of "max associations" assigned to it, and it is defined when our operators generate the AccessCode via the Guest module.

For example:

AccessCode10 created with session limit of 85
users logged in via accesscode10 + users logged in via MAC caching from accesscode10 <= 85.
Number of actual MAC Caching accounts could be > 85.

AccessCode15 created with session limit of 239
users logged in via accesscode15 + users logged in via MAC caching from accesscode15 <= 239.
Number of actual MAC Caching accounts could be > 239.


Thanks,
Bryan
 

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: CPPM Concurrent Session Limits

In the guest manager they do give you the option to select max concurrent sessions but that is a universal number. 

 

I'm sure there are multiple ways of setting this up, but one that I can think of off the top of my head is creating a service for just token users. If you use the service template (Guest MAC Authentication), it should create most of the settings you will need; then add a max session based on a specific username or role.

 

[Screenshots: guestmaxsession1.png, guestmaxsession2.png, guestmaxsession3.png]

 

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II
Posts: 44
Registered: ‎04-06-2011

Re: CPPM Concurrent Session Limits

Hello,

 

In the example, it looks like the Enforcement Policy Rule has the session limit hardcoded.  The session limit needs to be variable and is different for each AccessCode created by the operators.  When they create AccessCodes, they set the session_limit in the create_account form.

 

Often clients request that we increase or decrease the session limit of their AccessCode and the operator would edit the guest account ( accesscode ) session_limit accordingly via the guest interface. 

 

Thanks,

Bryan

 

Guru Elite
Posts: 7,854
Registered: ‎09-08-2010

Re: CPPM Concurrent Session Limits

Try this:

 

[Screenshot: guest-unqiue-session.PNG]


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor II
Posts: 44
Registered: ‎04-06-2011

Re: CPPM Concurrent Session Limits

Thanks for the information.  One question -- what does the "Endpoints Repository - Unique-Device-Count" reference?

Is it the total number of client MAC addresses (devices) that have ever signed in with a specific guest account? Or is it the number of clients currently signed in (concurrent connections) with a specific guest account?

 

For a given guest account (accesscode), we're looking to limit the number of concurrent connections, preferably not the number of total devices.


Thanks,
Bryan


Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: CPPM Concurrent Session Limits

Unique device count = username to MAC
Session count = MAC to Username

So if I want to limit the number of devices an employee can have active with the username tarnold I would use session count.

Thank You,
Troy

Contributor II
Posts: 44
Registered: ‎04-06-2011

Re: CPPM Concurrent Session Limits

Thanks for the clarification. Would the session count include the employee's combined active sessions using "tarnold" as well as any active sessions using cached MAC accounts for the username "tarnold"?


Some background as to my lack of understanding of this.  Right now we are an Amigopod 3.9 shop and because we can't fully enforce this type of session limit ( combined username & cached MAC account ), we lose significant revenue as more MAC accounts are created for a username -- and go unenforced.


For more than a year we have been holding off upgrading to CPPM 5.x/6.x, per our SE, until CPPM would support a solution for our setup. We're trying to see if there's a workaround or something else we can do to get this to work. I have two CPPM 6.2 VMs set up in a cluster that I have been doing some testing with, but the differences between Amigopod 3.9 and CPPM make it somewhat challenging.

Thanks,

Bryan

 

Aruba
Posts: 1,526
Registered: ‎06-12-2012

Re: CPPM Concurrent Session Limits

The way CPPM determines the session count is by utilizing the Insight database. Information for both guests and standard users is listed in Insight.

 

You can create a rule to look at both; that is where the flexibility of ClearPass comes in. :) Depending on what you want to look at and put restrictions on, you might have to create a custom SQL query, but I believe everything you need will be set up in the defaults.

Thank You,
Troy
