Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM: Service policy question about rule

  • 1.  CPPM: Service policy question about rule

    Posted Feb 16, 2017 11:12 AM

    Hi,

    I use a non-Aruba NAS with ClearPass and need to limit user access as in the field "simultaneous_use" of my guest account.

     

    My condition is trying to check %{GuestUser:session_limit} instead of a fixed number like 3, but it does not seem to work.

     

    When I check the INPUT data in the "access tracker", it correctly shows in authorization attributes
    Authorization:[Endpoints Repository]:Unique-Device-Count    4, and in computed attributes GuestUser:simultaneous_use    2

    That is my enforcement policy, which does not seem to properly validate rule #1. Why? It works fine when I enter a fixed number instead of %{GuestUser:session_limit}.

    Screen Shot 2017-02-16 at 10.47.07 AM.png

     



  • 2.  RE: CPPM: Service policy question about rule

    Posted Feb 17, 2017 08:14 AM

    Hmm.. Unique device count is the number of devices registered in the endpoints database connected to that guest user. It is not the number of active sessions for that user.

     

    Also - you are using session_limit instead of simultanous_use.



  • 3.  RE: CPPM: Service policy question about rule

    Posted Feb 17, 2017 09:12 AM

    That is what I want to achieve: compare the number of devices registered with active sessions for that user, so whatever is in simultanous_use for the particular guest in the database is limiting that user.

     

    I tried this and it also does not work:

     (Authorization:[Endpoints Repository]:Unique-Device-Count  GREATER_THAN  %{GuestUser:simultanous_use})

    How do I write the proper rule?



  • 4.  RE: CPPM: Service policy question about rule

    Posted Feb 20, 2017 10:04 AM

    Let me ask it like this: can I use %{GuestUser:simultaneous_use} as a value when making a condition in an enforcement policy?