mke
Occasional Contributor II

CPPM: Service policy question about rule

Hi,

I use a non-Aruba NAS with ClearPass and need to limit user access as in the field "simultaneous_use" of my guest account.

 

My condition is trying to check %{GuestUser:session_limit} instead of a fixed number like 3, but it does not seem to work.

 

When I check INPUT data in the "access tracker" it correctly shows in authorization attributes
Authorization:[Endpoints Repository]:Unique-Device-Count    4, and in computed attributes GuestUser:simultaneous_use    2

That is my enforcement policy, which does not seem to properly validate rule #1. Why? It works fine when I enter a fixed number instead of %{GuestUser:session_limit}.

Screen Shot 2017-02-16 at 10.47.07 AM.png

 

MVP

Re: CPPM: Service policy question about rule

Hmm.. Unique device count is the number of devices registered in the endpoints database connected to that guest user. It is not the number of active sessions for that user.

 

Also - you are using session_limit instead of simultaneous_use.


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
mke
Occasional Contributor II

Re: CPPM: Service policy question about rule

That is what I want to achieve: compare the number of devices registered with active sessions for that user, so whatever is in simultaneous_use for the particular guest in the database is limiting that user.

 

I tried this and it also does not work:

 (Authorization:[Endpoints Repository]:Unique-Device-Count  GREATER_THAN  %{GuestUser:simultanous_use})

How do I write the proper rule?

mke
Occasional Contributor II

Re: CPPM: Service policy question about rule

Let me ask it like this. Can I use %{GuestUser:simultaneous_use} as a value while making a condition in a policy enforcement?
