Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM: The value of simultaneous_use is ignored

  • 1.  CPPM: The value of simultaneous_use is ignored

    Posted Mar 12, 2014 09:15 AM

    Hi


    I noticed a strange behaviour of my Guest Manager within ClearPass (6.2.5.29630 CP-VA-5K).

    By default all guest accounts have a session limit of one session per user.


    Now I have to create a guest account for our training department that can be used by 10 or more devices.

    So I created an account and set the simultaneous_use value to 25.


    I log in my first device... everything is OK.

    I want to log in a second device and get the message "Only one user login session is allowed".

    I checked the value in simultaneous_use and it is still set to 25.


    So I checked the CPPM Access Tracker.

    I don't know why, but the log tells me that access is granted.

    So I checked the RADIUS Input of computed attributes:

    GuestUser:simultaneous_use 25.


    For me the Guest Manager has the right value, but I still get "Only one user...".


    Can anybody help? Is it a known bug?


    Thanks in advance



  • 2.  RE: CPPM: The value of simultaneous_use is ignored

    Posted Mar 12, 2014 10:45 AM

    I have had this exact issue and worked out a resolution.

    The following filters have been added to the Insight Repository:


    select CASE WHEN count(distinct calling_station_id) >= '%{GuestUser:simultaneous_use}' THEN 'True' ELSE 'False' END from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') and now());

    The above was given an alias name of above_allowed_sessions and data type String.


    select count(*) as active_session from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}');

    The above was given an alias name of active_session and data type Integer.


    The top filter checks the number of authenticated sessions against a username and compares this to the simultaneous_use field. You get True if it is greater and False if not.

    The second filter checks for an active session. This is to stop 802.1X re-authentication from being classed as a new session. If 1 is returned the session exists.


    I then wrote an enforcement policy that said if above_allowed_sessions equals True AND active_session equals 0 then apply the Deny Access profile.

    This seemed to fix the issue for me.
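    To show how the two Insight filters and the enforcement rule above fit together, here is an added example (not the poster's code and not part of ClearPass): the radius_acct table is a constructed SQLite stand-in with only the columns the filters use, and the %{...} macros become bound parameters.

```python
import sqlite3
from datetime import datetime, timedelta

NOW = datetime(2014, 3, 12, 10, 0, 0)  # fixed "now" so the 1-hour window is reproducible
# Constructed accounting rows: username, calling_station_id (no delimiters, as the
# Client-Mac-Address-NoDelim macro supplies it), end_time, termination_cause, updated_at.
ROWS = [
    ("training", "001122aaaaaa", None, None, (NOW - timedelta(minutes=5)).isoformat()),
    ("training", "001122bbbbbb", None, None, (NOW - timedelta(minutes=20)).isoformat()),
    ("training", "001122dddddd", (NOW - timedelta(minutes=30)).isoformat(), "User-Request",
     (NOW - timedelta(minutes=30)).isoformat()),                                        # closed session
    ("training", "001122eeeeee", None, None, (NOW - timedelta(hours=3)).isoformat()),  # stale, outside 1 h
    ("other", "001122ffffff", None, None, (NOW - timedelta(minutes=1)).isoformat()),   # different user
]

def open_db(rows=ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radius_acct (username TEXT, calling_station_id TEXT, "
                 "end_time TEXT, termination_cause TEXT, updated_at TEXT)")
    conn.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def above_allowed_sessions(conn, username, simultaneous_use, now=NOW):
    """First filter: 'True' once the distinct active MACs in the last hour reach the limit."""
    row = conn.execute(
        "SELECT CASE WHEN count(DISTINCT calling_station_id) >= ? THEN 'True' ELSE 'False' END "
        "FROM radius_acct WHERE username = ? AND end_time IS NULL AND termination_cause IS NULL "
        "AND updated_at BETWEEN ? AND ?",
        (simultaneous_use, username, (now - timedelta(hours=1)).isoformat(), now.isoformat()),
    ).fetchone()
    return row[0]

def active_session(conn, username, mac):
    """Second filter: number of open sessions for this username from this MAC (no time window)."""
    row = conn.execute(
        "SELECT count(*) FROM radius_acct WHERE username = ? AND end_time IS NULL "
        "AND termination_cause IS NULL AND calling_station_id = ?",
        (username, mac),
    ).fetchone()
    return row[0]

def deny_access(conn, username, mac, simultaneous_use, now=NOW):
    """Enforcement rule from the post: deny only when over the limit AND this MAC is a new session."""
    return (above_allowed_sessions(conn, username, simultaneous_use, now) == "True"
            and active_session(conn, username, mac) == 0)
```

    Note that the second filter has no time window, so a stale accounting record (session never closed) for a returning MAC still reports 1 and lets that device back in even when the account is at its limit.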




  • 3.  RE: CPPM: The value of simultaneous_use is ignored

    Posted Mar 13, 2014 01:42 AM

    Thanks for the support. I'll try to solve it like this. But this might be a complex way. Is that the general idea of the simultaneous_use field?

    Does anybody have another idea or solution?




  • 4.  RE: CPPM: The value of simultaneous_use is ignored

    Posted Mar 13, 2014 05:10 AM

    Hello!

    Do you get this at a weblogin page or at a self-registration login page on Guest?


    Which value have you set in Session Limit on Guest Manager?


    Can you verify that the Enforcement profile named something like "... session limit" used in the login service has the value %{GuestUser:simultaneous_use}, and not hardcoded to 1?




  • 5.  RE: CPPM: The value of simultaneous_use is ignored

    Posted Mar 14, 2014 06:59 AM

    @jsolb wrote:

    Hello!

    Do you get this at a weblogin page or at a self-registration login page on Guest?

    On the self-registration login page.


    Which value have you set in Session Limit on Guest Manager?

    By default it is set to 1. For a special guest account I've changed it to 25 (I tested it with 2, 3, 4...).


    Can you verify that the Enforcement profile named something like "... session limit" used in the login service has the value %{GuestUser:simultaneous_use}, and not hardcoded to 1?

    I checked that already. In Access Tracker I can find the correct value as I set it in Guest Manager.




  • 6.  RE: CPPM: The value of simultaneous_use is ignored

    Posted Mar 14, 2014 07:37 AM

    The computed attributes you find under Input in Access Tracker just inform you of the values, not what kind of enforcement handling you do with those values.


    Do you have MAC caching? There is often a check there that is hardcoded for the number of devices registered to a given account. See screenshot.

    (screenshot: 14.03-4.png)

    Try to log in through a web-login page, and see if there is a difference to how the logic is there.


    Perhaps if you could post some error screens, the service summary and Access Tracker screenshots, that could help us out.


    Oh, and try to change the value in the Guest Manager and see if that changes anything. If so, it might just be a local JavaScript check that checks against that instead of the value connected to the user itself.



  • 7.  RE: CPPM: The value of simultaneous_use is ignored

    Posted Mar 14, 2014 08:56 AM

    Of course MAC caching is active. That was my first idea. So I deactivated the rule. But no change.

    It looks like the deny is caused by guest manager itself.