Frequent Contributor I

CPPM: The value of simultaneous_use is ignored

Hi

 

I noticed a strange behaviour of my guest manager within ClearPass (6.2.5.29630 CP-VA-5K).

By default, all guest accounts have a session limit of one session per user.

 

Now I have to create a guest account for our training department which can be used by 10 or more devices.

So I created an account and set the simultaneous_use value to 25.

 

I log in my first device....everything is ok.

I want to log in a second device and get the message "Only one user login session is allowed".

I checked value in simultaneous_use and it is still set to 25.

 

So I checked the CPPM Access Tracker.

I don't know why but the log tells me that access is granted.

So I checked the Radius Input of computed attributes.

GuestUser:simultaneous_use 25.

 

For me the guest manager has got the right value but I still get "Only one user...."

 

Can anybody help? Is it a known bug?

 

Thanks in advance

MVP

Re: CPPM: The value of simultaneous_use is ignored

I have had this exact issue and worked out a resolution.

The following filters have been added to the Insight Repository:

 

select CASE WHEN count(distinct calling_station_id) >= '%{GuestUser:simultaneous_use}' THEN 'True' ELSE 'False' END from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') and now());

The above was given an alias name of above_allowed_sessions and data type String.

 

select count(*) as active_session from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}');

The above was given an alias name of active_session and data type Integer.

 

The top filter checks for the amount of authenticated sessions against a username and compares this to the simultaneous_use field. You get True if it is greater and False if not.

The second filter checks for an active session. This is to stop 802.1x re-authentication being classed as a new session. If 1 is returned the session exists.

 

I then wrote an enforcement policy that said if above_allowed_session equals true AND active_session equals 0 then apply the Deny Access profile.

This seemed to fix the issue for me.

 

David
ACDX #98 | ACMP | ACCP
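
The two filters and the enforcement rule from the reply above, reproduced as an added example that is not part of the original post and is not ClearPass code. Assumptions: SQLite stands in for the Insight database, the table holds only the columns the filters reference, bound parameters replace the `%{...}` substitutions, and the rows, the fixed `NOW` and the `decide` helper are constructed for illustration.

```python
import sqlite3

NOW = "2024-01-01 12:00:00"  # fixed clock so the one-hour window is reproducible
ROWS = [  # constructed rows: username, calling_station_id, end_time, termination_cause, updated_at
    ("training", "aabbcc000001", None, None, "2024-01-01 11:50:00"),
    ("training", "aabbcc000002", None, None, "2024-01-01 11:55:00"),
    ("training", "aabbcc000003", "2024-01-01 11:30:00", "User-Request", "2024-01-01 11:30:00"),
    ("training", "aabbcc000004", None, None, "2024-01-01 09:00:00"),  # open but stale
]

def make_db(rows=ROWS):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radius_acct (username TEXT, calling_station_id TEXT,"
               " end_time TEXT, termination_cause TEXT, updated_at TEXT)")
    db.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?, ?)", rows)
    return db

def above_allowed_sessions(db, username, limit, now=NOW):
    """First filter: distinct devices with an open session updated in the last hour."""
    (devices,) = db.execute(
        "SELECT count(DISTINCT calling_station_id) FROM radius_acct"
        " WHERE username = ? AND end_time IS NULL AND termination_cause IS NULL"
        " AND updated_at BETWEEN datetime(?, '-1 hour') AND ?",
        (username, now, now)).fetchone()
    return devices >= int(limit)  # same >= comparison as the posted query

def active_session(db, username, mac):
    """Second filter: open sessions for this exact device (no time window)."""
    (count,) = db.execute(
        "SELECT count(*) FROM radius_acct"
        " WHERE username = ? AND end_time IS NULL AND termination_cause IS NULL"
        " AND calling_station_id = ?", (username, mac)).fetchone()
    return count

def decide(db, username, mac, limit, now=NOW):
    """Enforcement rule: deny only a new device on an account already at its limit."""
    if above_allowed_sessions(db, username, limit, now) and active_session(db, username, mac) == 0:
        return "Deny Access"
    return "Allow"

if __name__ == "__main__":
    db = make_db()
    for mac, limit in [("aabbcc000005", 2), ("aabbcc000001", 2),
                       ("aabbcc000004", 2), ("aabbcc000005", 25)]:
        print(mac, limit, decide(db, "training", mac, limit))
```

The stale row shows a side effect of the second filter having no time window: a device whose accounting record was never closed is still treated as a re-authentication and allowed.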
Frequent Contributor I

Re: CPPM: The value of simultaneous_use is ignored

Thanks for the support. I'll try to solve it like this. But this might be a complex way. Is that the general idea of the simultaneous use field?

Does anybody have another idea or solution?

 

MVP

Re: CPPM: The value of simultaneous_use is ignored

Hello!

Do you get this at a weblogin page or at a self-registration login page on Guest?

 

Which value have you set in Session Limit on Guest Manager?

 

Can you verify that the Enforcement profile named something like "... session limit" used in the login service has the value %{GuestUser:simultaneous_use}, and not hardcoded to 1?

 


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Frequent Contributor I

Re: CPPM: The value of simultaneous_use is ignored


jsolb wrote:

Hello!

Do you get this at a weblogin page or at a self-registration login page on Guest?

On self Reg login Page

 

Which value have you set in Session Limit on Guest Manager?

By default it is set to 1. For a special guest account I've changed it to 25 (I tested it with 2,3,4...)

 

Can you verify that the Enforcement profile named something like "... session limit" used in the login service has the value %{GuestUser:simultaneous_use}, and not hardcoded to 1?

I checked that already. In Access Tracker I can find the correct value as I set it in Guest Manager.

 


 

MVP

Re: CPPM: The value of simultaneous_use is ignored

The computed attributes you find under Input in Access Tracker just inform you of the values, not what kind of enforcement handling you do with those values.

 

Do you have MAC caching? There is often a check there that is hardcoded for the number of devices registered to a given account. See screenshot.

 

14.03-4.png

 

Try to log in through a web-login page, and see if there is a difference to how the logic is there.

 

Perhaps if you could post some error screen, service summary and Access tracker screenshots that could help us out.

 

Oh - and try to change the value in the Guest Manager - and see if that changes anything.. If so it might just be a local javascript check that checks towards that instead of the value connected to the user itself.


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
Frequent Contributor I

Re: CPPM: The value of simultaneous_use is ignored

Of course MAC caching is active. That was my first idea. So I deactivated the rule. But no change.

It looks like the deny is caused by guest manager itself.
