Frequent Contributor I

CPPM : check simultaneous the number of device for a access account

Hi,

There are different small companies in the same place. I have one CPPM, one Aruba Wi-Fi controller and one AD for all.

Actually, PEAP-MSCHAP is used to authenticate each company (group of persons) (same account for several persons; I know it's not secure, but it's a special request from my customer).

My customer asks me whether, with CPPM, it is possible to check the number of devices for one access account.

Example:

person1, person2, person3, etc. use the same credential, company1/pwd, to access the Wi-Fi network with each of their devices.

He wants to limit the number of devices, for example 5 devices/day for company1; this maximum will be in a field of AD (for example: description).

I think we must use the endpoint base and a condition for the enforcement mapping policy, but I'm not sure. Do you have any ideas to help me?

Regards

Yann

Guru Elite

Re: CPPM : check simultaneous the number of device for a access account

You'll need to enable RADIUS accounting on your controller and also be sure that Insight is running.

Make sure the endpoints repository and Insight are listed as an authorization source.

You can then use the following in your enforcement to check:

Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN X


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: CPPM : check simultaneous the number of device for a access account

Hi Cappalli,

I tried to do this but it doesn't work; in the "Access Tracker" the value "Unique-Device-Count" never increments. What is the definition of "Unique-Device-Count"?

I found this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Concurrent-connections-limit/td-p/72154
I will try this; I think it better meets my need.

Regards

Yann

New Contributor

Re: CPPM : check simultaneous the number of device for a access account

Me too, now I have no solution for this case :(

Aruba Employee

Re: CPPM : check simultaneous the number of device for a access account

You need to update the authentication username to the endpoint/MAC-address after the successful authentication for the "Unique-Device-Count" to work/increment.

The below sample enforcement will help you with the endpoint username update.

username_update.jpg

If your requirement is to restrict concurrent sessions, then I would recommend you to follow the below article.

http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-deny-access-for-authentication-request-based-on-session/ta-p/183304

Use the below query, instead of the one in the article. You can also change the interval in the query as required.

select count(distinct calling_station_id) as active_sessions from radius_acct where end_time is null and username = '%{Authentication:Username}' and calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}' and updated_at > now() - interval '1 hour';

Notes:

  • RADIUS accounting should be enabled on Controller >> ClearPass.
  • Insight should be enabled on ClearPass and mapped as authorization source in the service.

Thank you,
Saravanan Rajagopal
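
As an added example (not part of the thread and not ClearPass code), here is a Python model of what the query above counts, run over constructed accounting rows, so the edge cases can be checked before the filter is relied on in enforcement. The row keys mirror the `radius_acct` columns named in the query; the helper names, the `limit` parameter, the "fewer than limit" rule and the MAC normalisation are assumptions of this sketch (the query itself compares the strings as stored).

```python
from datetime import datetime, timedelta

def nodelim(mac):
    """Lowercase hex without delimiters, in the style of Client-Mac-Address-NoDelim."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def other_active_devices(rows, username, client_mac, now, window=timedelta(hours=1)):
    """Distinct MACs, other than the requesting one, with an open and recent session."""
    me = nodelim(client_mac)
    macs = {
        nodelim(r["calling_station_id"])
        for r in rows
        if r["end_time"] is None                      # no Accounting-Stop received
        and r["username"] == username                 # same shared account
        and nodelim(r["calling_station_id"]) != me    # a re-auth must not count against itself
        and r["updated_at"] > now - window            # stale rows (lost Stop) age out
    }
    return len(macs)

def allow(rows, username, client_mac, now, limit):
    """Assumed policy: admit the device if fewer than `limit` other devices are active."""
    return other_active_devices(rows, username, client_mac, now) < limit

# Constructed sample data, not taken from a real ClearPass database.
NOW = datetime(2024, 1, 1, 12, 0, 0)

def row(user, mac, minutes_ago, ended=False):
    t = NOW - timedelta(minutes=minutes_ago)
    return {"username": user, "calling_station_id": mac,
            "end_time": t if ended else None, "updated_at": t}

ROWS = [
    row("company1", "aabbcc000001", 10),              # active
    row("company1", "aabbcc000002", 30),              # active
    row("company1", "aabbcc000002", 5),               # same device, second session row
    row("company1", "aabbcc000003", 20, ended=True),  # session closed
    row("company1", "aabbcc000004", 180),             # open but stale (no update for 3 h)
    row("company2", "aabbcc000005", 1),               # different account
]

if __name__ == "__main__":
    for mac in ("AA:BB:CC:00:00:09", "aa-bb-cc-00-00-01"):
        n = other_active_devices(ROWS, "company1", mac, NOW)
        print(mac, "other active devices:", n, "allowed (limit 2):",
              allow(ROWS, "company1", mac, NOW, limit=2))
```

The stale row shows why the `updated_at` condition matters: without interim accounting updates from the controller, a device whose Stop record was lost would either count forever or drop out of the window while still connected.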
