MVP
Posts: 727
Registered: ‎03-25-2009

ClearPass - managing bandwidth quotas

I'm struggling a bit with enabling quotas for my guest users.

I need to enable a daily limit of let's say 100MB for accounts that need to remain valid for a month. So basically a user that has used up 100MB should ideally be presented with a captive portal explaining he has used up his quota.

 

For this I've configured a service with a Bandwidth Limit enforcement profile.

This disconnects the user and changes him back to the logon role but nothing is stopping the user from just logging back on again and continuing the downloads. After some time (related to the User Interim stats frequency on the controller?) he will get kicked off again but he can just repeat this indefinitely.

 

Ideally I would also be able to configure MAC authentication in there but that seems to mess up the disconnect completely. Using MAC auth, even with the same bandwidth limit enforcement profile, when authenticated using MAC-auth users do not get disconnected at all. Even after downloading over 5 times the allowed quota over twice the 5 mins I set as User Interim stats frequency.

If I then manually disconnect the user I do see a reauthentication using MAC-auth so it does appear my RFC 3576 is configured correctly. Of course using the disconnect the user is reconnecting immediately.

 

So, can anybody explain to me...

1) how to actually disable a user account / device until the daily limit resets

2) why using MAC-auth this seems to fail completely?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba Employee
Posts: 6
Registered: ‎12-13-2013

Re: ClearPass - managing bandwidth quotas

There is no quick answer to this.

 

Without seeing your Services, both Guest Authentication and the MAC Cache, it is rather hard to give any advice.

 

Needless to say this can get rather complicated as it is not natively built into the system.

 

For example

1) To control subsequent connections from a device that has exceeded its limits it is likely best to set a new Endpoint:<attribute> which can be tested at each connection - use the "ClearPass Entity Update Enforcement" within Profiles

 

2) We need to understand how this account will be handled once it has exceeded - blocked, if so how long

 

3) On subsequent connections the #1 attribute should come into play

 

4) Following on from 2) how do you want to expire the account to allow subsequent connections?

 

5) Using CoA Disconnect with an AOS Open SSID causes a Disassociate - this can be very detrimental to user experience if they have another "available" SSID

Better to look at using CoA with FilterID (where this matches the AOS's User-Role) as this seamlessly changes the role. However, I believe this uses the "Lazy Poller" and could by default take up to 5 mins to kick in...

 

Regards Derin
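
An added example, not part of the original post and not ClearPass configuration: a small Python model of the approach in points 1 and 3 above, where a per-device attribute is set when the quota is exceeded and tested at every connection, so a re-login or a MAC-auth reconnect cannot restart the count. The class, the role names and the sample MAC address are hypothetical; storing the date in the attribute (so it lapses by itself the next day) is an assumption of this sketch.

```python
from datetime import datetime, timedelta

MB = 1024 * 1024
QUOTA_BYTES = 100 * MB  # daily limit discussed in the thread


class DailyQuota:
    """Model only: per-device usage that survives disconnects and re-logins."""

    def __init__(self, quota=QUOTA_BYTES):
        self.quota = quota
        self.used = {}     # (mac, date) -> bytes counted on that day
        self.last = {}     # (mac, session_id) -> last cumulative octets seen
        self.blocked = {}  # mac -> date the quota was exceeded (the "attribute")

    def accounting(self, mac, session_id, when, in_octets, out_octets):
        """Handle an Interim-Update or Stop; octet counters are per session."""
        total = in_octets + out_octets
        delta = max(total - self.last.get((mac, session_id), 0), 0)
        self.last[(mac, session_id)] = total
        key = (mac, when.date())
        self.used[key] = self.used.get(key, 0) + delta
        if self.used[key] >= self.quota:
            self.blocked[mac] = when.date()  # set once, tested at every auth
            return "disconnect"
        return "ok"

    def authorize(self, mac, when):
        """Same test for web login and MAC auth; role names are hypothetical."""
        if self.blocked.get(mac) == when.date():
            return "quota-exceeded-role"  # e.g. a captive-portal-only role
        return "guest-role"


def demo():
    """Constructed sample: one device, two sessions, two days."""
    q, mac = DailyQuota(), "aa:bb:cc:00:11:22"
    t = datetime(2014, 1, 10, 9, 0)
    return [
        q.authorize(mac, t),
        q.accounting(mac, "s1", t, 40 * MB, 20 * MB),
        q.accounting(mac, "s1", t + timedelta(minutes=5), 70 * MB, 40 * MB),
        q.authorize(mac, t + timedelta(minutes=6)),   # re-login, same day
        q.accounting(mac, "s2", t + timedelta(minutes=11), 1 * MB, 0),
        q.authorize(mac, t + timedelta(days=1)),      # next day
    ]
```

Because usage is keyed by MAC and day rather than by session, the second session ("s2") starts with fresh session counters but is still over the limit.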

 

 

MVP
Posts: 727
Registered: ‎03-25-2009

Re: ClearPass - managing bandwidth quotas

Well, there's nothing special in either service.

I just need to allow daily access for up to 100MB. After that, the user should be blocked until a new day starts.

All I have now is a bog default service where I push the bandwidth enforcement profile for guest users, cache the mac and then push the bandwidth profile again when that mac-auth.

2) Ideally the account should remain "active" (not deleted) for a month but when they exceed the daily bandwidth limit, it should be disabled until the next day.

 

How do you see the attribute then? How can I reset it each and every day?

 

From what I understand I do not have a choice to do a CoA with filterID with the bandwidth limit enforcement profile. The only option I appear to have within that is disconnect.

We're talking about a satellite link so I'm sure we could live with the 5 minutes delay. They won't be able to download much in that time anyway. The main point is getting the bandwidth limit enforced and then reset every day without being too much of a hassle for the users.

 

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 727
Registered: ‎03-25-2009

Re: ClearPass - managing bandwidth quotas

Nobody that has a working bandwidth / quota control implementation and some advice?

Koen (ACMX #351 | ACDX #547 | ACCP)

Regular Contributor I
Posts: 179
Registered: ‎12-17-2008

Re: ClearPass - managing bandwidth quotas

Well I have confirmed the same issue, the download limit does not work, at least with a MAC auth'd service. My clients were able to go well past the download limit even though RADIUS accounting messages were being received and updated.

 

I have to disagree with anyone that says this is complex - this is old RADIUS functionality that has been around almost 20 years, it was very important back in the 56k dialup days!


--
ACMA ACMP
Frequent Contributor II
Posts: 117
Registered: ‎02-26-2010

Re: ClearPass - managing bandwidth quotas

Hi,

I got it working, but actually I've opened a post about how to remove the blacklisted user.

 

so:

 

1- you will have Authentication Sources - [Blacklist User Repository]

2- in the auth tab of the web login page you will put the blacklist user repository before the guest user repository

3- you will have a radius and a mac-auth service in which you will have the enforcement profile.

 

---- how it will work ----

You have a 30-day enforcement profile that says if bandwidth or session limit exceeded "disconnect & block" (this will put the user in the blacklist)

Users cannot reconnect because you also put the blacklist repo in the web page login

You will have a POST_Auth enforcement like this (mine is a daily limit)

 

Session-Check          Allowed-Duration = 2

Session-Check          Duration-Units = Hours

Session-Check          Check-Type = Daily

Post-Auth-Check       Action = Disconnect and Block Access

Andrea Consadori
ACMP 5.0 and 6.3


MVP
Posts: 727
Registered: ‎03-25-2009

Re: ClearPass - managing bandwidth quotas

We got this fixed in the end as well.. took some time back and forth with support but we got there.

  

The solution went something like this:

Add the Blacklist user repository as an authorization source in your service. Then add inside this blacklist source an extra variable (sql query) to pull time info relative to time.

 

 

I will admit the procedure could use some coding attention to make it more straightforward but until then just get TAC to help you reach your goals. They have so far always managed to help me with my sometimes weird requests.

 

 

Koen (ACMX #351 | ACDX #547 | ACCP)

Regular Contributor I
Posts: 187
Registered: ‎03-27-2013

Re: ClearPass - managing bandwidth quotas

Hello,
my name is Andrea, and I have the same issue... I don't know how to refresh the limit every day.
Have you found a solution?

Best regards

Thanks in advance

Andrea

P.S. Are you Italian like me?
Frequent Contributor II
Posts: 117
Registered: ‎02-26-2010

Re: ClearPass - managing bandwidth quotas

Hi,

Yes, I'm Italian like you, and I still have an open ticket with support...

Andrea Consadori
ACMP 5.0 and 6.3


Frequent Contributor II
Posts: 117
Registered: ‎02-26-2010

Re: ClearPass - managing bandwidth quotas

Hi,

Now all is working as expected:

The enforcement limit puts the daily limit and, if expired, users will be put in the blacklist until more than 24 hours have passed.

I opened a ticket with support and now I know that the blacklisted user is removed during the cleanup interval if blacklisted for more than 24 hours...

So if a user is blacklisted at 8.00 am today, you would expect that tomorrow at 9.00 they will be removed, but the cleanup interval runs at night, so they will be removed tomorrow night.

Andrea Consadori
ACMP 5.0 and 6.3

