Contributor I
Posts: 24
Registered: ‎04-15-2013

Concurrent connections limit

Hello,

We just implemented a new Aruba WiFi solution. ClearPass Policy Manager is used for RADIUS for some SSIDs, and we have a specific SSID configured in a ClearPass Policy Manager service.

One of the networks we deploy is an Aruba 802.1X wireless network that just checks if the Active Directory user is a member of a specific (AD) group. This network is used for employees that are able to connect with their mobile device. Now I need a way to restrict access to only 1 concurrent connection/session for one group of users and 2 concurrent connections/sessions for another group.

I did find some information about the rules I can use in the role mapping rules, but I can't find a way to limit the max concurrent connections. I'm not sure if this is the right way to configure this or whether I need some service rules or other settings.

Any help is appreciated.

Regards,
Roland

MVP
Posts: 4,266
Registered: ‎07-20-2011

Re: Concurrent connections limit

You can define this under the user-role, maximum tcp sessions 0-65365
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: Concurrent connections limit


roland123 wrote:

Hello,

We just implemented a new Aruba WiFi solution. ClearPass Policy Manager is used for RADIUS for some SSIDs, and we have a specific SSID configured in a ClearPass Policy Manager service.

One of the networks we deploy is an Aruba 802.1X wireless network that just checks if the Active Directory user is a member of a specific (AD) group. This network is used for employees that are able to connect with their mobile device. Now I need a way to restrict access to only 1 concurrent connection/session for one group of users and 2 concurrent connections/sessions for another group.

I did find some information about the rules I can use in the role mapping rules, but I can't find a way to limit the max concurrent connections. I'm not sure if this is the right way to configure this or whether I need some service rules or other settings.

Any help is appreciated.

Regards,
Roland


Roland,

 

You can do this through ClearPass Policy Manager with a Post-Authentication Profile.  Please review the CPPM 6.0 user guide on how to set this up.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 24
Registered: ‎04-15-2013

Re: Concurrent connections limit

Hello cjoseph,

 

I created an enforcement profile "limit max 1 session" with the attributes:

 

    Type              Name                   Value
 1. Session-Check     Active-Session-Count   = 1
 2. Post-Auth-Check   Action                 = Disconnect

 

I added this profile to an enforcement policy rule action. The policy condition is:

    Type   Name   Operator   Value
 1. Tips   Role   EQUALS     My role name

And with this are 2 enforcement profiles:

[RADIUS] Profile_My-Profile
[Post Authentication] Limit max 1 session

 

 

In the radius profile there is a check for the Aruba-User-Role.

 

I also added the Blacklist User Repository to the authentication sources at the Service that contains the above enforcement policy (as suggested in the user guide), but it doesn't seem to work. I did try to connect, disconnect and reconnect with 2 mobile devices and the AD user, but I can connect all the time when I enter the correct logon information.

 

Is there something I forget?

 

Kind regards,

Roland

Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: Concurrent connections limit

Roland,

 

Do you have radius account enabled in the AAA profile of the WLAN controller?  You also need to enable interim accounting, as well.  In addition, in CPPM under server configuration, you need to have "Enable Insight on this Server" checked, as well as Log Accounting Interim-Update Packets set to True under Service Parameters> Radius Server > Accounting.

 



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 24
Registered: ‎04-15-2013

Re: Concurrent connections limit

Hello cjoseph,

Radius interim accounting is enabled and there is an 802.1x Authentication server group specified to the ClearPass server. Is this enough on the controller side? Where do I need to have the radius account enabled in the AAA Profile? Is it that I need to specify the ClearPass server as accounting server, the same group I used for the 802.1x Authentication server group?

 

Enable Insight on this server is enabled, Log Accounting Interim-Update Packets is set to true.

 

Thanks,

Roland
Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: Concurrent connections limit

Yes, you need to put the same server group for CPPM in the Radius Accounting Server group in the AAA profile. You should then be able to see radius accounting for authentication on the CPPM side.


Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 24
Registered: ‎04-15-2013

Re: Concurrent connections limit

Thank you for your patience with me :-)

 

Okay, now I see some data in the accounting monitoring. But I'm still able to just connect with my credentials from 2 devices at the same time. I'm expecting that the second connection is terminated, from the second device.

Do I still forget something?

Guru Elite
Posts: 20,978
Registered: ‎03-29-2007

Re: Concurrent connections limit

Okay.  In the AAA profile on the Aruba Controller, make sure you have an RFC 3576 profile that points to CPPM (enter the same preshared key), and on the CPPM side make sure that the Aruba Controller definition has COA enabled.

 



Colin Joseph
Aruba Customer Engineering
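
Added example, not part of any post in this thread and not Aruba's own configuration: the controller-side settings named in the replies above (CPPM as the RADIUS accounting server group, interim accounting, and an RFC 3576 server with the same shared key), written in ArubaOS 6.x controller CLI syntax. The server name, group name, AAA profile name, the address 192.0.2.10 and the key placeholder are all assumptions.

```text
! Hypothetical names and address; replace with your own values.
! RADIUS server definition for ClearPass (CPPM).
aaa authentication-server radius "cppm-01"
   host 192.0.2.10
   key <shared-secret>
!
! Server group that contains the CPPM server.
aaa server-group "cppm-group"
   auth-server "cppm-01"
!
! RFC 3576 (CoA / Disconnect) source the controller will accept requests from.
! The key must match the shared secret configured for this controller in CPPM.
aaa rfc-3576-server "192.0.2.10"
   key <shared-secret>
!
aaa profile "employee-dot1x-aaa"
   ! 802.1X authentication goes to CPPM.
   dot1x-server-group "cppm-group"
   ! Accounting goes to the same group, so CPPM receives session records
   ! for the users it authenticated.
   radius-accounting "cppm-group"
   ! Also send Interim-Update records for sessions that stay connected.
   radius-interim-accounting
   ! Allow CPPM to send the Disconnect chosen by the Post-Auth-Check action.
   rfc-3576-server "192.0.2.10"
```

The CPPM-side counterparts listed in the thread are "Enable RADIUS CoA" on the controller's device entry, "Enable Insight on this Server", and Log Accounting Interim-Update Packets set to True.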


Contributor I
Posts: 24
Registered: ‎04-15-2013

Re: Concurrent connections limit

I have the RFC 3576 Auth. server configured with the ClearPass server at the controller aaa profile. And "Enable RADIUS CoA" is enabled in the CPPM config (at both Aruba controller devices), but I'm still able to connect with 2 separate devices.

 

 
