Contributor I
Posts: 27
Registered: ‎10-31-2014

Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Hello,

Is it possible to use different enforcement policies over the same service?

I have a service role mapping with nas_id and I need two different policies in this service.

In the service settings I can just add one fixed enforcement policy.

Do I need one service for each of the different enforcement mappings?

 

Second thing, can someone explain to me why there was always a re-auth?

Attached file.

 

Thank you

 

 

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

What conditions are different between the two groups of users/devices that you want to test for?

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor I
Posts: 27
Registered: ‎10-31-2014

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

The enforcement profile session limit should be different: User A 5 sessions, User B 20 sessions.

 

Thank you

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

You create two different RADIUS Enforcement Profiles: one that sends one session limit, and another one that sends a different session limit. Then you create a RADIUS enforcement policy that looks for a username and sends a specific limit, and another line that looks for a different username and sends a different limit:

 

sessiona.png



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 27
Registered: ‎10-31-2014

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

I tried this with authentication username, but the enforcement is not listed after login with the user.

I just solved it now with a new service for this username and added the policy there directly.

Thank you very much for the reply.

 

Regards,

 

Marco

Contributor II
Posts: 48
Registered: ‎03-16-2014

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

You can simply do it in one service by doing role tagging for the 2 different users, for example:

 

User X--Role-->10 Session

User Y--Role-->15 Session

 

After mapping the roles, add the condition rules in the enforcement policy:

 

Tips-->Role-->Equal-->10 Session----take action which is Enforcement profile of 10 session

Tips-->Role-->Equal-->15 Session----take action which is Enforcement profile of 15 session

 

Try this, it will work.

 

 

Islam Zidan │ Professional Services Engineer | ACCP,ACMP,CWDP,CWNA,CCNP,MCITP,Competia A+
Contributor I
Posts: 27
Registered: ‎10-31-2014

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

[ Edited ]

I tried but it doesn't work:

 

Role for unlimited Logins:

(Radius:IETF:User-Name  EQUALS  booking)

FOR THE OTHER ROLES I MAP ROLE_ID BUT WHERE IS THE ROLE ID FOR MY NEW ROLE?

[Booking]

 

Enforcement:

Condition: (Tips:Role EQUALS [Booking])
Action: Mobile Session Limit - unlimited Active

Access Tracker:

Service: Mobile
Authentication Method: EAP-PEAP,EAP-MSCHAPv2
Authentication Source: Local:localhost
Authorization Source: [Guest User Repository]
Roles: [Guest], [Mobile], [User Authenticated]
 
WHERE IS THE ROLE Booking?
Endpoint:Username = booking
Expire-Time-Update:GuestUser = 0
Expiry-Check:Expiry-Action = 0
Post-Auth-Check:Action = Disconnect
Post-Auth-Check:Action = Disconnect and Block Access
Radius:IETF:Session-Timeout = 0
Session-Check:Active-Session-Count = 5

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Looks like your enforcement isn't configured to return a role.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 27
Registered: ‎10-31-2014

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

[ Edited ]

This is my enforcement policy:

 

 
Name: Guest Access Policy MOBILE
Description: Enforcement policy for standard mobile access features
Enforcement Type: RADIUS
Default Profile: [Deny Access Profile]

Rules Evaluation Algorithm: First applicable

Conditions | Actions
1. (Tips:Role EQUALS [Booking]) | Mobile Session Limit - unlimited Active
2. (Tips:Role EQUALS [Mobile]) | Mobile Session Limit - 5 Active
3. (Tips:Role NOT_EQUALS [Mobile]) | [Deny Access Profile]

I think the problem is that my username booking does not map to the role Booking, isn't it?
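
A simplified model of the "First applicable" evaluation in the policy posted above, added here as an illustration (it is not ClearPass code and not from any poster in this thread). It assumes that Tips:Role EQUALS is true when the named role is among the roles assigned to the session and NOT_EQUALS is true when it is absent, and it feeds in the role list shown in the Access Tracker output earlier in the thread.

```python
# Simplified model of an ordered, first-applicable enforcement policy.
# Assumption: Tips:Role is multi-valued; EQUALS means "role is assigned",
# NOT_EQUALS means "role is not assigned". Names below are illustrative.

DEFAULT_PROFILE = "[Deny Access Profile]"

# Rules in the order posted in the thread: (operator, role, profile).
RULES = [
    ("EQUALS", "[Booking]", "Mobile Session Limit - unlimited Active"),
    ("EQUALS", "[Mobile]", "Mobile Session Limit - 5 Active"),
    ("NOT_EQUALS", "[Mobile]", "[Deny Access Profile]"),
]

# Roles listed under "Roles:" in the Access Tracker output for user "booking".
OBSERVED_ROLES = ["[Guest]", "[Mobile]", "[User Authenticated]"]


def rule_matches(operator, role, assigned_roles):
    """Evaluate one Tips:Role condition against the session's role set."""
    if operator == "EQUALS":
        return role in assigned_roles
    if operator == "NOT_EQUALS":
        return role not in assigned_roles
    raise ValueError(f"unsupported operator: {operator}")


def evaluate(assigned_roles, rules=RULES, default=DEFAULT_PROFILE):
    """Return (rule_number, profile) for the first matching rule.

    rule_number is None when no rule matches and the default profile applies.
    """
    roles = set(assigned_roles)
    for number, (operator, role, profile) in enumerate(rules, start=1):
        if rule_matches(operator, role, roles):
            return number, profile
    return None, default


def explain(assigned_roles):
    """Human-readable trace of which rule decided the outcome."""
    number, profile = evaluate(assigned_roles)
    source = f"rule {number}" if number else "default profile"
    return f"roles={sorted(assigned_roles)} -> {profile} ({source})"


if __name__ == "__main__":
    print(explain(OBSERVED_ROLES))                  # roles as seen in Access Tracker
    print(explain(OBSERVED_ROLES + ["[Booking]"]))  # same session with [Booking] assigned
    print(explain(["[Guest]"]))                     # session without [Mobile]
```

With the observed roles, rule 1 is skipped and rule 2 decides, which is consistent with the Session-Check:Active-Session-Count value of 5 in the Access Tracker output.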

Guru Elite
Posts: 8,191
Registered: ‎09-08-2010

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Looks like the role mapping is working but you don't have any RADIUS enforcement profile either or the rules.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP