Security

Hello,

is it possible to use different enforcement policys over the same service?

I have a service role mapping with nas_id and I need two diffrent policys in this service.

In the service settings I just can add one fixed enforcement policy.

Do I need for all diffrent enforcement mappings one service?

 

Second thing, can someone explain me why there was always a re-auth?

Attached file.

 

Thank you

 

 

What conditions are different between the two groups of users/devices that you want to test for?

 

enforcement profile session limit should be diffrent. User A 5 sessions User B 20 sessions.

 

Thank you

You create two different radius Enforcement Profiles:  One that sends one session limit, and another one that sends a different session limit.  Then you create a radius enforcement policy that looks for a username and sends a specific limit and another line that looks for a different username and sends a different limit:

 

I try this with authentication username but the enforcement is not listed after login with the user.

I just solved it now with an new service for this username an add the policy there directly.

Thnak you very much for reply.

 

Regards,

 

Marco

You can simply make it in one service by,makeing Role tagging for the 2 diffrent users for example :

 

User X--Role-->10 Session

User Y--Role-->15 Session

 

after map the roles after that In enforcment policy add the Condition Rules:

 

Tips-->Role-->Equal-->10 Session----take action which is Enforment profile of 10 session

Tips-->Role-->Equal-->15 Session----take action which is Enforment profile of 15 session

 

Try this it will work

 

 

I try but doesn´t work:

 

Role for unlimited Logins:

(Radius:IETF:User-Name  EQUALS  booking) FOR THE OTHER ROLES I MAP ROLE_ID BUT WHERE IS THE ROLE ID FOR MY NEW ROLE?

[Booking]

 

Enforcement:

(Tips:Role  EQUALS  [Booking])

Mobile Session Limit - unlimited Active

Access Tracker:

Service:	Mobile
Authentication Method:	EAP-PEAP,EAP-MSCHAPv2
Authentication Source:	Local:localhost
Authorization Source:	[Guest User Repository]
Roles:	[Guest], [Mobile], [User Authenticated]   WHERE IS THE ROLE Booking?

Endpoint:Username	booking
Expire-Time-Update:GuestUser	0
Expiry-Check:Expiry-Action	0
Post-Auth-Check:Action	Disconnect
Post-Auth-Check:Action	Disconnect and Block Access
Radius:IETF:Session-Timeout	0
Session-Check:Active-Session-Count	5

Looks like your enforcement isnt configured to return a role.


Thanks,
Tim

This is my enforcement policie:

 

Name: Guest Access Policy MOBILE Description: Enforcement policy for standard mobile access features Enforcement Type: RADIUS Default Profile: [Deny Access Profile]

 

Rules Evaluation Algorithm:	First applicable
Conditions Actions 1. (Tips:Role  EQUALS  [Booking]) Mobile Session Limit - unlimited Active 2. (Tips:Role  EQUALS  [Mobile]) Mobile Session Limit - 5 Active 3. (Tips:Role  NOT_EQUALS  [Mobile]) [Deny Access Profile]

I think the problem is that my username booking not map to the role Booking, isn´t it?

Looks like the role mapping is working but you don't have any RADIUS enforcement profile either or the rules.


Thanks,
Tim