Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Manager - Session Limit

  • 1.  Guest Manager - Session Limit

    Posted Feb 04, 2014 10:31 AM

    I'm attempting to set up Guest Manager, which I've managed to an extent. Users can create accounts etc. and log on to the network. However, we have a requirement to allow users who create accounts to set the Session Limit to anything up to 20. I'm aware I can restrict them to using anything greater than 20 using validation, but I've been unable to actually get the session limit to work. If I create an account then I can log in, it seems, as many times as I want with that account.

     

    Can anyone point me in the right direction on how to set it up so we can do this?

     

    Thanks in advance :)



  • 2.  RE: Guest Manager - Session Limit

    EMPLOYEE
    Posted Feb 04, 2014 10:35 AM

    Do you have a RADIUS accounting server-group defined in your AAA profile on the controller? Also check the root AAA profile for RADIUS interim accounting.

     

     

    radius-accounting-aaa.png



  • 3.  RE: Guest Manager - Session Limit

    Posted Feb 04, 2014 10:58 AM

    Would this be on ClearPass or Aerohive? 

     

    RADIUS is up and running, as it uses a captive web portal to log in and authenticate back to the APs.

     

    I'm unsure where I'd find these settings...? Also, apologies, I realise that I forgot to mention the Aerohive bits.

     

    Thanks

     

    Oli



  • 4.  RE: Guest Manager - Session Limit

    Posted Feb 04, 2014 04:05 PM

    The screenshot cappalli has posted is from an Aruba controller... he is asking you to enable RADIUS interim accounting. This feature should be available on Aerohive as well.

     

    For accounting information to be stored in ClearPass Policy Manager you need to have Insight enabled (under server configuration).

     

    Also, the ClearPass Policy Manager 6.x default behavior is to disconnect the latest device using RADIUS CoA (RFC 3576) after the session limit has been reached. If you have the guest template in Policy Manager you should have a Post_Authentication profile with a Session-Check and Post-Auth-Check.

     

    In order for this to work you will need to have CoA (RFC 3576) enabled on the Aerohive solution. You also need to make sure ClearPass can communicate with the APs in order for it to send RADIUS CoA requests (UDP port 3799).

     

    You can also use the Insight database (accounting) to enforce the session limit; this, however, needs a custom SQL query to get the number of sessions for a certain guest account. I can share this SQL query if needed. With this method you do need CoA in place on the Aerohive config.
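
The session-limit logic described in the post above, modelled as an added example (not part of the original thread and not ClearPass or Insight code). It counts live sessions per guest from RADIUS accounting records and picks the latest session over the limit as the CoA disconnect target; the record layout, the `stale_after` timeout and all sample values are assumptions constructed for illustration.

```python
# Constructed sample accounting records (not taken from the thread):
# (timestamp_s, Acct-Status-Type, User-Name, Acct-Session-Id, Calling-Station-Id)
SAMPLE = [
    (0,   "Start",          "guest1", "s1", "AA-AA-AA-00-00-01"),
    (60,  "Start",          "guest1", "s2", "AA-AA-AA-00-00-02"),
    (300, "Interim-Update", "guest1", "s2", "AA-AA-AA-00-00-02"),
    (400, "Start",          "guest2", "s3", "AA-AA-AA-00-00-03"),
    (420, "Stop",           "guest2", "s3", "AA-AA-AA-00-00-03"),
    (900, "Start",          "guest1", "s4", "AA-AA-AA-00-00-04"),
]

def active_sessions(records, now, stale_after=600):
    """Return {user: [(start_ts, session_id, mac), ...]} for sessions still live at `now`.

    Assumption of this model: a session with no Start/Interim-Update seen for
    `stale_after` seconds is treated as gone, which is why interim accounting
    matters when a client leaves without a Stop record being sent.
    """
    live = {}  # Acct-Session-Id -> session state
    for ts, status, user, sid, mac in sorted(records):
        if ts > now:
            break
        if status == "Start":
            live[sid] = {"user": user, "mac": mac, "start": ts, "seen": ts}
        elif status == "Interim-Update" and sid in live:
            live[sid]["seen"] = ts          # refresh liveness
        elif status == "Stop":
            live.pop(sid, None)             # session ended cleanly
    by_user = {}
    for sid, s in live.items():
        if now - s["seen"] <= stale_after:
            by_user.setdefault(s["user"], []).append((s["start"], sid, s["mac"]))
    return {user: sorted(sessions) for user, sessions in by_user.items()}

def sessions_to_disconnect(records, limits, now, stale_after=600):
    """List (user, session_id, mac) over the per-account limit; the latest sessions lose."""
    targets = []
    for user, sessions in active_sessions(records, now, stale_after).items():
        limit = limits.get(user)            # value entered on the guest form
        if limit is not None and len(sessions) > limit:
            targets.extend((user, sid, mac) for _, sid, mac in sessions[limit:])
    return targets

if __name__ == "__main__":
    print(active_sessions(SAMPLE, now=900))
    print(sessions_to_disconnect(SAMPLE, {"guest1": 1}, now=900))
```

With no accounting records at all the session count is always zero, so no limit is ever reached, which matches the symptom in the first post.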



  • 5.  RE: Guest Manager - Session Limit

    Posted Feb 04, 2014 04:41 PM
    Ok great! I got CoA working today so we're able to change status of connections through ClearPass etc., so that's definitely set up.

    Where would I implement this change? On one of the user forms in Guest Manager or in Policy Manager enforcement rules? I'm fairly new to the product so apologies about the questions.

    thanks



  • 6.  RE: Guest Manager - Session Limit

    Posted Feb 04, 2014 04:51 PM

    In Policy Manager: in the enforcement policy connected to the service used for guest authentication you should have a policy where an enforcement policy is applied for the guest session limit.

     

    See attached screenshot.

     

    If you do not have this you should use the service template for guest authentication.



  • 7.  RE: Guest Manager - Session Limit

    Posted Feb 05, 2014 04:14 AM

    Thanks for this. I can see the section in here (see attached).

     

    I'm unsure of what exactly to put in though? So when a user puts in a number on the session limit form on the captive web portal, how can I then link that back so they can never go over that limit? Will your SQL statement work for this?

     

    Thanks

     

    Oli



  • 8.  RE: Guest Manager - Session Limit

    Posted Feb 05, 2014 05:15 AM

    Do you also have a service for "Guest Access" (not "Guest Access pre-auth")? The non-pre-auth service should have an enforcement policy with the mentioned enforcement profile in place.

     

    The pre-auth service is used for direct communication between ClearPass Policy Manager and ClearPass Guest. The other guest service is used for RADIUS authentication between the Aerohive AP and ClearPass Policy Manager.

     

    It's not mandatory to have a pre-auth service in place; this is only needed when pre-auth checks are enabled in ClearPass Guest (either on the login form or self registration). The purpose of pre-auth is to have validation enabled within ClearPass Guest so the user will see an error on the ClearPass Guest page when they have entered incorrect credentials.



  • 9.  RE: Guest Manager - Session Limit

    Posted Feb 05, 2014 05:44 AM

    There is a service for pre-auth only, it seems, by the looks of it! Would this be where I put the entry to check for the session limit?

     

    Or should I create a new service to cater for this? I would assume that it would be part of the pre-auth check, as we'd want it to check before they connect if they've gone over the limit?

     

    Thanks

     

    Oli



  • 10.  RE: Guest Manager - Session Limit
    Best Answer

    Posted Feb 05, 2014 05:57 AM

    Oh, you only have a pre-auth service? :) In that case the login from the Aerohive AP to ClearPass Policy Manager should not really work. But, these services are both RADIUS based, so that might work by coincidence.

     

    If you look in your Access Tracker, on which service do the authentication requests from the Aerohive AP hit?

     

    You probably can disable the pre-auth service for now and create a new service using the "guest access" service template. Make sure you do not have pre-auth checks enabled in ClearPass Guest.

     

    The "guest access" service template will have the correct post authentication enforcement profiles.



  • 11.  RE: Guest Manager - Session Limit

    Posted Feb 05, 2014 07:00 AM

    Seems to come in on Guest Operator Logins according to the RADIUS request. 

     

    So it'd be easier to then create a brand new service that checks for it? I'll give that a crack and let you know how I do.

     

    Thanks for your help!



  • 12.  RE: Guest Manager - Session Limit

    Posted Jan 24, 2018 02:59 AM

    @arjan_k wrote:
    You can also use the Insight database (accounting) to enforce the session limit; this, however, needs a custom SQL query to get the number of sessions for a certain guest account. I can share this SQL query if needed. With this method you do need CoA in place on the Aerohive config.

    Hi Arjan,

     

    Can you please share the custom SQL query? I think you DON'T need CoA in place when using this query?

     

    Thanks in advance!