Occasional Contributor I
Posts: 7
Registered: ‎02-04-2014

Guest Manager - Session Limit

I'm attempting to set up Guest Manager, which I've managed to an extent. Users can create accounts etc. and log on to the network. However, we have a requirement to allow users who create accounts to set the Session Limit to anything up to 20. I'm aware I can restrict them to using anything greater than 20 using validation, but I've been unable to actually get the session limit to work. If I create an account then I can log in, it seems, as many times as I want with that account.

Can anyone point me in the right direction on how to set it up so we can do this?

Thanks in advance :)

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Guest Manager - Session Limit

Do you have a RADIUS accounting server-group defined in your AAA profile on the controller? Also check the root AAA profile for RADIUS interim accounting.

[Screenshot: radius-accounting-aaa.png]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎02-04-2014

Re: Guest Manager - Session Limit

Would this be on ClearPass or Aerohive?

RADIUS is up and running as it uses a captive web portal to log in and authenticate back to the APs.

I'm unsure where I'd find these settings...? Also, apologies, I realise that I forgot to mention the Aerohive bits.

Thanks

Oli

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Guest Manager - Session Limit

The screenshot cappalli has posted is from an Aruba controller... he is asking you to enable RADIUS interim accounting. This feature should be available on Aerohive as well.

For accounting information to be stored in ClearPass Policy Manager you need to have Insight enabled (under server configuration).

Also, the ClearPass Policy Manager 6.x default behavior is to disconnect the latest device using RADIUS CoA (RFC 3576) after the session limit has been reached. If you have the guest template in Policy Manager you should have a Post_Authentication profile with a Session-Check and Post-Auth-Check.

In order for this to work you will need to have CoA (RFC 3576) enabled on the Aerohive solution. You also need to make sure ClearPass can communicate with the APs in order for it to send RADIUS CoA requests (UDP port 3799).

You can also use the Insight database (accounting) to enforce the session limit; this however needs a custom SQL query to get the number of sessions for a certain guest account. I can share this SQL query if needed. With this method you do need CoA in place on the Aerohive config.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
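A simplified model of the dependency described in the post above: a session limit can only be enforced if accounting Start/Interim/Stop records reach the server, and the newest session over the limit is the one to disconnect by CoA. This is an added example, not ClearPass code and not the SQL query mentioned in the post; the record layout, function names and the `stale_after` timeout are assumptions.

```python
from dataclasses import dataclass

# Constructed RADIUS accounting records (not taken from the thread):
# (timestamp_s, Acct-Status-Type, User-Name, Acct-Session-Id, Calling-Station-Id)
SAMPLE_RECORDS = [
    (0,   "Start",          "guest1", "s1", "AA-AA-AA-AA-AA-01"),
    (60,  "Start",          "guest1", "s2", "AA-AA-AA-AA-AA-02"),
    (300, "Interim-Update", "guest1", "s1", "AA-AA-AA-AA-AA-01"),
    (310, "Stop",           "guest1", "s2", "AA-AA-AA-AA-AA-02"),
    (400, "Start",          "guest1", "s3", "AA-AA-AA-AA-AA-03"),
    (420, "Start",          "guest1", "s4", "AA-AA-AA-AA-AA-04"),
]

@dataclass
class Session:
    user: str
    session_id: str
    mac: str
    started: int
    last_seen: int

def active_sessions(records, now, stale_after=900):
    """Replay accounting records up to `now`; return sessions still open."""
    open_sessions = {}
    for ts, status, user, sid, mac in sorted(records):
        if ts > now:
            break
        key = (user, sid)
        if status == "Start":
            open_sessions[key] = Session(user, sid, mac, ts, ts)
        elif status == "Interim-Update" and key in open_sessions:
            open_sessions[key].last_seen = ts
        elif status == "Stop":
            open_sessions.pop(key, None)
    # If a Stop is lost, only interim updates prove a session is still alive;
    # sessions silent for longer than stale_after (assumed value) are aged out.
    return [s for s in open_sessions.values() if now - s.last_seen <= stale_after]

def sessions_to_disconnect(records, user, limit, now, stale_after=900):
    """Return the newest sessions beyond `limit` (the CoA disconnect candidates)."""
    mine = sorted(
        (s for s in active_sessions(records, now, stale_after) if s.user == user),
        key=lambda s: s.started,
    )
    return mine[limit:]
```

With no accounting records at all, `sessions_to_disconnect` always returns an empty list, which matches the symptom in the first post: the account can log in any number of times.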
Occasional Contributor I
Posts: 7
Registered: ‎02-04-2014

Re: Guest Manager - Session Limit

Ok great! I got CoA working today so we're able to change status of connections through ClearPass etc. so that's definitely set up.

Where would I implement this change? On one of the user forms in Guest Manager or in Policy Manager enforcement rules? I'm fairly new to the product so apologies about the questions.

Thanks

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Guest Manager - Session Limit

In Policy Manager: in the enforcement policy connected to the service used for guest authentication you should have a policy where an enforcement policy is applied for the guest session limit.

See attached screenshot.

If you do not have this you should use the service template for guest authentication.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Occasional Contributor I
Posts: 7
Registered: ‎02-04-2014

Re: Guest Manager - Session Limit

Thanks for this. I can see the section in here (see attached).

I'm unsure of what exactly to put in though? So when a user puts in a number on the session limit form on the captive web portal, how can I then link that back so they can never go over that limit? Will your SQL statement work for this?

Thanks

Oli

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Guest Manager - Session Limit

Do you also have a service for "Guest Access" (not "Guest Access pre-auth")? The non-pre-auth service should have an enforcement policy with the mentioned enforcement profile in place.

The pre-auth service is used for direct communication between ClearPass Policy Manager and ClearPass Guest. The other guest service is used for RADIUS authentication between the Aerohive AP and ClearPass Policy Manager.

It's not mandatory to have a pre-auth service in place; this is only needed when pre-auth checks are enabled in ClearPass Guest (either on the login form or self registration). The purpose of pre-auth is to have validation enabled within ClearPass Guest so the user will see an error on the ClearPass Guest page when they have entered incorrect credentials.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Occasional Contributor I
Posts: 7
Registered: ‎02-04-2014

Re: Guest Manager - Session Limit

There is a service for pre-auth only, it seems, by the looks of it! Would this be where I put the entry to check for the session limit?

Or should I create a new service to cater for this? I would assume that it would be part of the pre-auth check as we'd want it to check before they connect if they've gone over the limit?

Thanks

Oli

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Guest Manager - Session Limit

Oh, you only have a pre-auth service? :) In that case the login from the Aerohive AP to ClearPass Policy Manager should not really work. But these services are both RADIUS based, so that might work by coincidence.

If you look in your Access Tracker, on which service do the authentication requests from the Aerohive AP hit?

You probably can disable the pre-auth service for now and create a new service using the "guest access" service template. Make sure you do not have pre-auth checks enabled in ClearPass Guest.

The "guest access" service template will have the correct post authentication enforcement profiles.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl