Security

Reply
MVP
Posts: 1,409
Registered: ‎05-28-2008

H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1)  [Deny Access Profile]

 

 

>ClearPass is keeping  denying even after user session is expired and deleted ..please advise.... i want to user to be able to connect only with 1 device for 1 hour.and his session is over he can re create a new user with the same e-mail and login with another (2nd device)

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

Perhaps instead of just expiring the account...you can expire AND DELETE the account.  That way, the user can just re-create it with the same email.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

Thanks....BUTIt's already configured like this....

Capture.PNG

and it's aint working... when the 1 hour is over - i cant login with the same e-mail(user) with a 2nd device...

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

Did you check the guest account after the hour?  Is it still there?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

yep  ...as expired....

but the problem is that there is still endpoint record is still there even after the user account is expired....

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

Yep...and that's the issue.  The account must also be deleted.  I'm wondering if it's a config issue or a bug.  Perhaps a TAC case?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

it's really freaking me out...

 

i want the guest to be able to login for 1 hour with 1 device.

but when the 1 hour is over...is account is expired...but his enpoint is still written...so if he trying to create a new account with the same user/e-mail with another devices...it's getting reject - even due...he his already finish his first 1 hour with his first device...

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

FOr the Guest service you're using, can you check the post-auth actions?

 

I see one here that may work for you...

 

Screen Shot 2013-10-02 at 8.25.47 AM.png

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

noop..that not what i looking for.

the problem is with the endpoint record...and not with the expired guest 

 

 

(i want the user to be able to log with 2nd device after the first 1 hour as passed and he finished to use is first device)

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Contributor I
Posts: 27
Registered: ‎05-20-2013

Re: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :

Have you tried this setting?

 

I'm facing the same problem with stale endpoints for old devices accumulating and causing users to exceed the unique-device-count.

 

CPPM Endpoint Expiration

Search Airheads
Showing results for 
Search instead for 
Did you mean: