Security

Reply
Contributor II

How to disconnect Users at a specified time?

Hey everybody,

 

we are using CPPM 6.4 with the Guest module.

 

I want to disconnect guest users at a specified time using CoA or Radius Session-Timeout.

 

One customer wants to have specified time ranges for their guest users.

I already updated the service so they can only login in the specified time, but of course don't get disconnected when the end time is reached.

 

The biggest problem is that we have different guest roles with different time ranges.

Would it be possible to disconnect a users with a specific user role at 10pm for example?

 

The users shall not expire! They will be able to reconnect again at the next day in the specified time range.

 

The authentication is using captive portal.

The NAS device is a IAP.

 

 

Regards,


Sven
ACMX #754, ACCX #726, ACSA
Guru Elite

Re: How to disconnect Users at a specified time?

You would need to use the time source as an authorization source and calculate the difference between the authentication time and 10 PM and then return that amount of time as a session timeout.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: How to disconnect Users at a specified time?

 

This required some PostgreSQL knowledge but I have a running solution now :)

 

Step 1: Add TimeSource as Authorization Source

 

Step 2: Add Filter to TimeSource 

select (extract(epoch from date(CURRENT_DATE) + time '22:30' - now()))::int as Until2300;

 

Step 3: Enforcement Profile with Session-Timeout

Radius:IETFSession-Timeout=%{Authorization:[Time Source]:Until2300}

 

 

Thanks


Sven
ACMX #754, ACCX #726, ACSA
Occasional Contributor II

Re: How to disconnect Users at a specified time?

hello guy


 

 

I need deploy the solution mencionated, 

I follow: 

Step 1: Add TimeSource as Authorization Source

 

Step 2: Add Filter to TimeSource 

select (extract(epoch from date(CURRENT_DATE) + time '22:30' - now()))::int as Until2300;

 

Step 3: Enforcement Profile with Session-Timeout

Radius:IETFSession-Timeout=%{Authorization:[Time Source]:Until2300}

 Step 4: Apply to a enforcement.

 

conection its working but the desconection at 1700 doesnt happen, maybe Im missing some steps. attach you can find some screenshoots of my configs.

 

Many Thanks



Re: How to disconnect Users at a specified time?

Do you have accounting enabled ? In ClearPass and the NAD
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: How to disconnect Users at a specified time?

hello,

Thanks for you quick reply

I had configured on controller:
- RFC 3576 Server (ip of my CPPM).
- RADIUS accounting server on AAA profile of captive portal (ip of my CPPM).
- RADIUS intering accounting on AAA profile.

 

over CPPM :
- I think the accounting its enable because I can see the active sessions and can see "online" status form a sigle user in access tracker, but its not possible terminate the session--- image attached.

v

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: