Contributor I
Posts: 56
Registered: ‎08-28-2008

Limit concurrent 802.1x users without CoA

Hi,

I know that ClearPass can limit the number of concurrent users with the same login on 802.1X. But I want to know if it is possible to do this with an access point / controller that doesn't support RADIUS CoA. Is it possible?


The customer has a Fortinet controller and access points. Fortinet supports RADIUS 802.1X authentication and accounting, but not CoA.


The scenarios are:

Users from Group1 can authenticate on only 2 devices with the same login simultaneously.

Users from Group2 have no limit.


Can ClearPass solve this issue?


Best Regards,

Paulo R.

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: Limit concurrent 802.1x users without CoA

It really depends on how reliable the Accounting Stop packet is coming from Fortinet.


If it is reliable, then because of the flexibility of ClearPass we can write a custom SQL query to look at the number of active sessions that the username has. We use this information as authorization. Based on this information, and depending on the capabilities of Fortinet, we could redirect the user to a page saying that there are too many devices connected to the network using this username.

Thanks,

Zach Jennings
MVP
Posts: 226
Registered: ‎03-03-2011

Re: Limit concurrent 802.1x users without CoA

Did a similar thing a while ago and believe the below SQL query was used to create the active_session attribute which can then be used during Authorisation:

select count(*) as active_session
from radius_acct
where (username = '%{Authentication:Username}')
  and end_time is null
  and termination_cause is null
  and (calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}');

As zjennings stated you need to ensure the Fortigate is reliable at sending RADIUS accounting.

David
ACDX #98 | ACMP | ACCP
Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: Limit concurrent 802.1x users without CoA

Good SQL query. Might I suggest you add a time constraint on the search based on max session timeout or at least limit the search to 24 hours.

Thanks,

Zach Jennings
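Putting the two replies together, here is an added example (not the query David posted, nor a ClearPass-supplied one) of an authorization-source query that carries Zach's time constraint and returns the count the Group1 limit of 2 can be compared against in the Enforcement Policy. It assumes a start_time column on radius_acct (check it against your ClearPass schema) and a 24-hour ceiling as the stale-session cutoff, as suggested above.

```sql
-- Added example: active sessions for the authenticating user, excluding the
-- device that is authenticating right now (so a re-auth of an existing device
-- does not count its own still-open accounting record against the user) and
-- ignoring anything older than 24 hours, which is treated as a lost Accounting
-- Stop rather than a live session.
--
-- Assumptions (not from the thread): radius_acct has a start_time column, and
-- the ClearPass accounting database is PostgreSQL (INTERVAL syntax below).
SELECT COUNT(*) AS other_active_sessions
FROM radius_acct
WHERE username = '%{Authentication:Username}'
  AND end_time IS NULL                 -- no Accounting Stop received yet
  AND termination_cause IS NULL        -- not closed by the NAS
  AND calling_station_id <> '%{Connection:Client-Mac-Address-NoDelim}'
  AND start_time > NOW() - INTERVAL '24 hours';   -- Zach's time constraint

-- Enforcement Policy sketch (ClearPass rule, written as pseudo-conditions):
--   Tips:Role EQUALS Group1  AND  Authorization:<source>:other_active_sessions >= 2
--       -> Deny (or the "too many devices" captive page if the NAS can redirect)
--   Tips:Role EQUALS Group2
--       -> Allow, no count check
```

Because there is no CoA, the limit is only applied at the next authentication; an already-connected third device is not kicked off, and the count is only as good as the Fortinet Accounting Stop packets Zach mentions.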