Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Limit number of connections per AD user for specific Role

  • 1.  Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 01:15 PM

    Hello,

     

    I have a bunch of IAP-105 Access Points connecting to ClearPass 6.2.5 for authentication/role mapping that has been working well for me.  I'm using the Active Directory machine name to authenticate employee machines and it's working, but lately I've had to add another role for Contractors.  Since this role's users don't have an AD PC but do have an AD username, I've set up authentication for the user account, but the problem is that they can sign into the WIFI from many machines (including mobile devices).  I want to limit them to a single connection; all other attempts get dropped.

     

    I've done some searching and found a couple of threads about this same thing, but I couldn't get any of the responses to work for me.  Can I get a little help please?  I'm learning Aruba devices on my own, so I'm limited in what I know about them.  Here are a couple of screenshots of my Service (I know the Roles page looks messy, but it's because we have multiple domains and multiple operating companies in each domain, so each operating company has its own groups). 

     

    Any help would be greatly appreciated.

     

    Chris

     

     

    Capture.JPG

    Capture1.JPG

    Capture2.JPG

     

    Capture3.JPG

    Capture4.JPG

    Capture5.JPG



  • 2.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:00 PM

    To use active-session-count, I think you need to make sure you have RADIUS interim accounting set up as well as Insight turned on in ClearPass.



  • 3.  RE: Limit number of connections per AD user for specific Role

    EMPLOYEE
    Posted Feb 19, 2014 02:02 PM
    Also be aware that turning up interim accounting for all your networks can
    increase load on ClearPass.


  • 4.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:09 PM

    I have the checkbox for "Enable Insight on this server" checked and also have "Log Accounting Interim-Update Packets" set to True.

     

    Any other suggestions?

     

    Thanks!



  • 5.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:11 PM

    In the Live_Monitoring>Accounting page, do you see accounting records?  I ask because there are also settings on the controller itself that would need to be enabled to make Interim Accounting work.  



  • 6.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:13 PM

    No, there are no records being produced.

     

    These APs are the Instant APs which have the controller built in. 

    I'm not using a stand alone controller as I was told I didn't need one.

     

    Is there somewhere on the IAP-105s I have to turn accounting on then?



  • 7.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:23 PM

    Ok, so I found where to turn accounting on and it's now logging to the Accounting page...but I'm still able to sign into multiple devices with the same user account.



  • 8.  RE: Limit number of connections per AD user for specific Role

    EMPLOYEE
    Posted Feb 19, 2014 02:23 PM
    (INSTANT-VC1)(SSID Profile secure1)# radius-accounting
    (INSTANT-VC1)(SSID Profile secure1)# radius-accounting-mode {user-authentication | user-association}
    (INSTANT-VC1)(SSID Profile secure1)# radius-interim-accounting-interval <minutes>

     



  • 9.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 03:02 PM

    @cappalli wrote:
    (INSTANT-VC1)(SSID Profile secure1)# radius-accounting
    (INSTANT-VC1)(SSID Profile secure1)# radius-accounting-mode {user-authentication | user-association}
    (INSTANT-VC1)(SSID Profile secure1)# radius-interim-accounting-interval <minutes>

     


    When looking at my WIFI Profile in the CLI, I see I'm missing the "radius-accounting-mode".  What should I be using, user-authentication or user-association?

     

     



  • 10.  RE: Limit number of connections per AD user for specific Role

    EMPLOYEE
    Posted Feb 19, 2014 03:51 PM
    Authentication








  • 11.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:31 PM

    I do not have a ton of XP on IAPs, but from the command line you should be able to 

     

    wlan ssid-profile <profile-name>  

    radius-accounting enable

    radius-interim-accounting-interval 10 

     

    Set the accounting interval to whatever number of minutes you need the user to check in at. Be careful, because too many re-auths can really put load on your ClearPass box.

     



  • 12.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:36 PM

    In order to de-auth a user after authentication, I believe you must have an RFC3576 server configured.  This is a setting on the IAP as well as under Network>Devices> Enable RADIUS CoA on the ClearPass box.



  • 13.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 02:46 PM

    I have RFC3576 active on both the IAP and Clearpass/Radius server.

     

    I'm sure it's something simple that I'm missing or have in the wrong spot but I can still connect two devices.



  • 14.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 04:15 PM

    How does the de-auth work?  I have all the settings that have been mentioned in this post done and there are still multiple connections from the same user.

     

     



  • 15.  RE: Limit number of connections per AD user for specific Role

    EMPLOYEE
    Posted Feb 19, 2014 05:12 PM

    Are you able to manually disconnect a device? Please try this: Connect with your device, then go to Access Tracker and find the latest authentication request and open it. Click the "Change Status" button at the bottom, make sure it says Aruba Terminate Session. It should tell you if the action was successful.

     

    change-status.png

     

    coa-type.png



  • 16.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 20, 2014 08:04 AM

    Radius [Aruba Terminate Session] successful for client 94ebcd19ecb9

     

     

    So it seems that works.  It disconnected my BB10 device and then the device reconnected instantly while my Android device was already connected.



  • 17.  RE: Limit number of connections per AD user for specific Role
    Best Answer

    Posted Feb 28, 2014 12:46 PM

    Hi all, just to update this thread, I was working with the OP and we finally got this working.

     

    We set up the policy & profile as follows, and are now able to connect with one device only, using username / password auth.  I think what was missing before was that the Endpoint wasn’t being updated with the AD username, the way it would with Guest authentication.

     

    I’ll try to sum it up here:

     

    Enforcement Policy.png

     

    In the screenshot above, you can see I have two rules in the Enforcement Policy, in this case based on my UserDN (just to ensure the rule hits during testing.  Obviously for the customer, the rule condition will be based on TIPS:Role or something other than a static UserDN).  The first rule is where we check the Unique-Device-Count.  More than 1 device gets the Deny Access profile.

    The next rule is where we set the user role, and update the endpoint.  Rather than setting it known, or trying to cache the MAC address, the “Update Endpoint” profile simply adds the AD username to the endpoint.

     

    The profiles look like this:

     

    Wireless Trust Profile.png

     

    Update Endpoint Profile.png

     

    I tested this with various devices, and it always works.  The first device authenticates properly, and the next one is rejected like this:

    access tracker.png

     

    Hope this helps someone else!
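    To make the two-rule policy above concrete, here is an added simulation (constructed for this thread, not ClearPass code or its API) of an endpoint repository keyed by client MAC, the Unique-Device-Count check, and the "Update Endpoint" action that stamps the AD username on the endpoint. Assumptions, labelled in the code: the username lives in an endpoint attribute called Username, the authenticating device itself is included in the count (which is what lets GREATER_THAN 1 reject the second device), the MACs are made up, and the release function only models an operator or cleanup job clearing the attribute, since the thread does not say ClearPass does that on its own. Running the same scenario with the endpoint update switched off reproduces the situation mpoulin describes as what was missing before: the count never exceeds 1, so the deny rule never matches.

```python
# Constructed model of the two-rule ClearPass enforcement policy from this thread.
# Not ClearPass code; attribute, profile and MAC values are assumptions.
from dataclasses import dataclass, field

DENY_PROFILE = "Deny Access Profile"
ALLOW_PROFILES = ("Wireless Trust Profile", "Update Endpoint Profile")


@dataclass
class EndpointRepository:
    """Stand-in for the Endpoints Repository authorization source: MAC -> attributes.
    Assumption: the AD username is stored under an endpoint attribute named 'Username'."""
    endpoints: dict = field(default_factory=dict)

    def unique_device_count(self, username, current_mac):
        """Distinct endpoints carrying this username.
        Assumption: the device authenticating right now is counted too, so the
        first device sees a count of 1 and the second device sees 2."""
        macs = {mac for mac, attrs in self.endpoints.items()
                if attrs.get("Username") == username}
        macs.add(current_mac)
        return len(macs)

    def update_endpoint(self, mac, username):
        """What the 'Update Endpoint' enforcement profile does: stamp the AD username."""
        self.endpoints.setdefault(mac, {})["Username"] = username

    def release_endpoint(self, mac):
        """Model of clearing the username from an endpoint (operator action or a
        cleanup job). The thread does not say ClearPass does this automatically."""
        self.endpoints.get(mac, {}).pop("Username", None)


def evaluate(repo, mac, username, update_endpoint=True):
    """First-match evaluation of the two rules.
    Rule 1: Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1 -> deny.
    Rule 2: allow; with update_endpoint=True the second profile also writes the
    username to the endpoint. update_endpoint=False models leaving that profile out."""
    if repo.unique_device_count(username, mac) > 1:
        return DENY_PROFILE
    if update_endpoint:
        repo.update_endpoint(mac, username)
    return ALLOW_PROFILES


def run_scenario(update_endpoint=True):
    """One contractor account authenticating from three devices in turn (constructed MACs).
    Returns the enforcement result per device."""
    repo = EndpointRepository()
    user = "contractor01"
    results = {}
    for mac in ("aa11bb22cc33", "aa11bb22cc44", "aa11bb22cc55"):
        results[mac] = evaluate(repo, mac, user, update_endpoint)
    return results


def run_release_scenario():
    """Second device is denied until the first device's endpoint is released."""
    repo = EndpointRepository()
    user = "contractor01"
    first = evaluate(repo, "aa11bb22cc33", user)
    blocked = evaluate(repo, "aa11bb22cc44", user)
    repo.release_endpoint("aa11bb22cc33")
    after = evaluate(repo, "aa11bb22cc44", user)
    return first, blocked, after


if __name__ == "__main__":
    print("with endpoint update:   ", run_scenario(True))
    print("without endpoint update:", run_scenario(False))
    print("after release:          ", run_release_scenario())
```

    The point of the model is the ordering: the count is read before the endpoint is written, so the deny rule can only ever fire for a user whose earlier device was stamped with the username by an allow rule. Any configuration that skips the stamping step leaves the count stuck at 1 for every device.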

     

     



  • 18.  RE: Limit number of connections per AD user for specific Role

    Posted Mar 05, 2014 04:49 AM

    Hi mpoulin.

    Thanks for your post.

    I tried to repeat your configuration for accounts from ClearPass Guest and accounts from AD.
    But I can connect multiple devices, the rule does not match, and the connection is not denied.

    (Authorization:[Endpoints Repository]:Unique-Device-Count  GREATER_THAN  1) [Deny Access Profile] 
    Please advise where my mistake could be.



  • 19.  RE: Limit number of connections per AD user for specific Role

    Posted Mar 06, 2014 02:33 PM


  • 20.  RE: Limit number of connections per AD user for specific Role

    Posted Mar 07, 2014 04:06 AM

    Thank you,
    this was my mistake)



  • 21.  RE: Limit number of connections per AD user for specific Role

    Posted Feb 19, 2014 07:22 PM
    I'll check first thing tomorrow morning, I've already gone home and there aren't any live connections I can "test" with lol


  • 22.  RE: Limit number of connections per AD user for specific Role

    Posted Mar 14, 2022 11:17 AM
    Hi 

    I tested this config and it works.

    But are the endpoint counters cleared automatically somehow at the end of the day, or when the user disconnects one device?

    Regards

    ------------------------------
    Bruno Costa
    ------------------------------