Contributor I

Limit number of connections per AD user for specific Role

Hello,

 

I have a bunch of IAP-105 Access Points connecting to ClearPass 6.2.5 for authentication/role mapping, and that has been working well for me. I'm using the Active Directory machine name to authenticate employee machines and it's working, but lately I've had to add another role for Contractors. For this role, since they don't have an AD PC but do have an AD username, I've set up authentication for the user account. The problem is that they can sign into the WiFi from many machines (including mobile devices). I want to limit them to a single connection; all other attempts should get dropped.

 

I've done some searching and found a couple of threads about this same thing, but I couldn't get any of the responses to work for me. Can I get a little help please? I'm learning Aruba devices on my own, so I'm limited in what I know about them. Here are a couple of screenshots of my Service (I know the Roles page looks messy, but it's because we have multiple domains and multiple operating companies in each domain, so each operating company has their own groups).

 

Any help would be greatly appreciated.

 

Chris

(Screenshots attached: Capture.JPG through Capture5.JPG)

Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

To use active-session-count, I think you need to make sure you have RADIUS interim accounting set up, as well as Insight turned on in ClearPass.

Guru Elite

Re: Limit number of connections per AD user for specific Role

Also be aware that turning up interim accounting for all your networks can increase load on ClearPass.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Limit number of connections per AD user for specific Role

I have the checkbox for "Enable Insight on this server" checked and also have "Log Accounting Interim-Update Packets" set to True.

 

Any other suggestions?

 

Thanks!

Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

In the Live Monitoring > Accounting page, do you see accounting records? I ask because there are also settings on the controller itself that would need to be enabled to make Interim Accounting work.

Contributor I

Re: Limit number of connections per AD user for specific Role

No, there are no records being produced.

 

These APs are the Instant APs, which have the controller built in.

I'm not using a stand alone controller as I was told I didn't need one.

 

Is there somewhere on the IAP-105s I have to turn accounting on then?

Contributor I

Re: Limit number of connections per AD user for specific Role

OK, so I found where to turn accounting on and it's now logging to the Accounting page... but I'm still able to sign into multiple devices with the same user account.

Guru Elite

Re: Limit number of connections per AD user for specific Role

(INSTANT-VC1)(SSID Profile secure1)# radius-accounting
(INSTANT-VC1)(SSID Profile secure1)# radius-accounting-mode {user-authentication | user-association}
(INSTANT-VC1)(SSID Profile secure1)# radius-interim-accounting-interval <minutes>

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

I do not have a ton of XP on IAPs, but from the command line you should be able to:

 

wlan ssid-profile <profile-name>
radius-accounting enable
radius-interim-accounting-interval 10

 

Set the accounting interval to whatever number of minutes you need the user to check in at. Be careful, because too many re-auths can really put load on your ClearPass box.

 

Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

In order to de-auth a user after authentication, I believe you must have an RFC 3576 server configured. This is a setting on the IAP, as well as under Network > Devices > Enable RADIUS CoA on the ClearPass box.
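The thread's point is that an active-session-count limit is only as good as the accounting feed behind it: without Start/Interim-Update/Stop records the policy server cannot tell which sessions are still alive. The following is an added illustration of that dependency (not ClearPass or Aruba code); the `SessionTracker` class, the record shape and the sample timestamps are constructed for this example, and the staleness rule (no update within 1.5x the interim interval) is an assumption.

```python
"""Counting active sessions per user from RADIUS accounting records.

Illustrative model, not ClearPass's implementation. A session counts as
active only while it is kept fresh by Start or Interim-Update records;
a Stop record closes it, and a session that stops reporting becomes stale.
"""
from dataclasses import dataclass


@dataclass
class AcctRecord:
    status: str       # "Start", "Interim-Update" or "Stop" (Acct-Status-Type)
    user: str         # User-Name
    session_id: str   # Acct-Session-Id
    ts: int           # seconds since epoch (constructed sample values)


class SessionTracker:
    def __init__(self, interim_interval_s: int, grace: float = 1.5):
        # Assumed rule: a session is stale when no record arrived within
        # interim_interval * grace seconds of the current time.
        self.timeout = interim_interval_s * grace
        self.sessions = {}  # session_id -> (user, last_seen)

    def ingest(self, rec: AcctRecord) -> None:
        if rec.status == "Stop":
            self.sessions.pop(rec.session_id, None)
        elif rec.status in ("Start", "Interim-Update"):
            self.sessions[rec.session_id] = (rec.user, rec.ts)

    def active_count(self, user: str, now: int) -> int:
        return sum(1 for u, seen in self.sessions.values()
                   if u == user and now - seen <= self.timeout)

    def allow_new_session(self, user: str, now: int, limit: int = 1) -> bool:
        """Policy check equivalent to 'active-session-count < limit'."""
        return self.active_count(user, now) < limit


def demo() -> tuple:
    t = SessionTracker(interim_interval_s=600)   # 10-minute interim interval
    t.ingest(AcctRecord("Start", "contractor1", "s1", 0))
    second_denied = not t.allow_new_session("contractor1", 60)      # s1 fresh
    stale_allowed = t.allow_new_session("contractor1", 1000)        # no updates
    t.ingest(AcctRecord("Interim-Update", "contractor1", "s1", 1000))
    kept_denied = not t.allow_new_session("contractor1", 1100)      # refreshed
    t.ingest(AcctRecord("Stop", "contractor1", "s1", 1200))
    after_stop_allowed = t.allow_new_session("contractor1", 1201)   # closed
    return second_denied, stale_allowed, kept_denied, after_stop_allowed
```

The `stale_allowed` case is the failure mode the thread runs into: with accounting off (or interim updates never sent), the first session looks dead and a second device is let in.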
