Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Limit user session by computer and Smartdevice

  • 1.  Limit user session by computer and Smartdevice

    Posted Mar 11, 2015 05:38 AM

    Dear all expert,

    I'm implementing ClearPass version 6.4.4, and my customer's requirement is to use the same user account but get a different user role when connecting with a computer versus a smart device. For example, if user "aaa" in AD group "Tech" connects to wireless with a computer, ClearPass will return the "Tech" role to the controller. But if the same user "aaa" connects to wireless with a smart device, ClearPass will return the "MobileTech" role to the controller. This works fine once I configured it. However, my customer gave me a further requirement: he wants to limit user sessions, such that user "aaa" connecting with a computer will be limited to 2 concurrent sessions, and at the same time user "aaa" connecting with a smart device will be limited to 2 concurrent sessions too.

    However, if I use this Insight attribute to apply the limit:


    select count(*) as sessions from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') AND now());


    It will count from accounting stop per user. When I use this attribute in combination with role mapping or an enforcement policy, it can't count separately by device type either.

    So how can I do it with the above requirement?

    Thanks.
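
The following is an added illustration, not code from the thread or from ClearPass: it loads a constructed stand-in for the Insight radius_acct table into SQLite, applies the same open-session predicate as the query above (written in SQLite date syntax rather than PostgreSQL's now() - interval), and shows why a per-user count alone cannot enforce a per-device-type limit. The device_category column, the sample rows and the 2-session limit are assumptions for the example; the real Insight schema may not expose such a column.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample data mimicking the radius_acct columns used by the query in
# the thread (username, end_time, termination_cause, updated_at). The
# device_category column is an ASSUMPTION made for this illustration; it is not
# on the page and the real Insight schema may not carry such a column.
NOW = datetime(2015, 3, 11, 5, 38, tzinfo=timezone.utc)
NOW_STR = NOW.strftime("%Y-%m-%d %H:%M:%S")

def _ts(minutes_ago):
    return (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%d %H:%M:%S")

SAMPLE_ROWS = [  # username, device_category, end_time, termination_cause, updated_at
    ("aaa", "Computer", None, None, _ts(5)),                   # open, recent
    ("aaa", "Computer", None, None, _ts(20)),                  # open, recent
    ("aaa", "SmartDevice", None, None, _ts(2)),                # open, recent
    ("aaa", "SmartDevice", _ts(30), "User-Request", _ts(30)),  # accounting stop seen
    ("aaa", "SmartDevice", None, None, _ts(90)),               # open but stale (>1 h)
    ("bbb", "Computer", None, None, _ts(1)),                   # different user
]

# Same predicate as the thread's Insight query, in SQLite date syntax instead of
# PostgreSQL's now() - interval '1 hour'.
PER_USER_SQL = """
SELECT COUNT(*) FROM radius_acct
WHERE username = ? AND end_time IS NULL AND termination_cause IS NULL
  AND updated_at BETWEEN datetime(?, '-1 hour') AND ?
"""

def build_db():
    """In-memory stand-in for the Insight database, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radius_acct (username TEXT, device_category TEXT, "
                 "end_time TEXT, termination_cause TEXT, updated_at TEXT)")
    conn.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def count_sessions(conn, username, category=None):
    """Open sessions for a user; restricted to one device category when given."""
    sql, params = PER_USER_SQL, [username, NOW_STR, NOW_STR]
    if category is not None:
        sql += " AND device_category = ?"  # the per-device-type split the thread asks for
        params.append(category)
    return conn.execute(sql, params).fetchone()[0]

def session_allowed(conn, username, category, limit=2):
    """Enforcement decision: admit only while the per-category count is under the limit."""
    return count_sessions(conn, username, category) < limit
```

With the sample rows, the plain per-user count for "aaa" is 3, so a limit of 2 applied to that number would reject a new smart-device session even though only one smart-device session is open; the per-category count (2 computer, 1 smart device) gives the answer the customer actually wants.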




  • 2.  RE: Limit user session by computer and Smartdevice

    Posted Mar 30, 2015 03:52 AM

    Hi!

    I would consider using other credentials than only username and password for the computers. If they are domain-connected Windows machines, I'd push certificates to the computers and authenticate them using EAP-TLS. Or you could authenticate them using their domain computer account instead of the user's account.

    If you're not in a Windows-only environment, you could consider an onboarding license to be able to push unique credentials to your devices.

    On topic, I'm not sure if you can differentiate session numbers on the same SSID using the same credentials and differing only by device type, as your customer wants.