Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Mac Caching - Clearpass

  • 1.  Mac Caching - Clearpass

    Posted Mar 24, 2014 09:46 AM

    Hello

    I have recently deployed ClearPass + self registration.

    I have 2 services, one that allows the guest to create an account, which then updates the endpoint repository, and then for the duration of the day the user connects to the wireless network and is authenticated by MAC address.

    I have set the MAC service so it is only considered valid if less than 12 hours old and is tied to a valid account.

    The solution is also set up so that a user can only connect with 2 devices (at one time).

    The problem is once a user has connected and authenticated, and the devices are added to the Endpoint database, they never seem to disappear / get deleted.

    So a user comes in one day, registers with a device, then logs in to their iPhone etc. If they come back in the next day they can re-register and reconnect (can't reconnect without self registering, as per design).

    But ClearPass then never forgets/deletes the MACs, so when they then come in a week later and register/attempt to connect with another device, they are seen as trying to register / connect a 3rd device and they constantly fail the authentication even though they only have one device on that day.

    Is there a way of restricting a user to 2 devices, but on a per account/day basis?

    What I seem to have working is a user is limited to two devices, but this then caches the same two devices forever more...

    I guess I need to find a way of turning the host to an unknown device or deleting it with a user's account expiry, but I am unsure how to do this.

    Any help would be appreciated...



  • 2.  RE: Mac Caching - Clearpass



  • 3.  RE: Mac Caching - Clearpass

    Posted Mar 24, 2014 01:07 PM

    Thanks Victor

    My configuration already matches that of the link you supplied (the only difference is the caching is set to one day and not the 7 in the example; I used the template to create the service).

    As mentioned in my initial post I have set a limit of 2 devices per user.

    I was under the impression that this would set a limit on a per account/active period (so if a user comes in today and connects 2 devices, if they come back in tomorrow with a different set of devices, they would fail the MAC authentication, but be able to register, possibly using the same email/account details).

    But it appears that it has set a limit where the first 2 devices associated to the account are cached permanently. Am I misunderstanding the way that the MAC caching/limits work? Or have I misconfigured it?

    I know that the MAC address caching works, and that a user can only connect if their account is valid; I just have a problem if a user comes in with different devices, as it exceeds the 2 user limit.

    The customer expects to be able to register 2 devices, per account, per day.



  • 4.  RE: Mac Caching - Clearpass

    Posted Mar 25, 2014 09:11 AM

    Hello sparky

    Assuming you're using the services created by the wizards, you have two tests in terms of devices:

    1. In the enforcement policy for the service handling the web authentication:

    (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 2)      [Deny Access Profile]

    This one doesn't care about how many you have active, only how many Endpoints in the database have a UserName attribute like your Authentication:UserName. That means instant reject the second you register more than 2, regardless of whether you just have 1 active. The Endpoint goes to Known and the Username is added to the Endpoint once you successfully authenticate through RADIUS.

    2. Then there is a post-authentication profile going on that tests for simultaneous sessions:

    1. Session-Check:Active-Session-Count = %{GuestUser:simultaneous_use}
    2. Post-Auth-Check:Action = Disconnect

    So this one checks the active devices you have, and disconnects you if it's above the value from Guest Manager / form field simultaneous_use.

    Then to your use case...

    Basically removing check nr 1 should solve your issue. Then nr 2 will disconnect the client if he tries to have more than 2 active during 1 day.

    Without changing the services you could also achieve this by cleaning up the endpoint database each night. You'll find this under:

    Administration » Server Manager » Server Configuration || Cluster Wide Parameters || Cleanup Intervals
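    To make the difference between the two checks concrete, here is a small added Python model (not ClearPass code, and not from anyone in this thread) of the Endpoints Repository, the Unique-Device-Count check, the Active-Session-Count check and the nightly Cleanup Interval. The MAC addresses, username and day numbers are constructed, and the assumption that the device currently registering is included in Unique-Device-Count is the model's, not the page's.

```python
from dataclasses import dataclass, field

MAX_DEVICES = 2  # the thread's per-account limit (also the simultaneous_use value)

@dataclass
class Endpoint:
    mac: str
    username: str   # UserName written to the endpoint after a successful RADIUS auth
    day_added: int  # day on which the endpoint became Known

@dataclass
class Repository:
    """Stand-in for the Endpoints Repository plus the live-session table."""
    endpoints: list = field(default_factory=list)
    active: dict = field(default_factory=dict)  # mac -> username of live sessions

    def register(self, mac, username, day):
        if not any(e.mac == mac for e in self.endpoints):
            self.endpoints.append(Endpoint(mac, username, day))

    def cleanup(self, today, interval_days):
        """Nightly Cleanup Interval for Known endpoints; 0 means never clean up."""
        if interval_days > 0:
            self.endpoints = [e for e in self.endpoints if today - e.day_added < interval_days]

def check_unique_devices(repo, mac, username):
    """Check 1: Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 2.
    Counts every Known endpoint with this UserName, active or not (model assumption:
    the device registering right now is included in the count)."""
    known = [e for e in repo.endpoints if e.username == username]
    count = len(known) + (0 if any(e.mac == mac for e in known) else 1)
    return count > MAX_DEVICES  # True = Deny Access Profile

def check_active_sessions(repo, username):
    """Check 2: Session-Check:Active-Session-Count against simultaneous_use.
    Only live sessions count, so yesterday's devices do not matter here."""
    return sum(1 for u in repo.active.values() if u == username) > MAX_DEVICES  # True = Disconnect

def scenario(cleanup_interval_days):
    """Day 1: the user registers two devices. Day 8: the same account returns with one
    new device and nothing else active. Returns (denied_by_check_1, denied_by_check_2)."""
    repo = Repository()
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02"):  # constructed MAC addresses
        repo.register(mac, "mark", day=1)
    for night in range(2, 9):  # the nightly cleanup job runs seven times
        repo.cleanup(night, cleanup_interval_days)
    new_mac = "02:00:00:00:00:03"
    repo.active[new_mac] = "mark"  # the only live session on day 8
    return check_unique_devices(repo, new_mac, "mark"), check_active_sessions(repo, "mark")
```

    With the cleanup interval left at 0, `scenario(0)` returns `(True, False)`: the cumulative check denies the third device even though only one session is live, which is exactly the symptom in the first post. With a 1-day interval, `scenario(1)` returns `(False, False)`.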



  • 5.  RE: Mac Caching - Clearpass

    Posted Mar 25, 2014 12:06 PM

    Hi John

    Thanks for the detailed explanation. It is much clearer now.

    Am I correct in that under the settings:

    Administration » Server Manager » Server Configuration || Cluster Wide Parameters || Cleanup Intervals

    the default value of "0" means that it will never clean up the endpoint database?

    So is 1 the minimum?

    Regards

    Mark



  • 6.  RE: Mac Caching - Clearpass

    Posted Mar 27, 2014 07:32 PM

    Hello Mark

    Yes, you're right in assuming that. 0 means never clean up, but then again there might be some other parameter I haven't seen that deletes/cleans up at a later time or if disk space exceeds a threshold.

    Have you been able to get around your issue?


  • 7.  RE: Mac Caching - Clearpass

    Posted Mar 28, 2014 05:22 AM

    Hi John

    I have been experimenting with the values for the session count and allowed devices, and now have a much better understanding of the differences in these values (thanks again).

    I would also like to clear out the endpoint database on a regular basis.

    I set the cleanup interval for both known and unknown devices to 1 day (under the location you mentioned above), but it doesn't seem to clear the devices...

    Devices that connected last week (and my test devices this week/yesterday) and are known are still shown (under CP Configuration » Identity » Endpoints).

    Any ideas?

    Cheers

    Mark