Security

Hello,

 

Step by step, my CP self-registration is going on but there is one thing I can't achieved. I would like that the guests can connect only one hour on the wifi and then are disconnected. I dont' want that the account expire, only the session. So the guests can login again with the same account. Is it possible ?

 

In addition, I'd like to manage a five minutes break between each sessions ?

 

Thanks

 

Dimitri

I haven't tried this myself, but I wonder if it's possible to use the RADIUS attributes Session-Timeout and Terminate-Action to set the session time and then force reauthentication?  I'm not sure if the controller will allow the session timeout to be set by a RADIUS server, but this is certainly possible on a Cisco switch.

Thanks, I have seen this but don't know how to use it exactly. Can you help me a bit ?

A little up if someone more experienced than me can help to implement this.

Thanks

 

Dimitri

 

Well - what is really your point behind making them re-connect?

Is it the option to re-direct them to a landing portal with some info or ads you want them to see/click on?

 

Depending on what you want to achieve I would just save the user the hassle, and just have them re-register to get a new password. The account will by default auto-update with a new password anyways, and not overwrite any parameter not filled in..

 

But - that said...

 

I haven't tried this myself, but you could most likely create a variation of the Enforcement Policy "Standard Guest Access" with a rule that terminates the session if more than 1 hour since last authentication.

 

Inserted screenshot for configuration

 

 

 

 

Note that if the user has already timed out in the Aruba Session ie. he has been idle more than 5 minutes (or whatever you've set user idle timeout to be) he will have to be re-authenticated through the portal anyways.

 

Also.. You might want to use MAC-authentication and do the termination part there instead. Just same kind of rule starting out with the "MAC-caching 24hours" policy.

 

 Try it and let us know how it works out for you.

 

 

Hi,

 

I want to avoid guests to download movies or massive stuffs as IAPs are used as hotspot.

 

I have tried to create a variation of the Enforcement Policy "Standard Guest Access" but I can't add the operator "GREATER_THAN_OR_EQUALS" => value is not correct.

 

Dimitri

It saves fine for me - as you can see in the screenshot. Perhaps you've chosen the wrong Type?

 

(Authorization:[Insight Repository]:Hours-Since-Auth GREATER_THAN_OR_EQUALS 1)

 

 

But - for your purpose perhaps looking into quotas, bandwidth limits and firewall rules..

 

It's a request of my customer but I will try and see about quotas, bandwidth. Can I configure both in CCPM or is it better in the VC of the IAP ?

 

 

As you can see, I can't use GREATER_THAN_OR_EQUALS 1.

 

Dimitri

 

Strange. What version of CPPM are you using? I'm on 6.0.2.46902.
 
The quota part you should do in CPPM & Guest

CCPM 6.0.1.45969

 

Ok for the quota, so I need to make a new Enforcement Profile ?

 

Dimitri

To be honest - I don't really know how to do accounting based authentication in CPPM/CPGUEST 6.x.

 

I used it previously in Amigopod/CP-Guest 3.9.x.

Then it was more or less all described here: 

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Amigopod-3-5-Documentation-and-VRD/td-p/18554

 

Now - just browsing through the menus I see an Enforcement Profile named "Guest Bandwith Limit". This is already referenced in the "Standard Guest Access" service so just changing the Profile parameter Allowed-Limit to something else should enforce it...

 

 

Ok thanks, I'll try with those tools.

 

Dimitri

I back,

 

On CPPM, I can see this Enforcement Profiles used by the Guest Access service.

 

 

I think it's what I need (session timeout) but I am not sure if it's the session or the account that is timeout. Moreover  I don't really understand how works the Value. Can I change it to something like 1 hour ?

 

Thanks

 

Dimitri

I believe that parameter correlates to the Expiry Time of the user account which is set at creation. Changing the value in Enforcement Profile overrides that and doesn't give you the intended effect.

Ok so it's not what I want.

Thanks

 

Dimitri