Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Session limit trigger

  • 1.  Session limit trigger

    Posted Sep 08, 2012 10:42 AM

    Hi,

     

    I would like to configure some custom warning messages. Currently I am stuck on a multiple session limit.

     

    I have all my ClearPass users set to a session limit of 1.

    When a user logs into a 2nd device without logging out of the 1st device the login page should be refreshed and a warning message displayed.

    I would like to know what triggers the warning message.

     

    Currently I believe it sends the equivalent of username/password incorrect to my Cisco WLC, which will return a statusCode=5 to the ClearPass.

     

    I would expect this to be a statusCode=1 (you are already logged in) or statusCode=3 (you can't be logged in at this time).

     

    Anyone got any experience with custom error codes with ClearPass and Cisco WLC?



  • 2.  RE: Session limit trigger

    Posted Sep 10, 2012 02:26 PM

    You could use the {nwa_radius_query} function in the page HTML to determine if the user is already logged in, and present a message.  This does not rely on Cisco's statusCode parameter.

     

    Something like this might work:

     

    {nwa_radius_query _method=GetIpAddressSessions _assign=num_sessions}
    {if $num_sessions > 0}
    <p>
      You are already logged in...
    </p>
    {/if}

     

     



  • 3.  RE: Session limit trigger

    Posted Sep 10, 2012 11:45 PM

    That's a much better idea, thanks.

     

    Just to clarify, it would be on a second device that the error would be generated, so instead of GetIpAddressSession (based on user IP) would it be better to use GetCurrentSession or GetUserActiveSession? And what would the syntax be?

     

    I have tried the following:

     

    {nwa_radius_query _method=GetUserActiveSessions from_time="900" _assign=num_sessions}
    {if $num_sessions > 0}
     {nwa_icontext type=error}
    You are already logged in...
     {/nwa_icontext}
    {/if}

     

    and:

     

    {nwa_radius_query _method=GetUserSession from_time="900" to_time=null _assign=num_sessions}
    {if $num_sessions > 0}
     {nwa_icontext type=error}
    You are already logged in...
     {/nwa_icontext}
    {/if}

     

    both fail with:

     

    "missing arguments to method"



  • 4.  RE: Session limit trigger

    Posted Sep 17, 2012 05:05 PM

    There is no method "GetUserSession", so I'm not sure what the second example is trying to achieve.

     

    The "username" argument is needed for "GetUserActiveSessions".

     

    The "from_time" argument is needed for "GetIpAddressSessions".

     

    Without these arguments, you are going to get an error.  You need to provide the appropriate value when you call the function.