Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Terminating clients after exceeding the daily limit

  • 1.  Terminating clients after exceeding the daily limit

    Posted Jan 30, 2013 07:41 PM

    We'd like to set a daily limit on data traffic for guest clients. We've already set up RADIUS accounting, which is working well, but we don't know how to terminate a client after he exceeds the limit. As I read in some documents, it should be done with RADIUS CoA. Unfortunately, I'm an Aruba novice and I'm not yet familiar with CPPM's philosophy. I read the accounting TN for Amigopod, but CPPM has a different GUI for setting the policies, so it doesn't help me. Could somebody give me some advice or a workflow for setting the profiles, policies, etc. in CPPM, please?



  • 2.  RE: Terminating clients after exceeding the daily limit
    Best Answer

    Posted Jan 30, 2013 08:06 PM

    You will want to create a post-authentication enforcement profile ("Session Restrictions Enforcement"), and apply this to the sessions that should be restricted.

     

    The options in the enforcement profile are hopefully self-explanatory: you can set Post-Auth-Check : Action = Disconnect, and then appropriate values for Bandwidth-Check : Check-Type = Daily, Bandwidth-Check : Allowed-Limit = 50, Bandwidth-Check : Limit-Units = MB.

     

     



  • 3.  RE: Terminating clients after exceeding the daily limit

    Posted Feb 12, 2013 08:56 AM

    Hello amigodave.

     

    This works fine for me.

    Can I change the user-role on the mobility controller when the user reaches his data limit?

    The reason is that the user is not disconnected, but is dropped to a user-role (e.g.) with lower bandwidth.

     

    Regards


    Jaroslav

     



  • 4.  RE: Terminating clients after exceeding the daily limit

    Posted Apr 01, 2014 02:15 AM

    Apologies for digging out an old post...

     

    Is there anything special required to deploy this on Aruba Instant? I've set up a profile with the attributes you have suggested below, and they are assigned to a policy, yet my users are fully capable of downloading past their Allowed-Limit.

     

    Any suggestions?



  • 5.  RE: Terminating clients after exceeding the daily limit

    Posted Apr 01, 2014 07:25 AM

    Well, you need to have CoA and RADIUS Interim Accounting configured. With that in place it should work.

    You can check an account in Access Tracker to verify that RADIUS Accounting is going on, and whether any CoA has been fired off.

     

     



  • 6.  RE: Terminating clients after exceeding the daily limit

    Posted Apr 02, 2014 06:37 PM

    I know for sure that accounting is enabled; it's how I am able to check that the client has downloaded more than their limit (CPPM Guest -> Active Session and also in Access Tracker).

     

    I'll check CoA; I know it's enabled on the IAP, as well as RFC3576 (default config).

     

    Is there anything else I should check?

    Actually, how do I check CoA is enabled?



  • 7.  RE: Terminating clients after exceeding the daily limit

    EMPLOYEE
    Posted Apr 02, 2014 06:39 PM

    You can either look for the CoA tab in Access Tracker or find an Access Tracker entry and click the Change Status button to initiate a CoA. It will tell you if it was successful or not.



  • 8.  RE: Terminating clients after exceeding the daily limit

    Posted Apr 02, 2014 06:42 PM

    ok.

     

    There is no CoA tab under Access Tracker (I get Summary, Input, Output and Accounting) and the only option under "Change Status" is "Server Action" (the others are greyed out).

     

    So I'm assuming CoA is not enabled.



  • 9.  RE: Terminating clients after exceeding the daily limit

    EMPLOYEE
    Posted Apr 02, 2014 06:44 PM

    You'll want to enable RADIUS CoA for each of your NADs that you want to have the CoA functionality. You can do this under Configuration > Network > Devices, click on a device and then check the RADIUS CoA box.



  • 10.  RE: Terminating clients after exceeding the daily limit

    Posted Apr 02, 2014 06:46 PM

    Yep, that's already done.

     

    Is there a difference between RADIUS CoA on CPPM and AirGroup CoA on IAPs? If not, I'm assuming these should be on the same port?



  • 11.  RE: Terminating clients after exceeding the daily limit

    EMPLOYEE
    Posted Apr 02, 2014 06:50 PM

    They are NOT on the same port, no...



  • 12.  RE: Terminating clients after exceeding the daily limit

    Posted Apr 02, 2014 07:04 PM

    Good, just confirming...



  • 13.  RE: Terminating clients after exceeding the daily limit

    Posted Apr 02, 2014 11:20 PM

    Solved it! For some reason NAS IP and NAS Identifier on the IAP were configured and were messing with ClearPass.
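
As an added illustration (not part of any post above, and not ClearPass's own logic), the sketch below shows why the daily limit from reply 2 depends on the interim accounting mentioned in reply 5: usage is computed from cumulative RADIUS accounting counters, and a session that has not sent a Stop is only visible through its Interim-Updates. The record layout, helper names and sample values are constructed for the example; 1 MB is assumed to be 2**20 bytes.

```python
MB = 1024 * 1024
LIMIT_BYTES = 50 * MB  # Allowed-Limit = 50, Limit-Units = MB (values from reply 2)

def octets(rec, direction):
    """Combine the 32-bit octet counter with its Gigawords wrap count (RFC 2869)."""
    low = int(rec.get(f"Acct-{direction}-Octets", 0))
    high = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    return (high << 32) | low

def daily_usage(records):
    """records: one day's accounting records in arrival order -> {user: bytes}.
    Counters are cumulative per session, so keep the highest value seen per
    Acct-Session-Id and add sessions together; summing every record overcounts.
    Simplification: a session that started the previous day is counted in full."""
    per_session = {}
    for rec in records:
        key = (rec["User-Name"], rec["Acct-Session-Id"])
        total = octets(rec, "Input") + octets(rec, "Output")
        per_session[key] = max(per_session.get(key, 0), total)
    usage = {}
    for (user, _sid), total in per_session.items():
        usage[user] = usage.get(user, 0) + total
    return usage

def sessions_to_disconnect(records, limit=LIMIT_BYTES):
    """Open sessions (no Stop seen) of users over the limit, as
    (user, NAS-IP-Address, session id): what a Disconnect-Request would target."""
    over = {u for u, used in daily_usage(records).items() if used > limit}
    open_sessions = {}
    for rec in records:
        sid = rec["Acct-Session-Id"]
        if rec["Acct-Status-Type"] == "Stop":
            open_sessions.pop(sid, None)
        elif rec["User-Name"] in over:
            open_sessions[sid] = (rec["User-Name"], rec["NAS-IP-Address"], sid)
    return sorted(open_sessions.values())

def rec(user, sid, status, in_mb, out_mb, nas="192.0.2.10"):
    """Build a constructed accounting record (sizes given in MB)."""
    return {"User-Name": user, "Acct-Session-Id": sid, "NAS-IP-Address": nas,
            "Acct-Status-Type": status,
            "Acct-Input-Octets": in_mb * MB, "Acct-Output-Octets": out_mb * MB}

# Constructed sample: guest1 has a finished 15 MB session and an open one at 40 MB.
SAMPLE = [rec("guest1", "A1", "Stop", 5, 10),
          rec("guest1", "A2", "Interim-Update", 2, 18),
          rec("guest1", "A2", "Interim-Update", 4, 36),
          rec("guest2", "B1", "Interim-Update", 1, 9)]

if __name__ == "__main__":
    print(daily_usage(SAMPLE), sessions_to_disconnect(SAMPLE))
```

With the Interim-Update records filtered out of the sample, guest1 shows only 15 MB and nothing is selected for disconnect, which is the situation a NAS without interim accounting leaves the server in.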