Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass Concurrent Session

  • 1.  clearpass Concurrent Session

    Posted May 26, 2017 12:32 AM

    Hi Sifus,

    Is there any way to show a notification to the user when they already use more than 2 devices?

    Can we make it show at the captive portal immediately after the user tries to log in, the same concept as a user logging in using an invalid password (the notification will appear in red text)?



  • 2.  RE: clearpass Concurrent Session

    EMPLOYEE
    Posted May 26, 2017 05:41 AM

    What WLAN controller is being used?  The method used to notify the user will depend on the WLAN controller.



  • 3.  RE: clearpass Concurrent Session

    Posted May 26, 2017 06:05 AM
    We are using 7220. Can we do a simple error message like the invalid username password?


  • 4.  RE: clearpass Concurrent Session

    EMPLOYEE
    Posted May 26, 2017 06:14 AM

    If you are using ArubaOS 6.5 and above, if you return text in the Radius Reply-Message attribute on ClearPass when you reject a password, it will show up on the captive portal page. http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Captive_Portal/Internal_Captive_Portal.htm

    Please see the heading "Customizing Authentication Reply-Message to Captive Portal Users".



  • 5.  RE: clearpass Concurrent Session

    Posted May 26, 2017 06:23 AM
    I’m a little bit confused: is this done at the CPPM or at the controller? If at the controller, it's running 6.3.x. The CPPM is running 6.5.5.


  • 6.  RE: clearpass Concurrent Session

    EMPLOYEE
    Posted May 26, 2017 06:27 AM

    The controller must be running AOS 6.5 to display the reply-message attribute from clearpass in the captive portal.  ClearPass can be any version that can send a reply-attribute in a radius response.



  • 7.  RE: clearpass Concurrent Session

    Posted May 26, 2017 06:29 AM
    If the controller is upgraded to 6.5, which part of the controller needs to be configured?


  • 8.  RE: clearpass Concurrent Session

    EMPLOYEE
    Posted May 26, 2017 06:38 AM

    The controller does not need to be configured.  If you send a radius reject from clearpass along with a message in the reply-message attribute it is displayed on the captive portal page.



  • 9.  RE: clearpass Concurrent Session

    Posted May 26, 2017 06:41 AM
    Currently we are pushing the deny access profile to the user. Any other workaround if using AOS 6.3.x? The main objective is to notify the user they have exceeded the concurrent device limit.


  • 10.  RE: clearpass Concurrent Session



  • 11.  RE: clearpass Concurrent Session

    EMPLOYEE
    Posted May 26, 2017 09:17 AM
    You can show anything you want to a user on a ClearPass captive portal. Just write a policy that checks active sessions and then returns a role with the custom page’s URL.


  • 12.  RE: clearpass Concurrent Session

    Posted May 26, 2017 09:23 AM
    Understood the concept.

    Right now I’m using:

    select count(DISTINCT calling_station_id) as sessions
    from radius_acct
    where (username = '%{Authentication:Username}')
      AND (NAD_IP = 'x.x.x.x' OR NAD_IP = 'x.x.x.x' OR NAD_IP = 'x.x.x.x' OR NAD_IP = 'x.x.x.x')
      AND end_time is null
      AND termination_cause is null
      AND (updated_at BETWEEN (now() - interval '1 hour') AND now());

    Is this the best query for detecting devices per username? If I understand correctly, if there is no active session within 1 hour, the counting will be reset back to ‘0’. Am I correct?
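
How the filter posted above counts devices, as an added example that is not part of the thread and not ClearPass's own code: SQLite stands in for the ClearPass database, the table is a constructed stand-in holding only the columns the query names, and the NAD addresses, MACs and timestamps are made up. It assumes updated_at holds the time of the row's last accounting update, and passes now() in as a parameter so the same rows can be evaluated at three different times.

```python
import sqlite3

# Constructed stand-in table: only the columns the posted query references.
SCHEMA = """CREATE TABLE radius_acct (
    username TEXT, calling_station_id TEXT, nad_ip TEXT,
    end_time TEXT, termination_cause TEXT, updated_at TEXT)"""

# The posted filter. now() becomes the :now parameter so results are
# repeatable, and the PostgreSQL interval becomes datetime(:now, '-1 hour').
QUERY = """SELECT count(DISTINCT calling_station_id) AS sessions
    FROM radius_acct
    WHERE username = :user
      AND (nad_ip = '192.0.2.10' OR nad_ip = '192.0.2.11')
      AND end_time IS NULL AND termination_cause IS NULL
      AND updated_at BETWEEN datetime(:now, '-1 hour') AND :now"""

# Constructed sample rows; addresses, MACs and times are made up.
ROWS = [
    # open session, recently updated: counted
    ("alice", "aa-bb-cc-00-00-01", "192.0.2.10", None, None, "2017-05-26 09:20:00"),
    # same MAC on the second controller: DISTINCT keeps it at one device
    ("alice", "aa-bb-cc-00-00-01", "192.0.2.11", None, None, "2017-05-26 09:25:00"),
    # second device, open: counted
    ("alice", "aa-bb-cc-00-00-02", "192.0.2.10", None, None, "2017-05-26 09:00:00"),
    # stopped session: excluded by end_time / termination_cause
    ("alice", "aa-bb-cc-00-00-03", "192.0.2.10", "2017-05-26 09:10:00", "User-Request", "2017-05-26 09:10:00"),
    # never closed, last update over an hour old: excluded by the time window
    ("alice", "aa-bb-cc-00-00-04", "192.0.2.10", None, None, "2017-05-26 07:45:00"),
    # open session on a NAD that is not in the list: excluded
    ("alice", "aa-bb-cc-00-00-05", "198.51.100.5", None, None, "2017-05-26 09:28:00"),
    ("bob", "aa-bb-cc-00-00-06", "192.0.2.11", None, None, "2017-05-26 09:29:00"),
]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn

def active_devices(conn, user, now):
    """Distinct open-session MACs for user, evaluated as if now() were `now`."""
    return conn.execute(QUERY, {"user": user, "now": now}).fetchone()[0]

if __name__ == "__main__":
    db = build_db()
    for now in ("2017-05-26 09:30:00", "2017-05-26 10:15:00", "2017-05-26 11:00:00"):
        print(now, active_devices(db, "alice", now))
```

In the last evaluation the count is 0 even though rows with no end_time remain in the table, because none of them was updated inside the one-hour window.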