Wireless Access

Hi there,

Is there anyone who can share how we can set up a downloading limit with ClearPass.

We have an open SSID with Captive portal. We want to restrict the bandwidth and downloading on this SSID for a some kind of devices (Students own devices).

Thank you.

You can do this in combination with the controller, RADIUS accounting, and Insight. See the screenshot below. It should get you started.

Hi Tim,

Thank you for the quick response,

I already have an enforcement profile used to enforce an aruba rule, How can I integrate the Bandwidth_Limit enforcement profile with my Service in ClearPass? Could you please give me more details?

Thank you.

I've been playing with it in my lab and I actually can't get it to work quite right. Are the users coming in through a CP Guest account or are they just regular 802.1X / MAC-Auth authentications?

Maybe someone else has some ideas.

Hi Tim,

Sorry for the late. As I montionned in my initial post, we have an open ssid with CP used by students to access the network using their AD accounts. We want to limit downloading for instance 50 MB per user per day.

I used Bandwidth Limit enforcement profile as per your advice, the user get disconnected when he reaches the Bandwidth limit.

Thank you.

I have tested this enforcement profile against a MAC authed user and found it does not work. The RADIUS accounting is working and the activity logs show user's total and download traffic has exceeded the limit.

"Disconnect" is very ambiguous, as is the only other enforcement option "Disconnect and block access.

What actual action are we expecting CP and the controller to take, and how will this be shown in CP logs? Unfortunately the feature is not well documented.

i would expect a CoA request disconnecting the user. when he tries to connect again the request will be blocked.

do you see something like that? it might be your CoA isnt setup correctly.

---

@BGC IT wrote:

I have tested this enforcement profile against a MAC authed user and found it does not work. The RADIUS accounting is working and the activity logs show user's total and download traffic has exceeded the limit.

 

"Disconnect" is very ambiguous, as is the only other enforcement option "Disconnect and block access.

What actual action are we expecting CP and the controller to take, and how will this be shown in CP logs? Unfortunately the feature is not well documented.

---

BGC IT,

This works, but it requires more than just interim radius accounting and disconnect enforcement.  If you open a TAC case they can lead you through everything that is needed for this to work reliably.

Hi,

can we perform this also on an Instant virtual controller and CLearpass ?

Create a ticket for guests to use wifi and set a maximum usage limit ?

Regards

Sorry to dig out an old thread, but has anyone had a go at getting this working based on a users MAC address rather than username?

I got it done with a combination of MAC address and User auth (i.e. MAC caching) with help from support. It required making changes to the internal SQL queries. 

yea, thats what I was expecting. I've had a poke around at this and it doesn't seem possible without support's help as the db username password or schema isnt published...

could you share any notes on how they helped you?

Hmm, difficult to reconstruct what they did without spending a bit of time looking at config and comparing to another system.

I would recommend just going through support. I do recall this was a textbook case for self-inconsistency and poor implementation within Clearpass but unless there's some will to rectify these things I've stopped documenting them.