Wireless Access

Reply
Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

Downloading limit with ClearPass

Hi there,

 

Is there anyone who can share how we can set up a downloading limit with ClearPass.

We have an open SSID with Captive portal. We want to restrict the bandwidth and downloading on this SSID for a some kind of devices (Students own devices).

 

Thank you.

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Downloading limit with ClearPass

[ Edited ]

You can do this in combination with the controller, RADIUS accounting, and Insight. See the screenshot below. It should get you started.

 

guest-bandwidth.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

Re: Downloading limit with ClearPass

Hi Tim,

 

Thank you for the quick response,

 

I already have an enforcement profile used to enforce an aruba rule, How can I integrate the Bandwidth_Limit enforcement profile with my Service in ClearPass? Could you please give me more details?

 

Thank you.

Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Downloading limit with ClearPass

I've been playing with it in my lab and I actually can't get it to work quite right. Are the users coming in through a CP Guest account or are they just regular 802.1X / MAC-Auth authentications?

 

Maybe someone else has some ideas.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 66
Registered: ‎02-02-2012

Re: Downloading limit with ClearPass

Hi Tim,

 

Sorry for the late. As I montionned in my initial post, we have an open ssid with CP used by students to access the network using their AD accounts. We want to limit downloading for instance 50 MB per user per day.

 

I used Bandwidth Limit enforcement profile as per your advice, the user get disconnected when he reaches the Bandwidth limit.

 

Thank you.

Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Downloading limit with ClearPass

I have tested this enforcement profile against a MAC authed user and found it does not work. The RADIUS accounting is working and the activity logs show user's total and download traffic has exceeded the limit.

 

"Disconnect" is very ambiguous, as is the only other enforcement option "Disconnect and block access.

What actual action are we expecting CP and the controller to take, and how will this be shown in CP logs? Unfortunately the feature is not well documented.


--
ACMA ACMP
MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: Downloading limit with ClearPass

i would expect a CoA request disconnecting the user. when he tries to connect again the request will be blocked.

 

do you see something like that? it might be your CoA isnt setup correctly.

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Downloading limit with ClearPass


BGC IT wrote:

I have tested this enforcement profile against a MAC authed user and found it does not work. The RADIUS accounting is working and the activity logs show user's total and download traffic has exceeded the limit.

 

"Disconnect" is very ambiguous, as is the only other enforcement option "Disconnect and block access.

What actual action are we expecting CP and the controller to take, and how will this be shown in CP logs? Unfortunately the feature is not well documented.


BGC IT,

 

This works, but it requires more than just interim radius accounting and disconnect enforcement.  If you open a TAC case they can lead you through everything that is needed for this to work reliably.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 37
Registered: ‎03-15-2011

Re: Downloading limit with ClearPass

Sorry to dig out an old thread, but has anyone had a go at getting this working based on a users MAC address rather than username?

Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Downloading limit with ClearPass

I got it done with a combination of MAC address and User auth (i.e. MAC caching) with help from support. It required making changes to the internal SQL queries. 


--
ACMA ACMP
Search Airheads
Showing results for 
Search instead for 
Did you mean: