Occasional Contributor I
Posts: 7
Registered: ‎03-26-2014

Limiting user with expect scripting without using Clearpass - October-MHC

Introduction

Limiting the bandwidth of wireless users on controllers in a master-local topology using only a scripting language is very easy and crucial in a big campus network. We have been limiting many users with the following method to save bandwidth.

Steps

1- Create a role on the Aruba controller for limited users. In my case, it is named "role-1mbps".
2- RADIUS accounting information is logged to MySQL with freeradius-mysql.
3- Calculate your users' download/upload threshold value for the period.
4- We will have another script which will trigger the following expect script. The script will make changes on both controllers, and the user's session won't be completely removed.

Expect script:
#!/usr/bin/expect
# Usage: limit_user.exp <username>
# The username to limit is taken from the command line (the original
# script referenced $username without ever setting it).
if {[llength $argv] < 1} {
    puts stderr "usage: $argv0 <username>"
    exit 1
}
set username [lindex $argv 0]
# Admin password for both controllers (hard-coded as in the original)
set password 123123
set timeout 20

# Master: add a server-group derivation rule that assigns role-1mbps
set hosts "aruba-master"
spawn ssh -o StrictHostKeyChecking=no admin@$hosts
expect "admin@$hosts's password:"
send -- "$password\n"
expect "#"

send -- "config t\n"
expect "#"
send -- "aaa server-group SSID-wpa2\n"
expect "#"
send -- "set role condition User-Name equals $username set-value role-1mbps position 1\n"
expect "#"
send -- "write mem\n"
expect "#"
send -- "exit\n"

# Local: refresh the user's entry so the new role is applied
set hosts "aruba-local"
spawn ssh -o StrictHostKeyChecking=no admin@$hosts
expect "admin@$hosts's password:"
send -- "$password\n"
expect ">"
send -- "ena\n"
expect "Password:"
send -- "$password\n"
expect "#"
send -- "aaa user delete name $username\n"
expect "#"
send -- "exit\n"

5- To remove the limited role, send only the "no" form of the rule instead (in the same server-group context on the master):
send -- "no set role condition User-Name equals $username set-value role-1mbps\n"
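As an added example that is not part of the original post, the "other script" of step 4 can be sketched in Python: it reads each user's upload plus download from a radacct table shaped like the one freeradius-mysql fills (here an in-memory SQLite copy with constructed rows, FreeRADIUS column names) and decides which users the expect script should limit or un-limit; the period start and the 1 GB threshold are assumed values.

```python
"""Find which users should be moved into, or out of, the limited role.

Added example, not from the original post: the trigger logic of step 4
against a radacct table like the one freeradius-mysql fills.  Rows,
period start and the 1 GB threshold are constructed/assumed values.
"""
import sqlite3

# Constructed sample rows: (username, acctstarttime, acctupdatetime,
# acctstoptime, acctinputoctets, acctoutputoctets).  Interim accounting
# keeps acctupdatetime and the octet counters current for open sessions.
SAMPLE_ROWS = [
    ("alice", "2014-09-30 20:00:00", "2014-09-30 23:50:00", "2014-09-30 23:50:00", 100, 200),
    ("alice", "2014-10-01 08:00:00", "2014-10-01 12:00:00", None, 400_000_000, 900_000_000),
    ("bob",   "2014-10-01 09:00:00", "2014-10-01 09:30:00", None, 10_000_000, 50_000_000),
    ("carol", "2014-10-01 07:00:00", "2014-10-01 11:00:00", None, 300_000_000, 500_000_000),
    ("carol", "2014-10-01 11:30:00", "2014-10-01 13:00:00", None, 100_000_000, 250_000_000),
]


def load_sample() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL radacct table (FreeRADIUS column names)."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE radacct (
        username TEXT, acctstarttime TEXT, acctupdatetime TEXT, acctstoptime TEXT,
        acctinputoctets INTEGER, acctoutputoctets INTEGER)""")
    con.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def users_over_threshold(con, since, limit_bytes):
    """Upload + download per user over sessions updated since `since`
    (ISO timestamps compare correctly as strings), keeping those above limit_bytes."""
    return con.execute(
        """SELECT username, SUM(acctinputoctets + acctoutputoctets) AS total
           FROM radacct
           WHERE acctupdatetime >= ?
           GROUP BY username
           HAVING total > ?
           ORDER BY total DESC""",
        (since, limit_bytes),
    ).fetchall()


def role_changes(con, since, limit_bytes, currently_limited):
    """Return (to_limit, to_unlimit): who needs the 'set role condition' rule
    added (step 4) and who should get the 'no' form of the rule (step 5)."""
    over = {name for name, _ in users_over_threshold(con, since, limit_bytes)}
    return over - set(currently_limited), set(currently_limited) - over
```

Each name in the first set is what the expect script above would be invoked with; the second set is fed the "no" row from step 5.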

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: Limiting user with expect scripting without using Clearpass - October-MHC

Good writeup. I have not tested this.

- Does the WLC need to have interim accounting configured for this to work?

- What module needs to be run to collect the interim accounting information, and does the controller need to point to that module as a RADIUS accounting server?

- The CLI on the controller is single-threaded. Since you could be dealing with quite a few users, is there something to rate-limit logging into the CLI, yet still allow for timely disconnects? It might be better to use the XML-API of the controller to change a user role or to disconnect a user, since it is not bound by the CLI: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/Using_the_XML_API_Server.htm

 

...just a few questions...



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 7
Registered: ‎03-26-2014

Re: Limiting user with expect scripting without using Clearpass - October-MHC

Hi Colin,

- Yes, you are supposed to enable Interim Accounting so that you do not have to wait for the RADIUS "Stop" packet.

- The freeradius-mysql module collects the traffic information in the database.

- The option you have suggested might be better. I didn't use the XML API. I had two other options for changing the role. When I use the "aaa user delete name" command, it never disconnects the user. It refreshes the user's profile/role table.

 

thanks,

Guru Elite
Posts: 21,487
Registered: ‎03-29-2007

Re: Limiting user with expect scripting without using Clearpass - October-MHC

umutarus,

Got it.

If you want to really disconnect the user, you can blacklist the user with the "stm add-blacklist-client <client mac>" command: https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/How-to-blacklist-a-client-in-a-centralized-way

If you wanted to change the user's role so that they also get a message, you could do that as well...



Colin Joseph
Aruba Customer Engineering
