Limiting user with expect scripting without using Clearpass - October-MHC
10-15-2014 01:57 AM
Introduction
Limiting the bandwidth of wireless users on controllers in a master-local topology using only a scripting language is easy and crucial in a big campus network. We have limited many users by the following method to save bandwidth.
Steps
1- Create a role on aruba for limited users. In my case, it is named "role-1mbps".
2- Radius accounting information is logged to mysql with freeradius-mysql.
3- Calculate your download/upload threshold value of users in a period.
4- We will have another script which will trigger the following expect script. The script will make changes on both controllers, and the user's session won't be completely removed.
Expect script:
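#!/usr/bin/expect
# Assumption: the triggering script passes the user name as the first argument
set username [lindex $argv 0]
set password 123123
# Master controller: add the role-derivation rule for this user
set hosts "aruba-master"
# StrictHostKeyChecking=no disables SSH host key verification for this login
spawn ssh -o StrictHostKeyChecking=no admin@$hosts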
expect "admin@$hosts's password:"
send -- "$password\n"
expect "#"
send -- "config t\n"
expect "#"
send -- "aaa server-group SSID-wpa2\n"
expect "#"
send -- "set role condition User-Name equals $username set-value role-1mbps position 1\n"
expect "#"
send -- "write mem\n"
expect "#"
send -- "exit\n"
set hosts "aruba-local"
spawn ssh -o StrictHostKeyChecking=no admin@$hosts
expect "admin@$hosts's password:"
send -- "$password\n"
expect ">"
send -- "ena\n"
expect "Password:"
send -- "$password\n"
expect "#"
send -- "aaa user delete name $username\n"
expect "#"
send -- "exit\n"
5- To remove the limited role, send only the "no" row.
send -- "no set role condition User-Name equals $username set-value role-1mbps\n"
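An added example, not part of the original post: one way the triggering script from steps 3 and 4 could select users over a traffic threshold from the FreeRADIUS `radacct` table and refuse any User-Name that is not safe to type into the controller CLI. It assumes the stock FreeRADIUS column names and uses an in-memory SQLite table with constructed rows in place of MySQL; the script path `./limit_user.exp`, the 10 GiB threshold and the allow-list pattern are hypothetical.

```python
import re
import sqlite3

# Allow-list for names that will be typed into the controller CLI (assumed policy).
# Spaces, quotes, control characters and newlines are all rejected.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def users_over_quota(conn, since, limit_bytes):
    """Return (username, total_bytes) for users above limit_bytes since `since`."""
    rows = conn.execute(
        "SELECT username, SUM(acctinputoctets + acctoutputoctets) AS total "
        "FROM radacct WHERE acctstarttime >= ? GROUP BY username "
        "HAVING SUM(acctinputoctets + acctoutputoctets) > ? ORDER BY total DESC",
        (since, limit_bytes),
    ).fetchall()
    return [(user, int(total)) for user, total in rows]

def plan_commands(conn, since, limit_bytes, script="./limit_user.exp"):
    """Split offenders into argv lists to run and names rejected as unsafe."""
    run, rejected = [], []
    for user, _total in users_over_quota(conn, since, limit_bytes):
        if SAFE_USERNAME.fullmatch(user):
            run.append([script, user])  # argv list, never a shell string
        else:
            rejected.append(user)       # log it and review by hand
    return run, rejected

def sample_db():
    """Constructed sample rows; sqlite3 stands in for the MySQL radacct table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT, "
                 "acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    gb = 1024 ** 3
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", [
        ("alice", "2014-10-14 09:00:00", 3 * gb, 4 * gb),
        ("alice", "2014-10-15 09:00:00", 2 * gb, 2 * gb),
        ("bob", "2014-10-15 10:00:00", 1 * gb, 1 * gb),
        ("carol", "2014-10-01 08:00:00", 9 * gb, 9 * gb),  # outside the period
        ("dave\nshow version", "2014-10-15 11:00:00", 6 * gb, 6 * gb),
    ])
    return conn

if __name__ == "__main__":
    run, rejected = plan_commands(sample_db(), "2014-10-10 00:00:00", 10 * 1024 ** 3)
    print("run:", run)
    print("rejected:", [repr(u) for u in rejected])
```

The User-Name in accounting records is supplied by the client, and the expect script sends it to the CLI verbatim followed by a newline, so a name that fails the allow-list is held back rather than passed on.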
Re: Limiting user with expect scripting without using Clearpass - October-MHC
10-16-2014 03:00 AM - edited 10-16-2014 03:04 AM
Good writeup. I have not tested this.
- Does the WLC need to have interim accounting configured for this to work?
- What module needs to be run to collect the interim accounting information and does the controller need to point to that module as a radius accounting server?
- The CLI on the controller is single-threaded. Since you could be dealing with quite a few users, is there something to rate-limit logging into the CLI, yet still allow for timely disconnects? It might be better to use the XML-API of the controller to change a user role or to disconnect a user, since it is not bound by the CLI: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/Using_the_XML_API_Server.htm
...just a few questions...
Colin Joseph
Aruba Customer Engineering
Re: Limiting user with expect scripting without using Clearpass - October-MHC
10-16-2014 03:30 AM
Hi Colin,
- Yes, you are supposed to enable Interim Accounting so as not to wait for the "Stop" packet of radius.
- The freeradius-mysql module collects the traffic information in the database.
- What you have suggested might be a better option. I didn't use the XML API. I had another two options for changing the role. When I use the "aaa user delete name" command, it never disconnects the user. It refreshes the user's profile/role table.
Thanks,
Re: Limiting user with expect scripting without using Clearpass - October-MHC
10-16-2014 03:34 AM
umutarus,
Got it.
If you want to really disconnect the user, you can blacklist the user with the "stm add-blacklist-client <client mac>" command: https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/How-to-blacklist-a-client-in-a-centralized-way
If you wanted to change the user's role so that they also get a message, you could do that as well...
Colin Joseph
Aruba Customer Engineering