Wireless Access

I don't think this can be done without clearpass but thought I'd put it out there to you guys and see what I get.

Customer wants an SSID that uses captive portal to authenticate users off of the internal database or Radius (doesn't matter which). Easy right? Well here is the catch, they only want the user to be able to log in with a single device.

Scenario is, they give each user their own unique username and password that will allow them to log on with a single device. After the controller sees that user logged on it would block any other request from that user until they log off the one connected device. This would prevent them from connecting multiple devices (phone, iPad, etc etc) and would stop them from giving there username and password to their buddy so they can share access.

I don't think this can be done with standalone controller without clearpass.... thoughts?

Think I may have answered my own question.

Create a unique user role for each person.

In User Role set Max Sessions to 1

In Server Group for the SSID set Server Rules

Priority 1 Attribute Role Operation value-of Type String Action set role

I'm going to gen this up in my lab and see if it works.

Stay tuned.....

This doesn't seem to be working...

max sessions in the user role only corresponds to firewall traffic sessions, not simultaneous users.  Please do NOT touch that parameter!  In the Captive Portal Authentication Profile, use the "Allow only one active user session" parameter for what you want to achieve.