Is there a way in the Aruba OS to set a limit on how many devices can be used by a particular user?
We do not have Clearpass.
Captive portal ?
We use both Captive Portal and 802.1X. I'd want the limit to apply across both authentication methods.
The reasoning behind this is that recently we had an incident where a set of credentials for a teacher got out into the student population. The teacher role does not get shut off at night unlike the student role. As soon as the kids figured this out, it spread like wildfire. Pretty soon we had 419 devices using the same login credentials. I'd like to set a hard limit for any user so that they can only have a fixed number of devices authenticated and connected at any point.
Here's your answer for the Captive Portal that is if you are using different usernames , instead of a just an accept terms and condition page with a generic username:
Unfortunately there's no way to do this with 802.1X on the controller side of things without having a policy engine like ClearPass
Do you have the steps to configure the Clearpass service to limit the amount of Simultaneous users?
@nilslau03 wrote:Do you have the steps to configure the Clearpass service to limit the amount of Simultaneous users?
To do this from ClearPass:
- Add the Endpoint Database as your Authorization Source
- Then create a post authentication profile that updates the endpoint repository with the username
- Then in the policy add the Endpoint > Unique Device Count as condition to allow access
What radius server do you use for your dot1x auth?
Windows Server 2012 NPS
And... how to do it without ClearPa$$$$$???
I have the same case. (NPS)
This type of functionality is not available in NPS.
Will there be in Aruba (HPE) some kind of strategy that will allow an educational organization (public university) in a developing country (low-income) to acquire the ClearPass to make this important requirement?
Are there any other alternatives to ClearPa $$?
Or are customers destined to be unable to comply with this (which Aruba itself "recommends" as "should be done") for lack of resources?
Dominic Orr please tell us if you read, I heard you sometimes and this seems to be only at the level of visionaries ... (I heard you at a conference ...)
Please work with your local Aruba team.
:/ thanks... but... No $$$ -> No win-win. Seems like we need "out of country" level guys...
Between the Aruba product and Radius create a radius forwarder - that checks number of active sessions on the controller with that username and if the limit is reached the point in between would send back a reject - or forward it to the Radius to check the creds. (This should be preatty easy to obtain with a python DEV and a DB on the radius forwarder that would keep the number of connections active status from the controller).
Forgot to add - in order to let's say prevent a user that has connection issues to be able to reconnect fast in the forwarder you would keep the number of connections and MAC's of each device - and if a device that has already an active session is trying again you would allow - given that the refresh in the DB from the controller would happen every certain min.
@Homerodesepcionado wrote:And... how to do it without ClearPa$$$$$??? I have the same case. (NPS) Regards.
Since ClearPass is based off FreeRADIUS and a database, are free to design your own solution around the building blocks for free or low cost.
We pay for the design & product reliability support from ClearPass but other lower cost options exist.
It depends on how motivated you are to have a solution.
I think you nailed it Bruce.
For the cost of hiring a developer as mentioned earlier, you could probably purchase ClearPass.
Very true Tim,
Also, compared to other solutions, Clearpass is very feature rich and reasonably priced. Whoever started the phrase "You get what you pay for" was spot on.
I didn't want to offend anyone .... Just wanted to provide another logical possibility to get to the desired solution if ClearPass is not an option.- And just as a reminder Aruba just started encourage the "network technicians" to look in to python + the work that I was suggesting is not necesary for a senior developeer - is very low end.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.