Security

last person joined: 5 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Post Session Restriction Profile - Real world use case

Jump to Best Answer
  • 1.  Post Session Restriction Profile - Real world use case

    Posted Nov 02, 2019 04:45 PM
      |   view attached

    Dear Experts, 

     

    Can someone highlight the way they might be using post session restriction profiles? can i use it to restrict bandwidth usage by a 802.1x client? 



  • 2.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 04, 2019 04:16 AM

    This is more typically used on guest networks and an enforcement profile is included in the guest service wizard.

     

    What exactly are you aiming to do here? Block access once a user has exceeded a certain amount of data?



  • 3.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 04, 2019 04:18 AM

    Dear James,

     

    Yes, but for 802.1x users. Is it possible to restrict them so that they are not able to download/upload more than 10Gb of data per 24 hours. 



  • 4.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 05, 2019 06:39 AM

    Ok i did some testing on my own and it seems to be working. Attached snapshot is my profile. Also attached is the snap of CoA sent.

    As defined in the action its either disconnect or disconnect and block access. In both cases, Aruba terminate session was fired. Can we change this behavior? like if i want to change the role/vlan of the user exceeding their bandwidth quota? where i can do this modification?

     



  • 5.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 05, 2019 08:18 AM

    You could try adding the [Blacklist user repository] as an authorization source, do some role mapping based on a user being blacklisted, then assign a different role via your enforcement.

     

    I've not tried this out myself but this is what I'd do next to try to get it working....



  • 6.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 12:13 AM
    Yeah, i think the challenge is, post session profiles workflows are not
    explained in detail. So we are not sure what we can and cannot do with post
    session profiles. All the role mapping and other stuff can be done
    primarily for the time of login, but if i want to monitor the state of
    authenticated user (802.1x and not guest) there doesnt seem to be any
    guidelines given.


  • 7.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 05:27 AM

    I can see that Aruba wireless terminate session is sent if post auth action is set to disconnect (with or without block access). Where do we modify this setting?



  • 8.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:06 AM

    That's expected. The client will re-authenticate and Clearpass should see that the MAC is in the blacklist user repository and assign a different role.

     

    That's how I would imagine it works if you set up your service as I previously mentioned.



  • 9.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:25 AM

    how should i add the user to blacklist repository when he exceeds the quota? in post-auth-check action is only disconnect. I cannot pass on any other profile. 

     

    Or am i missing something very basic here?



  • 10.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:26 AM

    sorry for multiple posts. When you said "do some role mapping based on a user being blacklisted" this is what i am asking, how to blacklist the user as part of post session policy?



  • 11.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:59 AM

    post-auth-check > action > disconnect and block access



  • 12.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 07:14 AM
    Blacklist user repository refers to Static host list? coz i did the same
    thing but nothing is added SHL.


  • 13.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 07:22 AM

    Ok i see them under monitoring. Out of curiosity, i have also accessed Clearpass DB with pgadmin, and can see different tables, any idea which one corresponds to Black listed users?

     

    So the workflow would be, to use BL as authz source, and when user is matched, either deny or push different role to him right?



  • 14.  RE: Post Session Restriction Profile - Real world use case
    Best Answer

    Posted Nov 06, 2019 07:40 AM

    In theory yes, that's how I see it working.



  • 15.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 12:27 PM

    Ok let me test this out tomorrow. 

     

    Also if you or anyone can advise which table in public database corresponds to Black list users repository. Just asking out of curiosity. 



  • 16.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 07, 2019 06:20 AM

    Dear James, 

     

    I added BL as authz source but couldnt use it in rolemapping or enforcement policy. I checked under sources and in my case (snap attached) its fields are empty. 

     

    How to use BL user respository in Role mapping or Enforcement profile? its not available.



  • 17.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 07, 2019 06:58 AM

    Got it to work, attaching the snapshots of my BL authentication source and changes done to it, and also my enforcement profile.

     

    Thanks James for all the help provided



  • 18.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 07, 2019 07:13 AM

    That's great! Glad you got it working. :)