Can someone highlight the way they might be using post session restriction profiles? Can I use it to restrict bandwidth usage by an 802.1x client?
This is more typically used on guest networks and an enforcement profile is included in the guest service wizard.
What exactly are you aiming to do here? Block access once a user has exceeded a certain amount of data?
Yes, but for 802.1x users. Is it possible to restrict them so that they are not able to download/upload more than 10Gb of data per 24 hours.
OK, I did some testing on my own and it seems to be working. Attached snapshot is my profile. Also attached is the snap of the CoA sent.
As defined in the action, it's either disconnect or disconnect and block access. In both cases, Aruba terminate session was fired. Can we change this behavior? For example, if I want to change the role/VLAN of the user exceeding their bandwidth quota, where can I do this modification?
You could try adding the [Blacklist user repository] as an authorization source, do some role mapping based on a user being blacklisted, then assign a different role via your enforcement.
I've not tried this out myself but this is what I'd do next to try to get it working....
I can see that Aruba wireless terminate session is sent if the post auth action is set to disconnect (with or without block access). Where do we modify this setting?
That's expected. The client will re-authenticate and ClearPass should see that the MAC is in the blacklist user repository and assign a different role.
That's how I would imagine it works if you set up your service as I previously mentioned.
How should I add the user to the blacklist repository when he exceeds the quota? In post-auth-check the action is only disconnect. I cannot pass on any other profile.
Or am I missing something very basic here?
Sorry for multiple posts. When you said "do some role mapping based on a user being blacklisted", this is what I am asking: how to blacklist the user as part of post session policy?
post-auth-check > action > disconnect and block access
OK, I see them under monitoring. Out of curiosity, I have also accessed the ClearPass DB with pgAdmin, and can see different tables. Any idea which one corresponds to blacklisted users?
So the workflow would be to use BL as authz source, and when the user is matched, either deny or push a different role to him, right?
In theory yes, that's how I see it working.
OK, let me test this out tomorrow.
Also if you or anyone can advise which table in public database corresponds to Black list users repository. Just asking out of curiosity.
I added BL as authz source but couldn't use it in role mapping or enforcement policy. I checked under sources and in my case (snap attached) its fields are empty.
How to use the BL user repository in Role mapping or Enforcement profile? It's not available.
Got it to work, attaching the snapshots of my BL authentication source and changes done to it, and also my enforcement profile.
Thanks James for all the help provided
That's great! Glad you got it working. :)