Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Daily Usage Role Derivation Scenario

  • 1.  Daily Usage Role Derivation Scenario

    Posted May 15, 2016 11:20 PM
      |   view attached

    Hey all,

     

    I'm having some problems with a couple scenarios and I'd like some assistance if possible.

     

    Here are the requirements:

     

    1. Role derivation based off of User Consumption

    2. Self-Registration Page for Student Game Consoles (MACTrac?)

     

    Scenario 1 

    [EXAMPLE INFO] - A student user connects to the network and is given a total bandwidth limit of 10MB and can only transfer at 1MB during a session. Once the student hits the 10MB threshold, then it's CoA derivated to a role where the total bandwidth allowed is 2MBs with a 512k transfer limit. Once that limit is hit, then it's finally CoA derivated to a final role where the total bandwidth allowed is 1MB with a 128k transfer limit.

     

    This involves two things:

    Overall Bandwidth Capacity (OBC)

    Session Bandwidth Capacity (SBC)

     

    Role: Student-A

    OBC: 10MB

    SBC: 1MB

     

    Role: Student-B

    OBC: 2MB

    SBC: 512k

     

    Role: Student-C

    OBC: 1MB

    SBC: 128k

     

    What I've done so far:

    I've made sure that RFC 3576 is setup, that ClearPass can see the controller and visa-versa, and have created all of the roles and BW contracts. I've also created all of the Services, Enforcement stuff, etc. in ClearPass.

     

    What I need to know:

    What CPPM database can I reference when creating conditions that check total utilization, and then have it zero out at the end of the day? I don't have to worry about session contracts in CPPM since I can let the controller do that, so if I only have to worry about total usage, I can CoA derivate and let the controller handle session utilization.

     

    Additional Info:

    These limits, per user, will persist for 24 hours. After that, everything gets zeroed out and the user can start fresh again. The goal of this is to prevent any student from streaming a ton of data and making other users suffer. Since the client's pipe isn't big at all, this is pretty vital.

     

    Scenario 2

    [EXAMPLE INFO] - A student would like to register their game console. I'm considering using MACTrac for this and following this guide that I found: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-To-Advanced-MACTrac-designs-in-ClearPass-November-MHC/td-p/217291. Is there another, newer guide out there that covers this? If not, I'll just use this one. The client also has an additional requirement that they be able to clear this DB of all consoles at the end of the year when all of the students graduate and force persistant students to reregister their consoles.

     

    I attached a basic Visio to explain the intended process as best as I could (applies only to Scenario 1). I'd also like to mention that TAC couldn't help me with this, and a document that I found on Arubapedia talking about this very thing (which utilizes a Generic SQL DB) didn't help with this. Whenever I tried to clear the cache for that newly created database, it wouldn't clear. I had to manually go into CPPM via CLi and delete * <dbase name> radius_acct, which was really cumbersome and I wouldn't want the client to have to do that everyday.

     

    If anyone has any insight into this, I'd really appreciate it.

     

     

    Attachment(s)