Security

last person joined: 23 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Concurrent connections limit

  • 1.  Concurrent connections limit

    Posted Apr 15, 2013 09:47 AM

    Hello,

    We just implemented a new Aruba wifi solution. Clearpass policy manager is used for radius for some SSID's and we have a specific SSID configured at a Clearpass policy manager service.

    One of the networks we deploy is an Aruba 802.1x Wireless network, that just checks if the Active Directory user is member from a specfic (AD) group. This network is used for employees that are able to connect with their mobile device. Now i need a way to restrict access to only 1 concurrent connections/session for one group users and 2 concurrent connections/sessions to another group.

    I did found some information about the rules I can use in the role mapping rules, but i can't find a way to limit the max concurrent connections. I'm not sure if this is the right way to configure this or that i need some service rules or other settings.

    Any help is appriciated.

    Regards,
    Roland



  • 2.  RE: Concurrent connections limit

    Posted Apr 15, 2013 01:10 PM
    You can define this under the user-role , maximum tcp sessions 0-65365


  • 3.  RE: Concurrent connections limit

    Posted Apr 15, 2013 01:15 PM

    @roland123 wrote:

    Hello,

    We just implemented a new Aruba wifi solution. Clearpass policy manager is used for radius for some SSID's and we have a specific SSID configured at a Clearpass policy manager service.

    One of the networks we deploy is an Aruba 802.1x Wireless network, that just checks if the Active Directory user is member from a specfic (AD) group. This network is used for employees that are able to connect with their mobile device. Now i need a way to restrict access to only 1 concurrent connections/session for one group users and 2 concurrent connections/sessions to another group.

    I did found some information about the rules I can use in the role mapping rules, but i can't find a way to limit the max concurrent connections. I'm not sure if this is the right way to configure this or that i need some service rules or other settings.

    Any help is appriciated.

    Regards,
    Roland


    Roland,

     

    You can do this through ClearPass Policy Manager with a Post-Authentication Profile.  Please review the CPPM 6.0 user guide on how to set this up.

     



  • 4.  RE: Concurrent connections limit

    Posted Apr 16, 2013 09:20 AM

    Hello cjoseph,

     

    I created an enforcement profile "limit max 1 session" with the attributes:

     

    Type                                                            Name                                                  Value

    1. Session-Check                                   Active-Session-Count                      = 1
    2. Post-Auth-Check                                 Action                                                  =  Disconnect

     

    I added this profile to an enforcement policy rule action. The policy conditions is:

     

    Type                           Name                                                   Operator                                        Value

    1. Tips                     Role                                                      EQUALS                                       My role name

    And with this are 2 enforcement profiles:

    [RADIUS] Profile_My-Profile
    [Post Authentication] Limit max 1 session

     

     

    In the radius profile there is a check for the Aruba-User-Role.

     

    I also added the the Blacklist User Repository to the authentication sources at the Service that contains the above enforcement policy (as suggested in the user guide), but it doesn't seem to work, i did try to connect, disconnect and reconnect with 2 mobile devices and the AD user, but i can connect all the time when i enter the correct logon information.

     

    Is there something i forget?

     

    Kind regards,

    Roland



  • 5.  RE: Concurrent connections limit

    Posted Apr 16, 2013 09:25 AM

    Roland,

     

    Do you have radius account enabled in the AAA profile of the WLAN controller?  You also need to enable interim accounting, as well.  In addition, in CPPM under server configuration, you need to have "Enable Insight on this Server" checked, as well as Log Accounting Interim-Update Packets set to True under Service Parameters> Radius Server > Accounting.

     



  • 6.  RE: Concurrent connections limit

    Posted Apr 16, 2013 09:47 AM

    Helle cjoseph,

     

    Radius interim accounting is enabled and there is a 802.1x Authentication server group specified to the Clearpass server. Is this enough on the controller side? Where do i need to have the radius account enabled in the AAA Profile, is this that i need to specify the clearpass server as accounting server, the same group i used for the 802.1x Authentication server group?

     

    Enable Insight on this server is enabled, Log Accounting Interim-Update Packets is set to true.

     

    Thanks,

    Roland

     

     

     

     



  • 7.  RE: Concurrent connections limit

    Posted Apr 16, 2013 09:57 AM
    Yes, you need to put the same server group for CPPM in the Radius Accounting Server group in the AAA profile. You should then be able to see radius accounting for authentication on the CPPM side.


  • 8.  RE: Concurrent connections limit

    Posted Apr 16, 2013 10:16 AM

    Thank you for your patience with me :-)

     

    Okay, now i see some data in the accounting monitoring. But i'm still able to just connect with my credentials from 2 devices at the same time. I'm expecting that the second connection is terminated, from the second device.

     

    Do i still forget something?



  • 9.  RE: Concurrent connections limit

    Posted Apr 16, 2013 10:35 AM

    Okay.  In the AAA profile on the Aruba Controller, make sure you have an RFC 3576 profile that points to CPPM (enter the same preshared key), and on the CPPM side make sure that the Aruba Controller definition has COA enabled.

     



  • 10.  RE: Concurrent connections limit

    Posted Apr 17, 2013 04:39 AM

    I have the RFC 3576 Auth. server configured with the clearpass server at the controller aaa profile. And "Enable RADIUS CoA" is enabled in the CCPM config (at both aruba controller devices), but i'm still able to connect with 2 seperate devices.

     

     



  • 11.  RE: Concurrent connections limit

    Posted Apr 17, 2013 06:59 AM

    Can you go to the access tracker is "Disconnect" an authenticated user to see if COA is configured properly?

     



  • 12.  RE: Concurrent connections limit

    Posted Apr 17, 2013 09:49 AM

    I only see records at the access tracker for another service, but not for this one. At the accounting i do see the users that authenticate.