Limiting the bandwidth of wireless users on controllers in a master-local topology using only a scripting language is easy, and it is crucial in a big campus network. We have limited many users with the following method to save bandwidth.
1- Create a role on Aruba for limited users. In my case, it is named "role-1mbps".
2- RADIUS accounting information is logged to MySQL with freeradius-mysql.
3- Calculate the download/upload threshold value for users in a period.
4- We will have another script which will trigger the following expect script. The script will make changes on both controllers, and the user's session won't be completely removed.
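Expect script:
#!/usr/bin/expect
# User name to limit, passed as the first command-line argument
set username [lindex $argv 0]
# Controller admin password, stored in clear text in this script
set password 123123

# Master controller: add a server-group rule that assigns role-1mbps to the user.
# StrictHostKeyChecking=no accepts any host key, so the controller's identity is not verified.
set hosts "aruba-master"
spawn ssh -o StrictHostKeyChecking=no admin@$hosts
expect "admin@$hosts's password:"
send -- "$password\r"
expect "#"
send -- "config t\r"
expect "#"
send -- "aaa server-group SSID-wpa2\r"
expect "#"
send -- "set role condition User-Name equals $username set-value role-1mbps position 1\r"
expect "#"
send -- "write mem\r"
expect "#"
send -- "exit\r"

# Local controller: delete the user entry so the new role is applied
set hosts "aruba-local"
spawn ssh -o StrictHostKeyChecking=no admin@$hosts
expect "admin@$hosts's password:"
send -- "$password\r"
expect ">"
send -- "ena\r"
expect "Password:"
send -- "$password\r"
expect "#"
send -- "aaa user delete name $username\r"
expect "#"
send -- "exit\r"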
5- To remove the limited role, send only the "no" row:
send -- "no set role condition User-Name equals $username set-value role-1mbps\r"
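Steps 3 and 4 of the post above, sketched as an added example that is not code from the thread: it sums per-user traffic from the accounting table, then hands each heavy user to the expect script, refusing names that would not be safe to paste into a controller CLI command. Assumptions: the standard FreeRADIUS `radacct` column names, a 1 GiB threshold, an expect script at the hypothetical path `./limit_user.exp` that takes the user name as its first argument, and an in-memory SQLite table with constructed rows standing in for MySQL.

```python
import re
import sqlite3
import subprocess

THRESHOLD_BYTES = 1024**3            # assumed quota: 1 GiB per period
EXPECT_SCRIPT = "./limit_user.exp"   # hypothetical path of the expect script
# The name ends up inside controller CLI commands, so only a conservative
# character set is accepted (no spaces, quotes, CR/LF or control characters).
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Standard FreeRADIUS radacct columns; MySQL drivers use %s instead of ?.
USAGE_SQL = """
SELECT username, SUM(acctinputoctets + acctoutputoctets)
FROM radacct WHERE acctstarttime >= ?
GROUP BY username
HAVING SUM(acctinputoctets + acctoutputoctets) > ?
ORDER BY username
"""

def users_over_threshold(conn, since, threshold=THRESHOLD_BYTES):
    """Return (to_limit, rejected): heavy users with safe / unsafe names."""
    to_limit, rejected = [], []
    for username, _total in conn.execute(USAGE_SQL, (since, threshold)):
        ok = SAFE_USERNAME.fullmatch(username) is not None
        (to_limit if ok else rejected).append(username)
    return to_limit, rejected

def limit_user(username, run=subprocess.run):
    """Run the expect script with the name as one argv element, no shell."""
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError("unsafe user name: %r" % username)
    return run([EXPECT_SCRIPT, username], check=True)

def sample_db():
    """Constructed accounting rows in SQLite, standing in for MySQL."""
    mib = 1024**2
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radacct (username TEXT, acctstarttime TEXT,"
                 " acctinputoctets INTEGER, acctoutputoctets INTEGER)")
    conn.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", [
        ("alice", "2020-01-02 08:00:00", 200 * mib, 900 * mib),     # over
        ("bob", "2020-01-01 08:00:00", 5120 * mib, 0),              # too old
        ("bob", "2020-01-02 09:00:00", 10 * mib, 20 * mib),         # under
        ("guest 01\r", "2020-01-02 10:00:00", 0, 2048 * mib),       # unsafe
    ])
    return conn

if __name__ == "__main__":
    heavy, refused = users_over_threshold(sample_db(), "2020-01-02 00:00:00")
    print("to limit:", heavy, "refused:", refused)
```

Rejected names are returned rather than silently dropped so they can be logged and reviewed by hand.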
Good writeup. I have not tested this.
- Does the WLC need to have interim accounting configured for this to work?
- What module needs to be run to collect the interim accounting information and does the controller need to point to that module as a radius accounting server?
- The CLI on the controller is single-threaded. Since you could be dealing with quite a few users, is there something to rate-limit logging into the CLI, yet still allow for timely disconnects? It might be better to use the XML-API of the controller to change a user role or to disconnect a user, since it is not bound by the CLI: http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/Using_the_XML_API_Server.htm
...just a few questions...
- Yes, you are supposed to enable Interim Accounting so as not to wait for the RADIUS "Stop" packet.
- The freeradius-mysql module collects the traffic information in the database.
- What you have suggested might be a better option. I didn't use the XML API. I had another two options for changing the role. When I use the "aaa user delete name" command, it never disconnects the user. It refreshes the user's profile/role table.
If you want to really disconnect the user, you can blacklist the user with the "stm add-blacklist-client <client mac>" command: https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/How-to-blacklist-a-client-in-a-centralized-way
If you wanted to change the user's role so that they also get a message, you could do that as well...