Wireless Access

last person joined: 6 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Limiting user with expect scripting without using Clearpass - October-MHC

  • 1.  Limiting user with expect scripting without using Clearpass - October-MHC

    Posted Oct 15, 2014 04:57 AM

    Introduction

     

    Limiting bandwitdh of wireless users on controllers in master-local topology with only using scripting language is so easy and crusial in a big campus networking. We have limiting many users by the following method to save bandwitdh.

     

    Steps


    1- Create a role on aruba for limited users. In my case, It is named "role-1mbps"
    2- Radius accounting information is logged to mysql with freeradius-mysql
    3- Calculate your download/upload threshold value of users in period.
    4- We will have another script which will trigger the following expect script. The script will make schanges on both controller and user's session won't completely removed.

     

    Expect script:
    #!/usr/bin/expect
    set password 123123

    set hosts "aruba-master"
    spawn ssh -o StrictHostKeyChecking=no admin@$hosts
    expect "admin@$hosts's password:"
    send -- "$password
    "
    expect "#"

    send -- "config t
    "
    expect "#"
    send -- "aaa server-group SSID-wpa2
    "
    expect "#"
    send -- "set role condition User-Name equals $username set-value role-1mbps position 1
    "
    expect "#"
    send -- "write mem
    "
    expect "#"
    send -- "exit
    "
    set hosts "aruba-local"
    spawn ssh -o StrictHostKeyChecking=no admin@$hosts
    expect "admin@$hosts's password:"
    send -- "$password
    "
    expect ">"
    send -- "ena
    "
    expect "Password:"
    send -- "$password
    "
    expect "#"
    send -- "aaa user delete name $username
    "
    expect "#"
    send -- "exit
    "

    5- To remove limited-role send only the "no" row.
    send -- "no set role condition User-Name equals $username set-value role-1mbps
    "



  • 2.  RE: Limiting user with expect scripting without using Clearpass - October-MHC

    Posted Oct 16, 2014 06:01 AM

    Good writeup.  I have not tested this.

     

    - Does the WLC need to have interim accounting configured for this to work?

    - What module needs to be run to collect the interim accounting information and does the controller need to point to that module as a radius accounting server?

    - The CLI on the controller is single-threaded.  Since you could be dealing with quite a few users, is there something to rate-limit logging into the CLI, yet still allow for timely disconnects?    It might be better to use the XML-API of the controller to change a user role or to disconnect a user, since it is not bound by the CLI:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/Using_the_XML_API_Server.htm

     

    ...just a few questions...



  • 3.  RE: Limiting user with expect scripting without using Clearpass - October-MHC

    Posted Oct 16, 2014 06:31 AM

    Hi Colin,

     

    - Yes, you are supposed to enable Interim Accounting for not waiting for "Stop" packet of radius.

     

    - Freeradius-mysql module collects the traffic information in database.

     

    - It might be a better option that you have suggested. I didn't use XML API. I had another two options to changing role. When I use "aaa user delete name" command, it never disconnect user. It refreshes user's profile/role table.

     

    thanks,



  • 4.  RE: Limiting user with expect scripting without using Clearpass - October-MHC

    Posted Oct 16, 2014 06:35 AM

    umutarus,

     

    Got it.

     

    If you want to really disconnect the user, you can blacklist the user with the "stm add-blacklist-client <client mac>" command:  https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/How-to-blacklist-a-client-in-a-centralized-way

     

    If you wanted to change the user's role so that they also get a message, you could do that as well...