Limit number of active devices per user with Clearpass

  • 1.  Limit number of active devices per user with Clearpass

    Posted Oct 13, 2021 10:24 AM
    I am having difficulty adding a rule to my 802.1X Service in ClearPass that would limit the number of devices certain users have. I have created a Post-Authentication Enforcement Profile with the Attributes:

    Session-Check    Active-Session-Count   =    2
    Post-Auth-Check  Action                 =    Disconnect

    And I have added [Blacklist User Repository] as both an Authentication and Authorization source. I also assigned ClearPass as the RFC 3576 server on my AAA profile for this WLAN.

    Nevertheless, I am able to add devices beyond whatever number I set as the Active-Session-Count value. Has anyone had success with a similar setup?

    ------------------------------
    Eric Olerud
    ------------------------------


  • 2.  RE: Limit number of active devices per user with Clearpass

    EMPLOYEE
    Posted Oct 13, 2021 10:54 AM
    Do you have RADIUS accounting enabled and checked to make sure it is being received in ClearPass?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Limit number of active devices per user with Clearpass

    Posted Oct 13, 2021 12:44 PM
    I am not sure where that setting would be, but as a test I added two devices to the network, and then in CPPM, under Monitoring > Accounting, I found both successful connection attempts. It looks like after the second connection is made, the first one is terminated (Status shows Inactive), but the connection is really still live. Also, under Auth Sessions, the Number of Authentication Sessions field shows as 1 on both connection entries.

    I also noticed that the Blacklisted Users page under Monitoring in CPPM does not appear to be populated.

    ------------------------------
    Eric Olerud
    ------------------------------



  • 4.  RE: Limit number of active devices per user with Clearpass

    Posted Oct 14, 2021 08:58 AM
    Under the access tracker on CPPM, it appears that ClearPass believes it is properly terminating the sessions, but my wireless devices are not being disconnected. Here is the RADIUS CoA action that appears for a device which is still connected to the network:


    Is there some configuration that needs to be done on the WLAN side other than setting the RFC 3576 server?

    ------------------------------
    Eric Olerud
    ------------------------------



  • 5.  RE: Limit number of active devices per user with Clearpass

    EMPLOYEE
    Posted Oct 18, 2021 09:05 AM
    Access Tracker reports that the disconnect is successful. However, with wireless, if you disconnect a client, it will just reconnect. Check Access Tracker for a new authentication just after the CoA at 8:50:37 EDT. If that happens, you should in your Service check for concurrent connected devices as well, and reject the authentication if the maximum number is exceeded.

    It may be good to check with your Aruba Partner or Aruba support to optimize your design and create the policy that matches your requirements.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
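
The check suggested in the last reply (look for a new authentication right after the CoA disconnect) can be scripted over exported event records. This is an added example, not part of the thread and not ClearPass code; the record layout, event names, users and MAC addresses are constructed for illustration and do not match any ClearPass export format.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: (time, event type, user, client MAC).
SAMPLE_EVENTS = [
    ("2021-01-01 10:00:00", "auth-accept",    "alice", "aa:aa:aa:00:00:01"),
    ("2021-01-01 10:05:00", "auth-accept",    "alice", "aa:aa:aa:00:00:02"),
    ("2021-01-01 10:06:00", "auth-accept",    "alice", "aa:aa:aa:00:00:03"),
    ("2021-01-01 10:06:02", "coa-disconnect", "alice", "aa:aa:aa:00:00:01"),
    ("2021-01-01 10:06:06", "auth-accept",    "alice", "aa:aa:aa:00:00:01"),
    ("2021-01-01 11:00:00", "coa-disconnect", "bob",   "bb:bb:bb:00:00:01"),
]

def parse(events):
    """Convert timestamps and return the events in chronological order."""
    return sorted((datetime.strptime(ts, FMT), kind, user, mac)
                  for ts, kind, user, mac in events)

def reconnects_after_coa(events, window_s=30):
    """List (user, mac, gap_seconds) for every accepted authentication that
    follows a CoA disconnect of the same MAC within window_s seconds."""
    last_coa, hits = {}, []
    for ts, kind, user, mac in parse(events):
        if kind == "coa-disconnect":
            last_coa[mac] = ts
        elif kind == "auth-accept" and mac in last_coa:
            gap = (ts - last_coa.pop(mac)).total_seconds()
            if gap <= window_s:
                hits.append((user, mac, int(gap)))
    return hits

def peak_devices(events, user):
    """Highest number of distinct MACs the user had connected at one time,
    treating a CoA disconnect as the end of that MAC's session."""
    active, peak = set(), 0
    for _, kind, u, mac in parse(events):
        if u != user:
            continue
        if kind == "auth-accept":
            active.add(mac)
        elif kind == "coa-disconnect":
            active.discard(mac)
        peak = max(peak, len(active))
    return peak

if __name__ == "__main__":
    for user, mac, gap in reconnects_after_coa(SAMPLE_EVENTS):
        print(f"{user} {mac} re-authenticated {gap}s after CoA disconnect")
    print("alice peak concurrent devices:", peak_devices(SAMPLE_EVENTS, "alice"))
```

A MAC that shows up in the first list was disconnected and then accepted again, which is the situation where the device count has to be checked during authentication rather than only post-auth.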