Access Tracker reports that the disconnect is successful. However, with wireless, if you disconnect a client, it will just reconnect. Check Access Tracker for a new authentication just after the CoA at 8:50:37 EDT. If that happens, you should in your Service check for concurrent connected devices as well, and reject the authentication if the maximum number is exceeded.
It may be good to check with your Aruba Partner or Aruba support to optimize your design and create the policy that matches your requirements.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 14, 2021 08:58 AM
From: Eric Olerud
Subject: Limit number of active devices per user with Clearpass
Under the access tracker on CPPM, it appears that ClearPass believes it is properly terminating the sessions, but my wireless devices are not being disconnected. Here is the RADIUS CoA action that appears for a device which is still connected to the network:
Is there some configuration that needs to be done on the WLAN side other than setting the RFC 3576 server?
------------------------------
Eric Olerud
Original Message:
Sent: Oct 13, 2021 10:54 AM
From: Colin Joseph
Subject: Limit number of active devices per user with Clearpass
Do you have radius accounting enabled and checked to make sure it is being received in ClearPass?
------------------------------
Original Message:
Sent: Oct 13, 2021 10:10 AM
From: Eric Olerud
Subject: Limit number of active devices per user with Clearpass
I am having difficulty adding a rule to my 802.1X Service in ClearPass that would limit the number of devices certain users have. I have created a Post-Authentication Enforcement Profile with the Attributes:
Session-Check Active-Session-Count = 2
Post-Auth-Check Action = Disconnect
And I have added [Blacklist User Repository] as both an Authentication and Authorization source. I also assigned ClearPass as the RFC 3576 server on my AAA profile for this WLAN.
Nevertheless, I am able to add devices beyond whatever number I set as the Active-Session-Count value. Has anyone had success with a similar setup?
------------------------------
Eric Olerud
------------------------------
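The behaviour discussed in this thread, as an added example that is not part of any post and is not ClearPass code: a simplified Python model comparing a post-authentication disconnect with rejecting at authentication once the limit is reached, and showing what happens when no accounting is received. It assumes active sessions are counted from RADIUS Accounting Start/Stop; the class, function, user name and MAC addresses are constructed for illustration.

```python
from collections import defaultdict

class SessionLimiter:
    """Simplified model of a per-user session limit; not ClearPass code."""

    def __init__(self, max_sessions=2, reject_at_auth=False):
        self.max_sessions = max_sessions      # Active-Session-Count from the thread
        self.reject_at_auth = reject_at_auth  # True: check the limit in the Service
        self.active = defaultdict(set)        # user -> MACs with an open session

    def accounting(self, status, user, mac):
        # Assumption: sessions are counted from RADIUS Accounting Start/Stop.
        if status == "Start":
            self.active[user].add(mac)
        elif status == "Stop":
            self.active[user].discard(mac)

    def authenticate(self, user, mac):
        """Return (decision, coa_disconnect) for one authentication."""
        over_limit = len(self.active[user] - {mac}) >= self.max_sessions
        if over_limit and self.reject_at_auth:
            return "Reject", False
        # Post-auth check only: the request is accepted, then disconnected.
        return "Accept", over_limit

def simulate(limiter, user, macs, accounting=True, retries=3):
    """Replay constructed clients; a wireless client retries after a disconnect."""
    accepts = defaultdict(int)
    for mac in macs:
        for _ in range(retries):
            decision, coa = limiter.authenticate(user, mac)
            if decision == "Reject":
                break
            accepts[mac] += 1
            if accounting:
                limiter.accounting("Start", user, mac)
            if not coa:
                break  # client stays connected
            limiter.accounting("Stop", user, mac)  # CoA disconnect took effect
    return dict(accepts), sorted(limiter.active[user])

MACS = ["aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"]  # constructed

if __name__ == "__main__":
    print(simulate(SessionLimiter(), "user1", MACS))                     # post-auth disconnect only
    print(simulate(SessionLimiter(reject_at_auth=True), "user1", MACS))  # limit enforced at authentication
    print(simulate(SessionLimiter(), "user1", MACS, accounting=False))   # no accounting received
```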