AAA, NAC, Guest Access & BYOD


How to disconnect/logout an active guest device? 

Sep 21, 2018 08:05 AM

Requirement:

We have come across a requirement to disconnect an active guest device to allow a new device to connect when the user has reached the session limit. 

 

Consider a guest network that is restricted to two active devices per guest user. The user has already connected two devices and wants to connect a third by disconnecting one of the existing active devices.

 

For example: devices A and B are connected to the network and the user wants to connect device C by disconnecting whichever of A or B authenticated most recently.

 



Solution:

This article shows how to disconnect/log out a user's most recently authenticated active guest device from the network.

 

Note: A complete ClearPass Guest setup is out of scope here; this article only covers the active-device disconnect/logout. See the links below for the ClearPass Guest integration technotes and for limiting guest user concurrent sessions.

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

 

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-limit-ClearPass-guest-concurrent-simultaneous-sessions/ta-p/303067

 



Configuration:

Steps:

  • Create two web-login pages, one to collect the user credentials and one to issue the disconnect.
  1. Web-Login page-1: collects the user credentials, validates them via pre-authentication and redirects the device to web-login page-2 with the MAC address of the same user's most recently authenticated device.
  2. Web-Login page-2: takes the client MAC address passed by web-login page-1, submits a WebAuth request to disconnect that client and then redirects the browser to the guest login/registration page.
  • Create a service to handle the WebAuth request submitted by web-login page-2.
  • OPTIONAL - Create a web page in ClearPass Guest that reports the session limit has been exceeded and links to the logout page (Web-Login page-1).

Mandatory checklist in guest configuration:

  • Accounting must be enabled with interim updates on the network device (NAS); the session lookup in page-1 relies on these records.
  • Interim accounting should be logged on the ClearPass nodes as shown below.
  • Insight must be enabled on at least one ClearPass node in the cluster.
  • ClearPass must be added as a RADIUS Dynamic Authorization Server on the network devices, otherwise the RADIUS disconnect is silently ignored.
  • Endpoint:Username must be returned to the NAS in the RADIUS Access-Accept when MAC Authentication/MAC Caching is enabled for guest users. See "https://community.arubanetworks.com/t5/Security/How-to-return-username-MAC-auth/td-p/138541" for details.

 

Step 1: Creating weblogin page-1.

Navigate to ClearPass Guest >> Configuration >> Pages >> Web Logins and click on "Create a new weblogin page". 

Define the web-login Name and Page Name. In this example the page name is logout_prep.

 

Enable pre-authentication as shown below to validate the credentials. The pre-authentication check can be set to "Local - match a local account" if the guest user account exists in the Guest User Repository.

Note: If you are using an external authentication source for guest access, set pre-authentication to "RADIUS" or "App Authentication" and create the corresponding web-login pre-authentication service in ClearPass Policy Manager; without that service the pre-authentication request fails in Access Tracker with "Failed to classify request to service".

 

Add the following query/code to the "Login Message" field, set the "Login Delay" to a negative value as shown below and save the page. The first line looks up the user's current (most recently started, still active) session from the accounting data, which is why interim accounting and Insight are prerequisites; the meta refresh then sends the browser to page-2 with that session's Calling-Station-Id (the client MAC address) as the mac parameter.
 

{nwa_radius_query _method=GetUserCurrentSession username=$username _assign=session}

<meta http-equiv="refresh"
content="0;url=/guest/logout_webauth.php?mac={$session.callingstationid}"/>

 

Step 2: Creating weblogin page-2.

Create a new web-login page and define the web-login Name and Page Name. In this example the page name is logout_webauth.

Set the Login Method to "Server-initiated - Change of authorization (RFC 3576) sent to controller" as shown below.

 

Configure the Login Form as shown below:

Set the Authentication to "Auto - Do not require a username and password and automatically submit the page".

Check the Auto-Generate box to create an anonymous account that is used only to submit the WebAuth request.

Check the Custom Form box to enable "Provide a custom login form".

Set Pre-Authentication to "Local - match a local account".

Keep in mind that page-2 requires no credentials and takes the MAC address from the URL query string: the only credential check in this flow is on page-1, so anyone who can reach /guest/logout_webauth.php can submit a disconnect for an arbitrary MAC. Consider who can reach this page when you deploy it.

 

Add the following content (edit as needed) to the Login Form >> Login Message field, set the Login Delay to "-1" as shown below and save the page. The unclosed <div style="display:none;"> at the end is intentional: it hides the auto-submitted login form that ClearPass renders after the message.

{nwa_text id=7978}<p>
<h2>
Successfully logged out the client - {$mac}. You will be redirected to login page in 10 seconds.
</h2>
</p>{/nwa_text}
<meta http-equiv="refresh" content="10;url=http://<cppm_IP or hostname>/guest/<registration or login-page-name>.php"/>
<div style="display:none;">

 

Step 3: Creating the web-based authentication service that handles the WebAuth request from web-login page-2.

Prerequisite: create an enforcement profile that sets the disconnected client's endpoint status to Unknown and changes its existing Endpoint:Username, so that the disconnected client cannot re-authenticate via MAC Caching and get back onto the network.

Navigate to ClearPass Policy Manager >> Configuration >> Enforcement >> Profiles and Click on Add to add an enforcement profile as shown below.

Set the Template to "ClearPass Entity Update Enforcement" and define the profile name.

 

In the Attributes tab, add the Status-Update and Endpoint:Username attributes as shown below and save the enforcement profile.


 

Create an enforcement policy that applies the above enforcement profile together with the RADIUS disconnect enforcement; this policy is used by the WebAuth service. Navigate to Configuration >> Enforcement >> Policies and click Add.

Define the enforcement policy name and set the Enforcement Type to "WEBAUTH". Default Profile can be set to any profile.

 

Define the Rules as shown below and save the enforcement policy.

 

Now navigate to Configuration >> Services and click on Add and create the WebAuth Service as shown below.

Set the service type to "Web-based Authentication", define the service name and move to the next tab.

 

Map the authentication source "[Guest User Repository]". 

 

Map the created enforcement policy and save the service.
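The "Server-initiated - Change of authorization (RFC 3576)" login method in Step 2 makes ClearPass send a RADIUS Disconnect-Request to the NAS, which is why ClearPass must be configured there as a Dynamic Authorization Server. The following is an added example, not ClearPass or Aruba code, showing what that exchange looks like on the wire (RFC 5176, which replaced RFC 3576) and what the NAS checks before honouring it: a Disconnect-Request for the user's MAC, the ACK when the session exists, the NAK with Error-Cause 503 when it does not, and a silent drop when the shared secret is wrong. The shared secret, identifier, username and MAC are constructed values, and nas_handle is an in-process stand-in for the controller so the example runs offline; send_disconnect shows the same request against a real NAS on UDP/3799.

```python
"""RFC 5176 (formerly RFC 3576) Disconnect-Request round trip.

Added example, not ClearPass code. The NAS side (nas_handle) is a constructed
stand-in for the controller so that everything runs offline.
"""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ERROR_CAUSE = 1, 31, 101
SESSION_CONTEXT_NOT_FOUND = 503   # RFC 5176 section 3.5 Error-Cause value
DAS_PORT = 3799                   # default Dynamic Authorization port


def normalize_mac(mac):
    """'f07bcb3b5c78' (as ClearPass displays it) -> 'f0-7b-cb-3b-5c-78'.
    The Calling-Station-Id must match the form the NAS used in accounting."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def encode_attrs(attrs):
    """attrs: list of (type, value bytes) -> RADIUS attribute TLVs."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _packet(code, ident, auth_input, attrs, secret):
    """Header + authenticator + attributes. auth_input is the 16 octets hashed in
    the authenticator's place: zeros for a request, the Request Authenticator
    for a response (RFC 5176 section 2.3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    auth = hashlib.md5(header + auth_input + attrs + secret).digest()
    return header + auth + attrs


def build_disconnect_request(secret, ident, username, mac):
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (CALLING_STATION_ID, normalize_mac(mac).encode())])
    return _packet(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)


def parse(packet):
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length mismatch")
    return code, ident, packet[4:20], packet[20:]


def nas_handle(secret, request, active_macs):
    """Constructed NAS stand-in: drop a bad authenticator silently, ACK when the
    session is known, otherwise NAK with Error-Cause 503."""
    code, ident, req_auth, attrs = parse(request)
    if code != DISCONNECT_REQUEST:
        return None
    expected = _packet(code, ident, bytes(16), attrs, secret)[4:20]
    if not hmac.compare_digest(expected, req_auth):
        return None  # wrong shared secret or not a configured DAS client
    mac = dict(decode_attrs(attrs)).get(CALLING_STATION_ID, b"").decode()
    if mac in active_macs:
        return _packet(DISCONNECT_ACK, ident, req_auth, b"", secret)
    nak = encode_attrs([(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))])
    return _packet(DISCONNECT_NAK, ident, req_auth, nak, secret)


def check_response(secret, request, response):
    """Return (code, attrs) after verifying identifier and Response Authenticator."""
    _, req_ident, req_auth, _ = parse(request)
    code, ident, resp_auth, attrs = parse(response)
    if ident != req_ident:
        raise ValueError("identifier mismatch")
    expected = _packet(code, ident, req_auth, attrs, secret)[4:20]
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator")
    return code, decode_attrs(attrs)


def send_disconnect(nas_ip, secret, ident, username, mac, timeout=3.0):
    """Send to a real NAS over UDP/3799; None means no answer (e.g. bad secret)."""
    request = build_disconnect_request(secret, ident, username, mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_ip, DAS_PORT))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return check_response(secret, request, response)
```

A NAS that has not been told about the Dynamic Authorization Server, or that holds a different shared secret, never answers; that silent timeout is the symptom to look for when the disconnect "does nothing", while a NAK with Error-Cause 503 means the NAS was reached but the Calling-Station-Id or User-Name did not match a session it knows about.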


Verification

Consider a guest network restricted to two concurrent devices: the user has already connected two devices with the same username "testuser" and wants to connect a third by disconnecting the most recently connected active device shown below.

 

All the user has to do is visit the "logout_prep" page, https://<clearpass_IP/hostname>/guest/logout_prep.php, and enter their credentials.

 

End result: the user can connect and authenticate the 3rd device after the client f07bcb3b5c78 has been disconnected.

 

Note: It is good practice to redirect the 3rd device to a custom web page (instead of simply denying access) when the limit is exceeded, report that the session limit has been reached, and let the user log out/disconnect the most recently connected active device from that same page.

You can apply an appropriate enforcement profile to redirect the client device to a custom web page when the user exceeds the allowed device limit.

The custom web page can be created under ClearPass Guest >> Configuration >> Pages >> Web Pages. See the example below.

 

Sample output of custom page.


Comments

Jun 01, 2020 01:08 AM

Hi @cappalli,

 

This is a great guide. I have the same question as resantero - are we able to disconnect all other active devices assigned to the signed in user account? 

 

 

Mar 09, 2020 03:16 AM

Hi, I tried this guide and it works.

 

Anyway, can this be done automatically? Let's say my active device is Phone#1; then when I log in using my Phone#2, Phone#1 automatically disconnects and now Phone#2 is connected.

 

Is this possible? I think other devices are capable of this?

Jul 01, 2019 04:17 AM

Dear esupport,

I have tried to use pre-authentication: RADIUS.
The RADIUS server is CPPM,
but in Access Tracker I see an authentication failure
with the error message: Failed to classify request to service.
Can you give any tips? Maybe I am lacking something.

 
