  • 1.  Block concurrent connections (active-sessions?)

    Posted Feb 25, 2023 10:40 AM

    Hello,

    We have ClearPass that is connected to Active Directory, and we have a simple rule before allowing the connection to our VPN (Aruba Mobility Controller).

    The basic rule as follows:

    Authorization: LAB_AD       sAMAccountNAME EXISTS

    Permit

    I added a new condition right below what I wrote above:

    Authorization: Insight Repository, active-sessions less than or equals 0

    It then blocks every new connection attempt.

    I just want to block the same user being able to connect a second time via another device. We use cert-based authentication. What would be the best way of accomplishing this?


    Any help or advice is appreciated.

    Thank you.



  • 2.  RE: Block concurrent connections (active-sessions?)

    Posted Feb 27, 2023 04:05 AM

    Which AOS version are you running? In version 8.11 (together with VIA client version 4.5) you can configure a concurrent session limit.



    ------------------------------
    William Bargeman
    Systems Engineer Aruba
    ------------------------------



  • 3.  RE: Block concurrent connections (active-sessions?)

    Posted Feb 27, 2023 09:09 AM

    Thank you, William.

    We are on ClearPass Policy Manager 6.9.10.134806 on C1000 platform and VIA 4.3.

    I've tried various iterations of rules and I can still have multiple devices being able to connect with the same certificate.

    Insight is recognizing the username as the Common Name on the certs, and shows that multiple devices connect. So Insight logging seems to be working.

    I've tried:

    TC1
    Rule1
    sAMAccountName  EXISTS
    Online-Status Equals NOT_EXISTS
    DIDN'T WORK!
    ---------------
    TC2
    Rule1
    sAMAccountName  EXISTS
    Allow

    Rule2
    Active-Sessions LESS_THAN_OR_EQUALS 0
    Allow
    DIDN'T WORK!
    -------------
    TC3
    Rule1
    sAMAccountName  EXISTS
    Active-Sessions LESS_THAN_OR_EQUALS 0
    Allow
    Neither device was able to connect
    -------------
    TC4
    Rule1
    sAMAccountName  EXISTS
    Active-Sessions EQUALS 0
    Allow
    Neither device was able to connect
    -------------
    TC5
    Rule1
    sAMAccountName  EXISTS
    Active-Sessions NOT_EXISTS
    Allow
    Both connected
    -------------




  • 4.  RE: Block concurrent connections (active-sessions?)

    Posted Feb 28, 2023 07:27 AM

    Hi, have you tried: Active-Sessions LESS_THAN_OR_EQUALS 1 or EQUALS 1?

    I hope this helps.
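A way to reason about the test matrix in post 3, as an added example that is not part of the thread and not ClearPass code: a toy evaluator for the AND-ed rule conditions, run once with the Insight Active-Sessions attribute absent and once with it present. It assumes common operator semantics (a comparison against a missing attribute is false, NOT_EXISTS is true); the user name and session counts are constructed.

```python
# Added example, not from the thread or from ClearPass: a toy evaluator for
# the AND-ed conditions in the test cases above. It ASSUMES the usual
# semantics for a missing attribute: any comparison (EQUALS,
# LESS_THAN_OR_EQUALS) against an absent value is false, EXISTS is false and
# NOT_EXISTS is true. Attribute names come from the thread; the user name
# and session counts are constructed.

def check(op, value, arg=None):
    """Evaluate one condition; `value` is None when the attribute is absent."""
    if op == "EXISTS":
        return value is not None
    if op == "NOT_EXISTS":
        return value is None
    if value is None:          # a missing attribute never satisfies a comparison
        return False
    if op == "EQUALS":
        return value == arg
    if op == "LESS_THAN_OR_EQUALS":
        return value <= arg
    raise ValueError(f"unknown operator {op}")

def rule_allows(rule, attrs):
    """A rule matches only when all of its conditions match (AND)."""
    return all(check(op, attrs.get(name), arg) for name, op, arg in rule)

def connect_devices(rule, n_devices, sessions_attr_present):
    """Connect n devices for one user in turn; return how many are admitted.
    When the attribute is present it holds the number of sessions already
    established for that user (constructed behaviour, an assumption)."""
    connected = 0
    for _ in range(n_devices):
        attrs = {"sAMAccountName": "jdoe"}          # constructed user
        if sessions_attr_present:
            attrs["Active-Sessions"] = connected
        if rule_allows(rule, attrs):
            connected += 1
    return connected

# Rules copied from the thread's TC3, TC4 and TC5
TC3 = [("sAMAccountName", "EXISTS", None), ("Active-Sessions", "LESS_THAN_OR_EQUALS", 0)]
TC4 = [("sAMAccountName", "EXISTS", None), ("Active-Sessions", "EQUALS", 0)]
TC5 = [("sAMAccountName", "EXISTS", None), ("Active-Sessions", "NOT_EXISTS", None)]

if __name__ == "__main__":
    for name, rule in (("TC3", TC3), ("TC4", TC4), ("TC5", TC5)):
        print(name, "attr absent ->", connect_devices(rule, 2, False),
              "| attr present ->", connect_devices(rule, 2, True))
```

Under this model the "attribute absent" column reproduces the outcomes reported for TC3, TC4 and TC5 (0, 0 and 2 devices), while the "attribute present" column gives the one-device behaviour the original post is after, so checking what the Insight lookup actually returns for the user is the first thing to verify.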