Security

  • 1.  clearpass active session restriction

    Posted Nov 05, 2024 12:21 PM

    Hi Airheads,

    Just wondered what the recommended way for restricting guest users' access to one device is?

    I have a guest portal backed off to AD, and when the user logs on with username\password I'm writing the user account to the endpoint repository,

    and I'd like to block access if another device tries to use the same account details.

    I'd like to use an enforcement profile that denies access when more than one device is being used (one account\one device).

    Do you have to use Insight or is there a simpler way?

    cheers

    Pete



  • 2.  RE: clearpass active session restriction

    Posted Nov 05, 2024 12:58 PM

    Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

    ******
    [Insight Repository]
    +++++++++++++
    ARUBA VERSION
    New filter "Custom-ConcurrentSessions-PreAuth-User" to find concurrent sessions currently active through interim accounting updates
    To be used in role mappings for Application/WebAuth where %{Authentication:Username} will exist
    SELECT count(distinct calling_station_id) as active_sessions
    FROM radius_acct
    WHERE end_time IS null
    AND username = '%{Authentication:Username}'
    AND LEFT(ssid,LENGTH('%{Application:WebLoginURL:essid}')) = '%{Application:WebLoginURL:essid}'
    AND updated_at > now() - interval '12 minutes'
    - active_sessions: ActiveSessions-PreAuth-User, Integer
    ******
    [Insight Repository]
    +++++++++++++
    ARUBA VERSION
    New filter "Custom-ConcurrentSessions-User" to find concurrent sessions currently active through interim accounting updates
    To be used in role mappings where %{Authentication:Username} will exist
    SELECT count(distinct calling_station_id) as active_sessions
    FROM radius_acct
    WHERE end_time IS null
    AND username = '%{Authentication:Username}'
    AND ssid = '%{Connection:SSID}'
    AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
    AND updated_at > now() - interval '12 minutes'
    - active_sessions: ActiveSessions-User, Integer
    ******
    [Insight Repository]
    +++++++++++++
    ARUBA VERSION
    New filter "Custom-ConcurrentSessions-Endpoint" to find concurrent sessions currently active through interim accounting updates
    To be used in role mappings where %{Endpoint:Username} will exist
    SELECT count(distinct calling_station_id) as active_sessions
    FROM radius_acct
    WHERE end_time IS null
    AND username = '%{Endpoint:Username}'
    AND ssid = '%{Connection:SSID}'
    AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
    AND updated_at > now() - interval '12 minutes'
    - active_sessions: ActiveSessions-Endpoint, Integer

    Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

    ******
    [Guest User Repository]
    New filter "Custom-SimultaneousUse-User" to return the simultaneous_use attribute based on Authentication:Username
    SELECT tgu.attributes ->> 'simultaneous_use' AS simultaneous_use_user
    FROM tips_guest_users AS tgu
    WHERE ((tgu.guest_type = 'USER')
    AND (tgu.user_id = '%{Authentication:Username}')
    AND (app_name != 'Onboard'))
    - simultaneous_use_user: SimultaneousUse-User, Integer
    ******
    [Guest User Repository]
    New filter "Custom-SimultaneousUse-Endpoint" to return the simultaneous_use attribute based on Endpoint:Username
    SELECT tgu.attributes ->> 'simultaneous_use' AS simultaneous_use_endpoint
    FROM tips_guest_users AS tgu
    WHERE ((tgu.guest_type = 'USER')
    AND (tgu.user_id = '%{Endpoint:Username}')
    AND (app_name != 'Onboard'))
    - simultaneous_use_endpoint: SimultaneousUse-Endpoint, Integer

    ******
    [Guest User Repository]
    New filter "Custom-RemainingExpiration-User" to return the account expiration timestamp and time remaining until expiration for a guest account.
    This accounts for Account Lifetime (expire_postlogin) when calculating the account expiration time and remaining time,
    rather than reading the current value and returning blindly.
    SELECT
      CASE
        WHEN (expire_time > CURRENT_TIMESTAMP(0)) AND ((attributes->>'expire_postlogin')::int != 0)
          THEN (CURRENT_TIMESTAMP(0) + ((attributes->>'expire_postlogin')::text || ' minutes')::interval)
        ELSE expire_time::timestamp
      END AS guest_account_expiry,
      CASE
        WHEN (expire_time > CURRENT_TIMESTAMP(0)) AND ((attributes->>'expire_postlogin')::int = 0)
          THEN extract(epoch FROM (expire_time - CURRENT_TIMESTAMP(0)))::int
        WHEN (expire_time > CURRENT_TIMESTAMP(0)) AND ((attributes->>'expire_postlogin')::int != 0)
          THEN extract(epoch FROM ((CURRENT_TIMESTAMP(0) + ((attributes->>'expire_postlogin')::text || ' minutes')::interval) - CURRENT_TIMESTAMP(0)))::int
        ELSE 0
      END AS guest_remaining_expiration
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = '%{Authentication:Username}') AND (app_name != 'Onboard'));
    - guest_account_expiry: GuestAccountExpiry, Date-Time
    - guest_remaining_expiration: RemainingExpiration-User, Integer
    ******
    [Guest User Repository]
    New filter "Custom-RemainingExpiration-Endpoint" to return the time remaining until expiration for a guest account based on Endpoint:Username
    SELECT
      CASE
        WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - now())) AS INTEGER)
        ELSE 0
      END AS remaining_expiration,
      expire_time::timestamp AS expire_time_endpoint
    FROM tips_guest_users
    WHERE ((guest_type = 'USER')
    AND (user_id = '%{Endpoint:Username}')
    AND (app_name != 'Onboard'))
    - remaining_expiration: RemainingExpiration-Endpoint, Integer
    - expire_time_endpoint: ExpireTime-Endpoint, Date-Time


    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
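    The following is an added example, not code from the thread or from ClearPass: it ports the "Custom-ConcurrentSessions-User" query above onto a constructed radius_acct table in sqlite3 (standing in for the Insight PostgreSQL database) and applies the role-mapping decision Carson describes in the replies (deny once the account already has `limit` other devices online). The table layout, the sample accounting rows, the fixed reference time and the role names are all constructed for the demonstration. It also shows what the `updated_at` window buys you: a session whose NAS never sent an Accounting-Stop, and has stopped sending interim updates, drops out of the count after 12 minutes, which is why the reply insists on interim accounting at 10 minutes or less.

```python
import sqlite3
from datetime import datetime, timedelta

# Fixed reference time so the example is reproducible (constructed value).
NOW = datetime(2024, 11, 5, 12, 0, 0)
FMT = "%Y-%m-%d %H:%M:%S"


def ts(minutes_ago):
    """Timestamp string `minutes_ago` minutes before NOW (sortable text, like the DB column)."""
    return (NOW - timedelta(minutes=minutes_ago)).strftime(FMT)


# Constructed accounting rows mirroring the radius_acct columns the Insight query uses:
# (username, ssid, calling_station_id, end_time, updated_at)
ROWS = [
    ("student1", "Guest", "AAAAAAAAAAAA", None,  ts(3)),   # live: interim update 3 min ago
    ("student1", "Guest", "BBBBBBBBBBBB", None,  ts(40)),  # stale: no Stop, no interim for 40 min
    ("student1", "Guest", "CCCCCCCCCCCC", ts(5), ts(5)),   # closed: Accounting-Stop received
    ("student1", "Corp",  "EEEEEEEEEEEE", None,  ts(2)),   # other SSID, not counted
    ("student2", "Guest", "DDDDDDDDDDDD", None,  ts(1)),   # other user, not counted
]


def build_db(rows=ROWS):
    """In-memory stand-in for the Insight radius_acct table (hypothetical schema subset)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE radius_acct (
               username TEXT, ssid TEXT, calling_station_id TEXT,
               end_time TEXT, updated_at TEXT)"""
    )
    conn.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def active_sessions(conn, username, ssid, client_mac, now=NOW, window=timedelta(minutes=12)):
    """Port of Custom-ConcurrentSessions-User: count distinct client MACs that hold an
    open session for this user on this SSID, excluding the client that is authenticating
    right now (so a re-auth of an existing device does not count itself), and, when
    `window` is set, excluding rows not refreshed by interim accounting inside the window."""
    sql = """SELECT count(DISTINCT calling_station_id)
             FROM radius_acct
             WHERE end_time IS NULL
               AND username = ?
               AND ssid = ?
               AND calling_station_id != ?"""
    params = [username, ssid, client_mac]
    if window is not None:
        # Equivalent of: AND updated_at > now() - interval '12 minutes'
        sql += " AND updated_at > ?"
        params.append((now - window).strftime(FMT))
    return conn.execute(sql, params).fetchone()[0]


def guest_role(active, limit):
    """Role-mapping decision (role names are constructed): over the limit when the
    account already has `limit` other devices online, e.g. limit 1 = one account, one device."""
    return "Guest-Over-Limit" if active >= limit else "Guest-Allowed"


if __name__ == "__main__":
    conn = build_db()
    new_dev = active_sessions(conn, "student1", "Guest", "FFFFFFFFFFFF")
    reauth = active_sessions(conn, "student1", "Guest", "AAAAAAAAAAAA")
    no_win = active_sessions(conn, "student1", "Guest", "FFFFFFFFFFFF", window=None)
    print(f"new device sees {new_dev} other active session(s) -> {guest_role(new_dev, 1)}")
    print(f"re-auth of AAAA sees {reauth} other session(s)   -> {guest_role(reauth, 1)}")
    print(f"without the interim window the stale row counts too: {no_win}")
```

    Run as-is it shows a second device being mapped to the over-limit role with a limit of 1, the existing device re-authenticating cleanly, and the stale session inflating the count only when the `updated_at` filter is dropped. In production the limit would come from the SimultaneousUse filters above (dynamic) or be a fixed number in the role mapping (static), as the later reply notes.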



  • 3.  RE: clearpass active session restriction

    Posted Nov 05, 2024 01:59 PM

    Thanks for getting back, Carson,

    Quick question.

    As this process relies on RADIUS accounting and interim accounting:

    1. What if the concurrent user (someone using the same account details on another device) is not active?

    cheers

    Pete



  • 4.  RE: clearpass active session restriction

    Posted Nov 05, 2024 02:07 PM

    What about it?  If your concurrent session limit is 2, that account is allowed two sessions (two devices connected).  If they attempt a third, that will be denied.  If they disconnect a device and the session is marked as stopped, then they can connect a different device.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: clearpass active session restriction

    Posted Nov 05, 2024 02:37 PM

    Hi Carson,

    I'm afraid I explained the problem incorrectly.

    I'll start again.

    We have a customer who is giving students access via their AD credentials.

    So we set up a guest portal backed off to AD (the customer said they didn't want them to use PEAP MSCHAPv2).

    The customer has said they don't want the students sharing their account credentials with other students.

    So what I want to do is ensure that only one device is used per account.

    cheers

    peter




  • 6.  RE: clearpass active session restriction

    Posted Nov 05, 2024 02:46 PM

    Ah.  Yeah, that's not going to go very well considering randomized MAC address implementations.  If they used the unique device count, part of the base implementation when you use the wizard to create the services, then they would be resetting things daily as the MAC addresses changed.

    They can restrict access to a single concurrent device, let everyone know that a single device is all they are allowed, and go from there.

    Or they can go with a managed solution like Onboard.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: clearpass active session restriction

    Posted Nov 05, 2024 03:10 PM

    We've been through Onboard with the customer, but they wanted something a bit simpler to implement.

    Good point about randomized MAC, and I have told the customer that as a prerequisite the students MUST turn this off.

    So on that basis, how would my enforcement profile look?

    Do I still use Insight?




  • 8.  RE: clearpass active session restriction

    Posted Nov 05, 2024 03:40 PM

    Assuming you're talking about the concurrent sessions:

    • Use a role mapping.  You could do the test in the enforcement policy, but that gets messy.
    • You test current number of sessions against whatever limit is set, dynamic or static.
    • The query is against the Insight database, so yes, Insight is required.

    Students won't turn off MAC randomization.  Take that as a given.  Depending on where you are, mandating that is probably a violation of privacy requirements.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------