Security

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

thanks for getting back Carson,

quick question.

As this process relies on RADIUS accounting and Interim accounting.

1. what if the concurrent user (someone using the same account details on another device) is not active ? cheers Pete

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

What about it?  If your concurrent session limit is 2, that account is allowed two sessions (two devices connected).  If they attempt a third, that will be denied.  If they disconnect a device and the session is marked as stopped, then they can connect a different device.

thanks for getting back Carson,

quick question.

As this process relies on RADIUS accounting and Interim accounting.

1. what if the concurrent user (someone using the same account details on another device) is not active ? cheers Pete

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

hi Carson,

i'm afriad i explained the problem incorrectly.

i'll start agin.

we have a customer who is giving students access via their AD credentials.

so we set up a guest portal backed off to AD. (the customer said they didn't want them to use PEAP MSCHAPv2)

The customer has said they don't want the students sharing their account name credentials with other students.

so what i want to do is ensure that only one device per account.

cheers

peter

What about it?  If your concurrent session limit is 2, that account is allowed two sessions (two devices connected).  If they attempt a third, that will be denied.  If they disconnect a device and the session is marked as stopped, then they can connect a different device.

thanks for getting back Carson,

quick question.

As this process relies on RADIUS accounting and Interim accounting.

1. what if the concurrent user (someone using the same account details on another device) is not active ? cheers Pete

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Ah.  Yeah, that's not going to go very well considering randomized MAC address implementations.  If they used the unique device count, part of the base implementation when you use the wizard to create the services, then they would be resetting things daily as the MAC addresses changed.

They can restrict access to a single concurrent device, let everyone know that a single device is all they are allowed, and go from there.

Or they can go with a managed solution like Onboard.

hi Carson,

i'm afriad i explained the problem incorrectly.

i'll start agin.

we have a customer who is giving students access via their AD credentials.

so we set up a guest portal backed off to AD. (the customer said they didn't want them to use PEAP MSCHAPv2)

The customer has said they don't want the students sharing their account name credentials with other students.

so what i want to do is ensure that only one device per account.

cheers

peter

What about it?  If your concurrent session limit is 2, that account is allowed two sessions (two devices connected).  If they attempt a third, that will be denied.  If they disconnect a device and the session is marked as stopped, then they can connect a different device.

thanks for getting back Carson,

quick question.

As this process relies on RADIUS accounting and Interim accounting.

1. what if the concurrent user (someone using the same account details on another device) is not active ? cheers Pete

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

we've been through Onboard with the customer but they wanted something a bit simpler to implement.

good point about randomized MAC and i have told the customer that as a pre-requisite the students MUST turn this off.

So on that basis how would my enforcement profile look ?

do i still use Insight?

Ah.  Yeah, that's not going to go very well considering randomized MAC address implementations.  If they used the unique device count, part of the base implementation when you use the wizard to create the services, then they would be resetting things daily as the MAC addresses changed.

They can restrict access to a single concurrent device, let everyone know that a single device is all they are allowed, and go from there.

Or they can go with a managed solution like Onboard.

hi Carson,

i'm afriad i explained the problem incorrectly.

i'll start agin.

we have a customer who is giving students access via their AD credentials.

so we set up a guest portal backed off to AD. (the customer said they didn't want them to use PEAP MSCHAPv2)

The customer has said they don't want the students sharing their account name credentials with other students.

so what i want to do is ensure that only one device per account.

cheers

peter

What about it?  If your concurrent session limit is 2, that account is allowed two sessions (two devices connected).  If they attempt a third, that will be denied.  If they disconnect a device and the session is marked as stopped, then they can connect a different device.

thanks for getting back Carson,

quick question.

As this process relies on RADIUS accounting and Interim accounting.

1. what if the concurrent user (someone using the same account details on another device) is not active ? cheers Pete

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Dear @chulcher,

sorry to ask, are you add or edit this script on insight repository with your script sir ?

and are you write your rule enforcement like this one ?

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Those queries get added as new filters for the Insight repository.  I prefer to write a role assignment that determines too many sessions are being used and then have an enforcement rule that denies access based on that role.  That way I have a known and specific reason for the session to be denied rather than having to interpret what is missing from the session.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 05:07 AM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

sorry to ask, are you add or edit this script on insight repository with your script sir ?

and are you write your rule enforcement like this one ?

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Nov 05, 2024 12:58 PM
From: chulcher
Subject: clearpass active session restriction

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 05, 2024 12:20 PM
From: peter.elms
Subject: clearpass active session restriction

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Dear @chulcher,

thanks for your response,

is this how you do it sir ?

and after i'm apply it as rule, i got rejected, and got message like this one

thankyou

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Apr 21, 2025 09:26 AM
From: chulcher
Subject: clearpass active session restriction

Those queries get added as new filters for the Insight repository.  I prefer to write a role assignment that determines too many sessions are being used and then have an enforcement rule that denies access based on that role.  That way I have a known and specific reason for the session to be denied rather than having to interpret what is missing from the session.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 05:07 AM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

sorry to ask, are you add or edit this script on insight repository with your script sir ?

and are you write your rule enforcement like this one ?

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Nov 05, 2024 12:58 PM
From: chulcher
Subject: clearpass active session restriction

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 05, 2024 12:20 PM
From: peter.elms
Subject: clearpass active session restriction

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Are you attempting that check for an Application or WebLogin service?  That query is meant primarily to be used with a pre-auth service for validating session count during a captive portal flow.  If you're attempting the check against a RADIUS auth then you'll want to use one of the other queries, either User (username is provided) or Endpoint (MAC auth for captive portal caching) depending on what stage you are in.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 11:21 PM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

thanks for your response,

is this how you do it sir ?

and after i'm apply it as rule, i got rejected, and got message like this one

thankyou

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Apr 21, 2025 09:26 AM
From: chulcher
Subject: clearpass active session restriction

Those queries get added as new filters for the Insight repository.  I prefer to write a role assignment that determines too many sessions are being used and then have an enforcement rule that denies access based on that role.  That way I have a known and specific reason for the session to be denied rather than having to interpret what is missing from the session.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 05:07 AM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

sorry to ask, are you add or edit this script on insight repository with your script sir ?

and are you write your rule enforcement like this one ?

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Nov 05, 2024 12:58 PM
From: chulcher
Subject: clearpass active session restriction

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 05, 2024 12:20 PM
From: peter.elms
Subject: clearpass active session restriction

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

Dear @chulcher

sorry, i mean I need it for radius authentication,

for now, i could login with these new filter, thanks,

i'm restrict just 2 device that could connect to network, and when i try to connect the third device, its successfully blocked,

but when i try to log out 1st device and waiting for 10 minutes, with 2nd device still connected, i could connect with 3rd and 1st device again to network, while 2nd device still connected to network, so for now, active session count 1st and 2nd device have same status count,

any suggestions sir ?

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Apr 22, 2025 02:03 AM
From: chulcher
Subject: clearpass active session restriction

Are you attempting that check for an Application or WebLogin service?  That query is meant primarily to be used with a pre-auth service for validating session count during a captive portal flow.  If you're attempting the check against a RADIUS auth then you'll want to use one of the other queries, either User (username is provided) or Endpoint (MAC auth for captive portal caching) depending on what stage you are in.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 11:21 PM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

thanks for your response,

is this how you do it sir ?

and after i'm apply it as rule, i got rejected, and got message like this one

thankyou

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Apr 21, 2025 09:26 AM
From: chulcher
Subject: clearpass active session restriction

Those queries get added as new filters for the Insight repository.  I prefer to write a role assignment that determines too many sessions are being used and then have an enforcement rule that denies access based on that role.  That way I have a known and specific reason for the session to be denied rather than having to interpret what is missing from the session.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 05:07 AM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

sorry to ask, are you add or edit this script on insight repository with your script sir ?

and are you write your rule enforcement like this one ?

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Nov 05, 2024 12:58 PM
From: chulcher
Subject: clearpass active session restriction

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 05, 2024 12:20 PM
From: peter.elms
Subject: clearpass active session restriction

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete

You'll need to share more of the information from the access tracker for the first device reconnecting to have an idea of what happened, along with the logic configured to determine the number of allowed devices.  The query is dependent on the accounting information being correct, you can definitely manage to get multiple devices online if you attempt to connect them all at the same time and the query is working with data that is stale.

Dear @chulcher

sorry, i mean I need it for radius authentication,

for now, i could login with these new filter, thanks,

i'm restrict just 2 device that could connect to network, and when i try to connect the third device, its successfully blocked,

but when i try to log out 1st device and waiting for 10 minutes, with 2nd device still connected, i could connect with 3rd and 1st device again to network, while 2nd device still connected to network, so for now, active session count 1st and 2nd device have same status count,

any suggestions sir ?

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Apr 22, 2025 02:03 AM
From: chulcher
Subject: clearpass active session restriction

Are you attempting that check for an Application or WebLogin service?  That query is meant primarily to be used with a pre-auth service for validating session count during a captive portal flow.  If you're attempting the check against a RADIUS auth then you'll want to use one of the other queries, either User (username is provided) or Endpoint (MAC auth for captive portal caching) depending on what stage you are in.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 11:21 PM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

thanks for your response,

is this how you do it sir ?

and after i'm apply it as rule, i got rejected, and got message like this one

thankyou

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Apr 21, 2025 09:26 AM
From: chulcher
Subject: clearpass active session restriction

Those queries get added as new filters for the Insight repository.  I prefer to write a role assignment that determines too many sessions are being used and then have an enforcement rule that denies access based on that role.  That way I have a known and specific reason for the session to be denied rather than having to interpret what is missing from the session.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Apr 21, 2025 05:07 AM
From: hudaya1991
Subject: clearpass active session restriction

Dear @chulcher,

sorry to ask, are you add or edit this script on insight repository with your script sir ?

and are you write your rule enforcement like this one ?

------------------------------
Regards,

Hudaya

ACCP, ATP, ACP-CA

Original Message:
Sent: Nov 05, 2024 12:58 PM
From: chulcher
Subject: clearpass active session restriction

Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value.  I should write this all up some day as a full solution, but here are the queries I use.  Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.

Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 05, 2024 12:20 PM
From: peter.elms
Subject: clearpass active session restriction

hi Airheads,

just wondered what the recommended way for restricting access to guest users to one device is?

i have a guest portal backed off to AD and when the user logs on with username\password i'm writing the user account to the endpoint repository

and i'd like to block access if another device tries to use the same account details

i'd like to use an enforcement profile that denies access when one more than one device is being used (one account\one device)

Do you have to use Insight or is there a simpler way?

cheers

Pete