Students won't turn off MAC randomization. Take that as a given. Depending on where you are, mandating that is probably a violation of privacy requirements.
Original Message:
Sent: Nov 05, 2024 03:10 PM
From: peter.elms
Subject: clearpass active session restriction
We've been through Onboard with the customer, but they wanted something a bit simpler to implement.
Good point about randomized MAC, and I have told the customer that as a prerequisite the students MUST turn this off.
So on that basis, how would my enforcement profile look?
Do I still use Insight?
Original Message:
Sent: Nov 05, 2024 02:45 PM
From: chulcher
Subject: clearpass active session restriction
Ah. Yeah, that's not going to go very well considering randomized MAC address implementations. If they used the unique device count, part of the base implementation when you use the wizard to create the services, then they would be resetting things daily as the MAC addresses changed.
They can restrict access to a single concurrent device, let everyone know that a single device is all they are allowed, and go from there.
Or they can go with a managed solution like Onboard.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 05, 2024 02:37 PM
From: peter.elms
Subject: clearpass active session restriction
Hi Carson,
I'm afraid I explained the problem incorrectly.
I'll start again.
We have a customer who is giving students access via their AD credentials.
So we set up a guest portal backed off to AD (the customer said they didn't want them to use PEAP MSCHAPv2).
The customer has said they don't want the students sharing their account credentials with other students.
So what I want to do is ensure that there is only one device per account.
cheers
peter
Original Message:
Sent: Nov 05, 2024 02:07 PM
From: chulcher
Subject: clearpass active session restriction
What about it? If your concurrent session limit is 2, that account is allowed two sessions (two devices connected). If they attempt a third, that will be denied. If they disconnect a device and the session is marked as stopped, then they can connect a different device.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 05, 2024 01:59 PM
From: peter.elms
Subject: clearpass active session restriction
Thanks for getting back, Carson,
Quick question.
As this process relies on RADIUS accounting and interim accounting, what if the concurrent user (someone using the same account details on another device) is not active?
Cheers
Pete
Original Message:
Sent: Nov 05, 2024 12:58 PM
From: chulcher
Subject: clearpass active session restriction
Insight is required as you'll want to count the number of current sessions and then disallow new connections based on that value. I should write this all up some day as a full solution, but here are the queries I use. Note, you'll have to enable interim accounting on the NAS with an interval of 10 minutes or less.
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-PreAuth-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings for Application/WebAuth where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND LEFT(ssid,LENGTH('%{Application:WebLoginURL:essid}')) = '%{Application:WebLoginURL:essid}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-PreAuth-User, Integer
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-User, Integer
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-Endpoint" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Endpoint:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Endpoint:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-Endpoint, Integer
Bonus pieces: grab the simultaneous_use field from the relevant user account and figure out the remaining session time based on guest account expiration.
******
[Guest User Repository]
New filter "Custom-SimultaneousUse-User" to return the simultaneous_use attribute based on Authentication:Username
SELECT tgu.attributes ->>'simultaneous_use' AS simultaneous_use_user
FROM tips_guest_users as tgu
WHERE ((tgu.guest_type = 'USER')
AND (tgu.user_id = '%{Authentication:Username}')
AND (app_name != 'Onboard'))
- simultaneous_use_user: SimultaneousUse-User, Integer
******
[Guest User Repository]
New filter "Custom-SimultaneousUse-Endpoint" to return the simultaneous_use attribute based on Endpoint:Username
SELECT tgu.attributes ->>'simultaneous_use' AS simultaneous_use_endpoint
FROM tips_guest_users as tgu
WHERE ((tgu.guest_type = 'USER')
AND (tgu.user_id = '%{Endpoint:Username}')
AND (app_name != 'Onboard'))
- simultaneous_use_endpoint: SimultaneousUse-Endpoint, Integer
******
[Guest User Repository]
New filter "Custom-RemainingExpiration-User" to return the account expiration timestamp and time remaining until expiration for a guest account.
This accounts for Account Lifetime (expire_postlogin) when calculating the account expiration time and remaining time,
rather than reading the current value and returning blindly.
SELECT
CASE
WHEN (expire_time > CURRENT_TIMESTAMP(0)) AND ((attributes->>'expire_postlogin')::int != 0)
THEN (CURRENT_TIMESTAMP(0) + ((attributes->>'expire_postlogin')::text||' minutes')::interval)
ELSE expire_time::timestamp
END AS guest_account_expiry,
CASE
WHEN (expire_time > CURRENT_TIMESTAMP(0)) AND ((attributes->>'expire_postlogin')::int = 0)
THEN extract(epoch FROM (expire_time - CURRENT_TIMESTAMP(0)))::int
WHEN (expire_time > CURRENT_TIMESTAMP(0)) AND ((attributes->>'expire_postlogin')::int != 0)
THEN extract(epoch FROM ((CURRENT_TIMESTAMP(0) + ((attributes->>'expire_postlogin')::text||' minutes')::interval) - CURRENT_TIMESTAMP(0)))::int
ELSE 0
END AS guest_remaining_expiration
FROM tips_guest_users
WHERE ((guest_type = 'USER') AND (user_id = '%{Authentication:Username}') AND (app_name != 'Onboard'));
- guest_account_expiry: GuestAccountExpiry, Date-Time
- guest_remaining_expiration: RemainingExpiration-User, Integer
******
[Guest User Repository]
New filter "Custom-RemainingExpiration-Endpoint" to return the time remaining until expiration for a guest account based on Endpoint:Username
SELECT
CASE WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER)
ELSE 0
END AS remaining_expiration, expire_time::timestamp AS expire_time_endpoint
FROM tips_guest_users
WHERE ((guest_type = 'USER')
AND (user_id = '%{Endpoint:Username}')
AND (app_name != 'Onboard'))
- remaining_expiration: RemainingExpiration-Endpoint, Integer
- expire_time_endpoint: ExpireTime-Endpoint, Date-Time
------------------------------
Carson Hulcher, ACEX#110
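The decision logic behind the concurrent-session check above (count the live sessions for the account, compare with the limit, deny when the limit is reached, as described in the reply about a limit of 2), modelled in Python as an added illustration. This is not ClearPass code or Carson's own filter: the radius_acct rows are constructed sample data, the function names and the NoDelim MAC format are assumptions, and the filter mirrors the WHERE clause of "Custom-ConcurrentSessions-User" (no Stop record, same username and SSID, a different MAC than the one now authenticating, interim update inside the last 12 minutes). It also shows why the stale session without a Stop record stops counting once interim updates cease, and why a randomised MAC from the same device looks like a second device.

```python
"""Model of the ClearPass Insight concurrent-session check from the thread.
All rows below are constructed sample data, not real accounting records."""
from datetime import datetime, timedelta

NOW = datetime(2024, 11, 5, 14, 0, 0)          # constructed "now"
INTERIM_WINDOW = timedelta(minutes=12)          # matches: interval '12 minutes'


def acct(username, mac, ssid, updated_ago_min, stopped=False):
    """Build one constructed radius_acct row (MAC assumed in NoDelim form)."""
    last_update = NOW - timedelta(minutes=updated_ago_min)
    return {
        "username": username,
        "calling_station_id": mac,
        "ssid": ssid,
        "updated_at": last_update,
        "end_time": last_update if stopped else None,   # Stop record seen?
    }


SAMPLE_ACCT = [
    acct("alice", "aabbcc000001", "STUDENTS", 2),               # live, interim 2 min ago
    acct("alice", "aabbcc000002", "STUDENTS", 30),              # left without a Stop: stale
    acct("alice", "aabbcc000003", "STUDENTS", 5, stopped=True), # clean Stop record
    acct("alice", "aabbcc000004", "STAFF", 1),                  # live, but on another SSID
    acct("bob",   "aabbcc000010", "STUDENTS", 4),               # another account's session
]


def active_sessions(rows, username, ssid, current_mac, now=NOW):
    """Python equivalent of the Custom-ConcurrentSessions-User WHERE clause:
    distinct MACs with a live session for this user on this SSID, excluding
    the MAC that is authenticating right now (a re-auth from the same device
    must not count against itself) and sessions with no interim update in
    the last 12 minutes."""
    live = {
        r["calling_station_id"]
        for r in rows
        if r["end_time"] is None
        and r["username"] == username
        and r["ssid"] == ssid
        and r["calling_station_id"] != current_mac
        and r["updated_at"] > now - INTERIM_WINDOW
    }
    return len(live)


def decide(rows, username, ssid, current_mac, simultaneous_use, now=NOW):
    """Enforcement outcome: deny when the already-active devices reach the
    account's simultaneous_use limit, otherwise allow."""
    active = active_sessions(rows, username, ssid, current_mac, now)
    return "DENY" if active >= simultaneous_use else "ALLOW"


if __name__ == "__main__":
    # A second device for alice: one live session already, so denied at limit 1.
    print(decide(SAMPLE_ACCT, "alice", "STUDENTS", "aabbcc000099", 1))   # DENY
    # Same account with a limit of 2 is allowed.
    print(decide(SAMPLE_ACCT, "alice", "STUDENTS", "aabbcc000099", 2))   # ALLOW
    # alice's own live device re-authenticating is not counted against her.
    print(decide(SAMPLE_ACCT, "alice", "STUDENTS", "aabbcc000001", 1))   # ALLOW
    # Randomised MAC: the same phone with a fresh MAC looks like device two.
    print(decide(SAMPLE_ACCT, "alice", "STUDENTS", "0a1b2c3d4e5f", 1))   # DENY
```

The stale row (no Stop record, last interim update 30 minutes ago) is the case raised in the question about a concurrent user who is not active: it falls out of the count once the interim window passes, which is why the interim interval must be 10 minutes or less for the 12-minute window to work. The last call shows the randomised-MAC problem: the same device rejoining with a new MAC is indistinguishable from a second device.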
Original Message:
Sent: Nov 05, 2024 12:20 PM
From: peter.elms
Subject: clearpass active session restriction
Hi Airheads,
Just wondered what the recommended way of restricting guest users to one device is?
I have a guest portal backed off to AD, and when the user logs on with username\password I'm writing the user account to the endpoint repository,
and I'd like to block access if another device tries to use the same account details.
I'd like to use an enforcement profile that denies access when more than one device is being used (one account\one device).
Do you have to use Insight, or is there a simpler way?
cheers
Pete