That's going to restrict the maximum number of unique endpoints that can be tagged with that specific username. It is important to note that behavior, as it requires manual intervention or cleanup of an inactive endpoint entry for any other device to be used by that user.
If the goal is a maximum of two concurrent connected devices for that user, then you need to use queries against Insight to retrieve the number of currently active sessions and allow/disallow based on that value.
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-PreAuth-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings for Application/WebAuth where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND LEFT(ssid,LENGTH('%{Application:WebLoginURL:essid}')) = '%{Application:WebLoginURL:essid}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-PreAuth-User, Integer
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-User, Integer
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-Endpoint" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Endpoint:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Endpoint:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-Endpoint, Integer
------------------------------
Carson Hulcher, ACEX#110
------------------------------
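Added example, not part of the original post and not Aruba's code: the "Custom-ConcurrentSessions-User" filter above, adapted to SQLite and run over constructed accounting rows to show which sessions it counts. The table contents, MAC addresses, fixed clock and the allow() threshold are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timedelta

# SQLite adaptation of the "Custom-ConcurrentSessions-User" filter: the %{...}
# macros become bound parameters and now() - interval becomes :cutoff.
FILTER = """
SELECT count(DISTINCT calling_station_id) AS active_sessions
FROM radius_acct
WHERE end_time IS NULL AND username = :username AND ssid = :ssid
  AND calling_station_id != :mac AND updated_at > :cutoff
"""
FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2025, 6, 10, 22, 4, 23)  # fixed clock so results are repeatable

def ago(minutes):
    return (NOW - timedelta(minutes=minutes)).strftime(FMT)

# Constructed rows: username, calling_station_id, ssid, end_time, updated_at
ROWS = [
    ("shen", "AABBCC000001", "LAB", None, ago(3)),      # live session
    ("shen", "AABBCC000002", "LAB", None, ago(5)),      # live session
    ("shen", "AABBCC000003", "LAB", None, ago(45)),     # no Stop seen, updates ceased
    ("shen", "AABBCC000004", "LAB", ago(20), ago(20)),  # closed by accounting Stop
    ("shen", "AABBCC000005", "OTHER", None, ago(2)),    # different SSID
    ("other", "AABBCC000006", "LAB", None, ago(1)),     # different user
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radius_acct (username TEXT, calling_station_id TEXT,"
               " ssid TEXT, end_time TEXT, updated_at TEXT)")
    db.executemany("INSERT INTO radius_acct VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def other_sessions(db, username, ssid, mac, window_min=12):
    """Sessions for this user on this SSID from devices other than `mac`."""
    cutoff = (NOW - timedelta(minutes=window_min)).strftime(FMT)
    args = {"username": username, "ssid": ssid, "mac": mac, "cutoff": cutoff}
    return db.execute(FILTER, args).fetchone()[0]

def allow(db, username, ssid, mac, limit=2):
    # Assumed rule: the connecting device is excluded from the count, so it is
    # admitted only while fewer than `limit` other devices are active.
    return other_sessions(db, username, ssid, mac) < limit

if __name__ == "__main__":
    db = build_db()
    for mac in ("AABBCC000001", "AABBCC000009"):
        print(mac, other_sessions(db, "shen", "LAB", mac), allow(db, "shen", "LAB", mac))
```

The row that never received a Stop is ignored only because its last update falls outside the 12-minute window; widening the window makes that stale session count against the user again.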
Original Message:
Sent: Jun 10, 2025 11:42 AM
From: zemerick1
Subject: How to Configure 802.1X with AD Authentication and Per-User Device Limits in Aruba CPPM?
You can't restrict it on the first authN attempt as CPPM doesn't know anything about the client. However, when the client authenticates you can send back the Endpoint Username attribute with the value of the username used as shown below. This will get added to every Endpoint that the user authenticates from. CPPM will tabulate it automatically.

Then all that is required is the rule that you used in your post. FYI, less than 2 is going to match on 1, so you can't use that. Use GREATER THAN OR EQUAL to 2.
------------------------------
ACEX #137
Original Message:
Sent: Jun 10, 2025 11:35 AM
From: shen
Subject: How to Configure 802.1X with AD Authentication and Per-User Device Limits in Aruba CPPM?
I'm not very familiar with CPPM configuration.
I set the Enforcement policy to Authorization:[Endpoints Repository]:Unique-Device-Count less than 2,
but if the device hasn't been authenticated before, there is no count in the Endpoints Repository.
How should I set this up?
Original Message:
Sent: Jun 10, 2025 11:06 AM
From: zemerick1
Subject: How to Configure 802.1X with AD Authentication and Per-User Device Limits in Aruba CPPM?
You need to update the endpoint with the username after a successful authentication. Then you can utilize the Authorization:[Endpoints Repository]:Unique-Device-Count attribute to set your desired device count. The Endpoint Repository needs to be selected as an authZ source in your service.
------------------------------
ACEX #137
Original Message:
Sent: Jun 10, 2025 10:33 AM
From: shen
Subject: How to Configure 802.1X with AD Authentication and Per-User Device Limits in Aruba CPPM?
I want to configure 802.1X in Aruba CPPM with authentication through Active Directory, and I also want to limit each user to connecting only two devices. However, I haven't been able to get this feature working. What is the best way to achieve this?
Request Details Summary -
Session Identifier: R00000021-01-68483b67
Date and Time: Jun 10, 2025 22:04:23 CST
Username: shen
End-Host Identifier:
Access Device IP/Port:
Access Device Name: 172.16.11.10
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT
Policies Used -
Service: 802.1x 802.1X Wireless
Authentication Method: EAP-PEAP
Authentication Source: AD:
Authorization Source: [Guest User Repository], [Guest Device Repository], [Insight Repository], kk.com
Roles: [User Authenticated]
Enforcement Profiles: [Update Endpoint Known], _Guest Auth MAC Caching MAC Caching Session Limit, kk-test Guest MAC Caching, kk-802.1x 802.1X Wireless Profile1, [Allow Access Profile]
Service Monitor Mode: Disabled
Input RADIUS Attributes -
Radius:Aruba:Aruba-AP-Group = OA
Radius:Aruba:Aruba-Essid-Name = LAB
Radius:Aruba:Aruba-Location-Id = 505
Radius:IETF:Called-Station-Id =
Radius:IETF:Calling-Station-Id =
Radius:IETF:Framed-MTU = 1100
Radius:IETF:NAS-Identifier = 172.16.11.10
Radius:IETF:NAS-IP-Address = 172.16.11.10
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 2
Radius:IETF:User-Name = shen
Input Computed Attributes -
Authentication:ErrorCode = 0
Authentication:Full-Username = shen
Authentication:MacAuth = NotApplicable
Authentication:NetBIOS-Name = kk
Authentication:OuterMethod = EAP-PEAP
Authentication:Posture = Unknown
Authentication:Source = kk.com
Authentication:Status = User
Authentication:Username = shen
Authorization:Sources = [Guest User Repository], [Guest Device Repository], [Insight Repository], kk.com
Connection:AP-Name = kk_OA-505
Connection:Client-Mac-Address =
Connection:Client-Mac-Address-Colon =
Connection:Client-Mac-Address-Dot =
Connection:Client-Mac-Address-Hyphen =
Connection:Client-Mac-Address-NoDelim =
Connection:Client-Mac-Address-Upper-Hyphen =
Connection:Client-Mac-Vendor = TP-Link Corporation Limited
Connection:Dest-IP-Address = 172.16.11.200
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 172.16.11.10
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 172.16.11.10
Connection:Src-Port = 37351
Connection:SSID = LAB
Date:Date-Time = 2025-06-10 22:04:23
Endpoint:Guest Role ID = %{GuestUser:Role ID}
Endpoint:MAC-Auth Expiry = %{Authorization:[Guest User Repository]:ExpireTime}
Endpoint:Username = shen
Input Authorization Attributes -
Authorization:kk.com:Account Expires = 9223372036854775807 [30828-09-14 10:48:05 CST]
Authorization:kk.com:groupName = Administrators, Remote Desktop Users
Output RADIUS Attributes -
Endpoint:Guest Role ID = %{GuestUser:Role ID}
Endpoint:MAC-Auth Expiry = %{Authorization:[Guest User Repository]:ExpireTime}
Endpoint:Username = shen
Post-Auth-Check:Action = Disconnect and Block Access
Radius:Aruba:Aruba-User-Role = all
Session-Check:Active-Session-Count = %{GuestUser:simultaneous_use}
Status-Update:Endpoint = Known
Alerts -
Error Code: 0
Error Category: Success
Error Message: Success
Alerts for this Request -
Policy server: Failed to get value for attributes=[ExpireTime]