How to limit ClearPass guest concurrent/simultaneous sessions?


This article is about restricting guest user concurrent sessions using the Insight database.



  • Insight should be enabled on at least one node in the cluster.
  • Accounting should be enabled with interim updates on the network devices (NAS).
  • Interim accounting should be logged on the ClearPass nodes as shown below.



The guest user's active device count can be retrieved from the Insight database with the following query.

select count(distinct calling_station_id) as active_sessions from radius_acct where end_time is null and username = '%{Authentication:Username}' and calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}' and updated_at > now() - interval '1 hour'


Note: This article is focused on finding a guest user's active devices on the network and restricting access when the limit is exceeded. Complete guest configuration is out of scope here; please visit the link below for ClearPass Guest integration or search our community for guest implementation queries.




1. Add the above query in the authentication source "[Insight Repository]" under Configuration >> Authentication >> Sources >> [Insight Repository] >> Attributes as shown below.


2. Map [Insight Repository] as an authorization source in the guest user authentication service and add the rule shown below to the enforcement policy to restrict the number of active guest sessions as required.

Note: Authorization tab may not be visible in the service if it is not enabled under the Service tab.


In the above rule the guest user's concurrent device limit is set to three devices.
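To show what the Insight query above actually counts, and why interim accounting updates matter, here is an added example that is not part of the original article or of ClearPass: it loads a constructed subset of the radius_acct table into an in-memory SQLite database, runs the same query with the Postgres expression now() - interval '1 hour' rewritten as a parameter, and applies the three-device limit. The column set, the sample rows and the "deny when the count reaches the limit" rule are assumptions made for this example.

```python
import sqlite3
from datetime import datetime, timedelta

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2017, 7, 25, 9, 0, 0)


def ts(dt):
    """Store timestamps as ISO text so SQLite compares them correctly."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample rows for an assumed subset of Insight's radius_acct
# table: (username, calling_station_id, start_time, updated_at, end_time).
# end_time is NULL while no Accounting-Stop has been received.
SAMPLE_ACCT_ROWS = [
    # three live sessions for guest1, each refreshed by a recent interim update
    ("guest1", "aabbccdd0001", NOW - timedelta(minutes=50), NOW - timedelta(minutes=5), None),
    ("guest1", "aabbccdd0002", NOW - timedelta(minutes=40), NOW - timedelta(minutes=8), None),
    ("guest1", "aabbccdd0003", NOW - timedelta(minutes=30), NOW - timedelta(minutes=2), None),
    # stale session: never closed, but the NAS stopped sending interim updates
    ("guest1", "aabbccdd0004", NOW - timedelta(hours=5), NOW - timedelta(hours=3), None),
    # closed session: Accounting-Stop received, end_time populated
    ("guest1", "aabbccdd0005", NOW - timedelta(hours=2), NOW - timedelta(minutes=90),
     NOW - timedelta(minutes=90)),
    # a different guest account
    ("guest2", "aabbccdd0009", NOW - timedelta(minutes=10), NOW - timedelta(minutes=1), None),
]

# The article's query with the ClearPass attribute substitutions replaced by
# bound parameters; the one-hour window becomes the :cutoff parameter.
ACTIVE_SESSIONS_SQL = """
select count(distinct calling_station_id) as active_sessions
from radius_acct
where end_time is null
  and username = :username
  and calling_station_id != :client_mac
  and updated_at > :cutoff
"""


def build_insight_db(rows=SAMPLE_ACCT_ROWS):
    """Create the assumed radius_acct table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table radius_acct (username text, calling_station_id text, "
        "start_time text, updated_at text, end_time text)"
    )
    conn.executemany(
        "insert into radius_acct values (?, ?, ?, ?, ?)",
        [(u, mac, ts(s), ts(up), ts(e) if e else None) for u, mac, s, up, e in rows],
    )
    return conn


def active_sessions(conn, username, client_mac, now=NOW):
    """Count other devices with an open, recently updated session for this user."""
    params = {"username": username, "client_mac": client_mac,
              "cutoff": ts(now - timedelta(hours=1))}
    (count,) = conn.execute(ACTIVE_SESSIONS_SQL, params).fetchone()
    return count


def enforcement_decision(active, limit=3):
    """Assumed enforcement rule: deny once the other-device count reaches the limit."""
    return "DENY" if active >= limit else "ALLOW"


if __name__ == "__main__":
    db = build_insight_db()
    for user, mac in [("guest1", "aabbccdd0099"), ("guest1", "aabbccdd0001"),
                      ("guest2", "aabbccdd0099")]:
        n = active_sessions(db, user, mac)
        print(f"{user} from {mac}: active_sessions={n} -> {enforcement_decision(n)}")
```

The stale row for guest1 shows why the prerequisites insist on interim updates: without them updated_at never advances, so a device that silently dropped off keeps counting against the user until the one-hour window expires, and conversely a device that is still online would be excluded from the count once its last update is older than an hour.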


Please find below the screen capture confirming three active sessions for the user "".


Access Tracker >> Input >> Authorization Attributes will also reflect the active_session count.


The fourth client that tries to connect using the same account is denied access as per the policy.


Version history
Revision #: 2 of 2
Last update: 07-25-2017 09:44 AM

Good Morning,


I have followed this guide but I still cannot get it working; at first I thought it was my CPPM, so I reinstalled it twice. And I have these two questions I hope you could help me with.


How do I execute this line:

Accounting should be enabled with interim updates on the network devices (NAS).


And do you have any ideas why the counter Authorization:[Insight Repository]:active_sessions is always 0?



I have the same issue, active_sessions is always 0.


How can I check this?




I would recommend you to open a TAC case.


This is their answer on my problem:


Please find the summary of the session:


  • As reported, the users running concurrent sessions are not getting disconnected.
  • Upon verifying the configuration and comparing the Access Tracker entries, it was found that the Active Session was not getting updated.
  • Logged in to the Insight DB from the shell, checked the table and compared the query.
  • The query was correct, but was still not getting an output.
  • Broke down the query and tried one column at a time and found that usernames with the separator “\” were causing the problem.
  • When we use the separator “\” in the query, it doesn’t take that value; instead it takes the complete username, which is why it was failing to get the correct output.
  • I modified the query and added “<domainname>\\%{authentication:username}”
  • Tested the same and it worked. The users trying to initiate multiple sessions are getting rejected.

You might use a double \\ for the Postgres DB to acknowledge the separation.



Antonio Z.

Can I use the same example to limit TACACS user sessions? I would like to allow only 1 session to manage a device from a device group.

