Introduction- This is suitable for use cases where we want to restrict license usage. License usage would be restricted to 1 license per user.
Please note that this is not similar to simultaneous session restriction with number of devices set to 1.With simultaneous session restriction set to 1 if you disconnect the 1st device you can connect a different device, but with this logic you can only connect a single device for a period of time and any other device trying to authenticate with that username would be denied.
Environment- This article has been implemented and tested in ClearPass version 6.4.4
Configuration Steps- We are making use of Insight repository to get this to work. Make sure we have insight enabled on the specific node or any 1 node if the ClearPass servers are in cluster.
You can enable Insight under Administration>>ServerManager>>Server Configuration>>Click on the node where you want Insight Enabled>> Enable Insight(Check Box)
Please find the screenshot below to Enable Insight
We need to create a new filter in the Insight authentication source. You can navigate to Configuration>>Authentication>>Sources>>Choose [Insight Repository]
Once we choose Insight Repository we need to add a new filter under Attributes>>Add more filters as seen in the screenshot
Once we click on add more filters we would have a field called Filter Query where we need to put in the SQL query that implements the logic.
select
CASE
WHEN mac ='%{Connection:Client-Mac-Address-NoDelim}' THEN 'true'
WHEN mac IS NULL THEN 'true'
ELSE 'false'
END as Device_Allowed
from auth where username='%{Authentication:Username}' and error_code=0 and timestamp between (now() - interval '12 hours') and now() order by timestamp limit 1;
In this SQL query the Device_Allowed is the attribute that tells us if the device is allowed on the network. We need to configure a condition for the value of Device-Allowed which is the alias for Device_Allowed, if its false we need to deny the device. The Interval configured determines the period for which we are allowing only a single device.
The logic here is that we will retrieve the first authentication in the past 12 hours and we verify if the current client MAC address is equal to the MAC address of the first device that connected successfully in the past 12 hours.If its a different MAC address we deny the user authentication.
The Data type we are fetching in this case is Boolean. For an invalid user the Device-Allowed value is false and that is the condition we should be using in our policy as shown in the screenshot
We would deny any user that satisfies the above condition. This rule needs to be at the top in our Enforcement policy.
Answer- If we configure these steps in our service we can make sure that only a single device is allowed per user for a period of 12 hours be it in a 802.1x authentication or Guest authentication. Please note that the time period if configurable in the authentication source configuration.
Verification- If we have a user trying to connect with a different device with his username within 12 hours we would see that the Device-Allowed would be 'false' and the user would be denied based on our configuration.
Please find the screenshots taken during testing below
The user would be denied access based on our policy
