Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

SSID with time restrictions for waiting zones

  • 1.  SSID with time restrictions for waiting zones

    Posted Jun 03, 2019 09:07 AM

    Hello,

    I have two controllers - 7205 as a cluster, a CPPM 6.7.5.1028264, as well as Airwave in use.

    For waiting areas, I have created a new SSID, in which the terms and conditions only need to be confirmed and access is then available.

    However, I would like to limit the following:

    1. Access for 2 hours, then closed until 24:00

    2. No streaming services like YouTube, Netflix, etc.

    3. Terms and Conditions should be actively confirmed, so only after scrolling through the Terms and Conditions is there a button at the end to confirm.

    My biggest problem is the time restriction for only 2 hours a day.

    Does somebody have an idea? Thanks in advance for any help.



  • 2.  RE: SSID with time restrictions for waiting zones

    MVP EXPERT
    Posted Jun 03, 2019 05:33 PM

    I think this can work through a session termination of 2 hours in your ClearPass enforcement profile. To block specific applications you need a "webcc" licence on your WLAN controllers, or handle this with your WAN firewall.



  • 3.  RE: SSID with time restrictions for waiting zones

    Posted Jun 03, 2019 06:08 PM

    Hi Marcel,

    thank you for your answer. How do you think the enforcement profile should look? How can I terminate those sessions after 2 hours, block their MACs until 00:00 and then drop them?

    I have no clue how I can build this rule.

    Thanks in advance



  • 4.  RE: SSID with time restrictions for waiting zones

    MVP EXPERT
    Posted Jun 04, 2019 05:05 PM

    You can use the radius:ietf-session timeout in your enforcement profile.

    Be sure that you have COA configured correctly so ClearPass can send the enforcement to the controller.

    You can change the attribute string value to a value in seconds, or configure your guest repository correctly :)

    My advice is to first test the termination manually from the Access Tracker (change status and then termination). If the session terminates successfully, you have configured COA correctly and can use the radius:ietf-session termination value in your enforcement profile.

    Schermafbeelding 2019-06-04 om 22.59.01.png



  • 5.  RE: SSID with time restrictions for waiting zones

    Posted Jun 05, 2019 08:31 AM

    Hi Marcel,

    thank you very much. It looks like COA is not correctly configured.

    1. Session could not be terminated by changing the status.

    2. Request detail in Access Tracker says: failed to get value for attributes=[5].

    I have changed the value to %{authorization:[Guest User Repository]:5}

    It does not seem to be working.

    Best wishes



  • 6.  RE: SSID with time restrictions for waiting zones

    MVP EXPERT
    Posted Jun 05, 2019 05:50 PM

    Did you configure the ClearPass servers under the RFC 3576 (COA) server settings in the AAA profile on your WLAN controller?

    And in ClearPass under "configuration > network > devices" edit the WLAN controller NAD device to have:

    • Enable RADIUS Dynamic Authorization enabled
    • Vendor Name: Aruba

     Capture.JPG
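
Added example, not part of the thread and not Aruba's or ClearPass's code: a minimal builder and verifier for the Disconnect-Request that a RADIUS server sends to the NAS, following RFC 5176 (the successor to RFC 3576), showing why the request is dropped when the shared secret on the two sides differs. The secrets and the MAC address are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 5176 / RFC 2865.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
ATTR_CALLING_STATION_ID = 31  # client MAC, identifies the session to drop


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_request(code: int, ident: int, attrs, secret: bytes) -> bytes:
    """Build a Disconnect/CoA request as the RADIUS server would."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Check a request the way the NAS does before acting on it."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = hashlib.md5(
        packet[:4] + b"\x00" * 16 + packet[20:] + secret
    ).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    server_secret = b"constructed-secret-on-server"      # constructed value
    nas_secret_ok = b"constructed-secret-on-server"      # matches the server
    nas_secret_bad = b"constructed-secret-mistyped"      # mismatch on the NAS
    pkt = build_request(DISCONNECT_REQUEST, 1,
                        [(ATTR_CALLING_STATION_ID, b"AABBCCDDEEFF")],
                        server_secret)
    print("matching secret accepted:", verify_request(pkt, nas_secret_ok))
    print("mismatched secret accepted:", verify_request(pkt, nas_secret_bad))
```

A request that fails this check is discarded by the receiver, so the session stays up even though the server reports that it sent the termination.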



  • 7.  RE: SSID with time restrictions for waiting zones

    Posted Jun 26, 2019 03:30 AM

    Hi Marcel,

    thank you very much for your example. I have checked both the controller and ClearPass, and it looks like the config is OK.

    I want to change the password, but I'm not sure where I have to set it globally on my 7205 controller. On your pic the config on the mobility is in every AAA-Profile?

    Thank you very much