Question: How can I restrict the number of sessions per user on the controller?
Product and Software: This article applies to all ArubaOS versions.
By default, every user role created on the Aruba controller has the maximum sessions set to 65535:

#show rights test
Derived Role = 'test'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 65535

access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                          4

Expired Policies (due to time constraints) = 0

Max Sessions is the maximum number of sessions that a single user can have on the controller at one time. It is a particular concern on guest networks, which are typically configured as open systems. An attacker can mount a DoS attack on the controller by continuously initiating sessions to well-known ports (such as HTTP port 80). Because the default limit is 65535 sessions per user, nothing stops this attack, and the controller datapath can spike to high utilization and cause problems for valid clients connecting to the network.
Therefore, Aruba recommends restricting the maximum sessions under the user role to a reasonable value (such as 200). Any sessions that exceed this number are dropped and are not processed by the controller.

Configuration

(acws-ads-19) (config-role) #user-role test
(acws-ads-19) (config-role) #max-sessions ?
<0..65535>  Session Count
(acws-ads-19) (config-role) #max-sessions 200

(acws-ads-19) #show rights test
Derived Role = 'test'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 200

access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall

allowall
--------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          any      permit                           Low                                                          4

Expired Policies (due to time constraints) = 0
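On a controller with many user roles it is easy to miss one that is still at the 65535 default. The following audit script is an added example (not part of this article or of ArubaOS) that parses the text of one or more "show rights <role>" outputs in the format shown above, flags every role whose Max Sessions exceeds the chosen limit, and prints the two configuration commands from this article needed to fix each one. The two outputs embedded in it are constructed samples modelled on the output above; the 200-session limit is the value this article recommends and is passed in as a parameter.

```python
import re

# Constructed sample outputs, modelled on the "show rights <role>" format
# shown in this article: one role still at the default, one already restricted.
SAMPLE_OUTPUTS = [
    """Derived Role = 'guest'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 65535

access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall
""",
    """Derived Role = 'test'
Up BW:No Limit   Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 200

access-list List
----------------
Position  Name      Location
--------  ----      --------
1         allowall
""",
]

# The two fields the audit needs; anchored to line starts so that ACL
# columns containing similar words are never matched by mistake.
ROLE_RE = re.compile(r"^Derived Role = '([^']+)'", re.MULTILINE)
MAX_SESS_RE = re.compile(r"^Max Sessions = (\d+)\s*$", re.MULTILINE)


def parse_show_rights(text):
    """Return (role_name, max_sessions) from one 'show rights' output.

    Raises ValueError when either field is missing, so that a truncated
    capture is reported rather than silently treated as compliant.
    """
    role = ROLE_RE.search(text)
    sess = MAX_SESS_RE.search(text)
    if role is None or sess is None:
        raise ValueError("output does not look like 'show rights <role>'")
    return role.group(1), int(sess.group(1))


def remediation_commands(role, limit):
    """ArubaOS config-role commands from this article that apply the limit."""
    return [f"user-role {role}", f" max-sessions {limit}"]


def audit_max_sessions(outputs, limit=200):
    """Return a list of findings for roles whose Max Sessions exceeds `limit`.

    Each finding is a dict with the role name, the current value and the
    commands that would bring it to `limit`.
    """
    findings = []
    for text in outputs:
        role, value = parse_show_rights(text)
        if value > limit:
            findings.append({
                "role": role,
                "max_sessions": value,
                "fix": remediation_commands(role, limit),
            })
    return findings


if __name__ == "__main__":
    for f in audit_max_sessions(SAMPLE_OUTPUTS, limit=200):
        print(f"role {f['role']}: Max Sessions = {f['max_sessions']} exceeds 200")
        for cmd in f["fix"]:
            print("   ", cmd)
```

To use it against a real controller, capture "show rights <role>" for each role from a terminal session into text files and pass their contents to audit_max_sessions; it reports only which roles still exceed the limit and does not change any configuration itself.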
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.