How can I restrict the number of sessions per user on the controller? 

Jul 07, 2014 01:13 PM

Question: How can I restrict the number of sessions per user on the controller?

Product and Software: This article applies to all ArubaOS versions.

By default, every user role created on the Aruba controller has the maximum sessions set to 65535.
#show rights test
Derived Role = 'test'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 65535

access-list List
----------------
Position  Name    Location
--------  ----    --------
1        allowall
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1         any   any         any     permit                       Low                                                    4
Expired Policies (due to time constraints) = 0

Max Sessions is the maximum number of sessions that a user can have on the controller at a time. This matters especially on guest networks, which are typically configured with open system authentication. An attacker can mount a DoS attack on the controller by continuously initiating sessions to well-known ports (such as HTTP port 80). Because the default allows up to 65535 sessions per user, nothing stops the attacker from doing so. As a result, datapath utilization on the controller can spike to high values and cause issues for valid clients connecting to the network.

Therefore, Aruba recommends that the maximum sessions under the user role be restricted to a reasonable value (such as 200). Any sessions that exceed this number are dropped and are not processed by the controller.

Configuration
(acws-ads-19) (config-role) #user-role test
(acws-ads-19) (config-role) #max-sessions ?
<0..65535> Session Count
(acws-ads-19) (config-role) #max-sessions 200
(acws-ads-19) #show rights test
Derived Role = 'test'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 200

access-list List
----------------
Position  Name     Location
--------  ----     --------
1         allowall
allowall
--------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1         any    any         any     permit                      Low                                                     4
Expired Policies (due to time constraints) = 0
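To check a controller for roles still at the 65535 default, the `show rights` output above can be parsed and audited. The following Python script is an added example, not part of this article or of ArubaOS: it parses the `Derived Role` and `Max Sessions` lines from the output of `show rights` (the sample text below is constructed in the same format as the article's output, for two hypothetical roles) and reports every role whose limit exceeds the recommended value, together with the CLI commands from the Configuration section that would remediate it.

```python
import re
from typing import Dict, List

# Constructed sample: `show rights <role>` output for two hypothetical roles,
# in the same format the article shows. The access-list table lines are
# omitted here; the parser ignores any line it does not recognise.
SAMPLE_OUTPUT = """\
Derived Role = 'guest'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 48/0
Max Sessions = 65535

Derived Role = 'employee'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 49/0
Max Sessions = 200
"""

DEFAULT_MAX_SESSIONS = 65535      # ArubaOS default, as stated in the article
RECOMMENDED_MAX_SESSIONS = 200    # value the article recommends

ROLE_RE = re.compile(r"^Derived Role = '([^']+)'", re.MULTILINE)
MAX_SESSIONS_RE = re.compile(r"^Max Sessions = (\d+)", re.MULTILINE)


def parse_max_sessions(output: str) -> Dict[str, int]:
    """Map each role name in `show rights` output to its Max Sessions value.

    Roles whose block lacks a `Max Sessions` line are skipped rather than
    guessed, so a truncated capture never produces a false 'compliant' result.
    """
    roles: Dict[str, int] = {}
    # Each role block starts at a "Derived Role = ..." line; split on that.
    for block in re.split(r"(?m)^(?=Derived Role = )", output):
        role = ROLE_RE.search(block)
        limit = MAX_SESSIONS_RE.search(block)
        if role and limit:
            roles[role.group(1)] = int(limit.group(1))
    return roles


def audit_roles(roles: Dict[str, int],
                limit: int = RECOMMENDED_MAX_SESSIONS) -> Dict[str, int]:
    """Return only the roles whose Max Sessions exceed `limit`."""
    return {name: value for name, value in roles.items() if value > limit}


def remediation_commands(findings: Dict[str, int],
                         limit: int = RECOMMENDED_MAX_SESSIONS) -> List[str]:
    """Build the config-mode commands (per the article) that lower each role."""
    return [f"user-role {name}\n max-sessions {limit}" for name in sorted(findings)]


if __name__ == "__main__":
    found = audit_roles(parse_max_sessions(SAMPLE_OUTPUT))
    for name, value in found.items():
        tag = " (default)" if value == DEFAULT_MAX_SESSIONS else ""
        print(f"role {name!r}: Max Sessions = {value}{tag}")
    print("\n".join(remediation_commands(found)))
```

Run it against a saved capture of `show rights` for each role (for example, the output of a scripted `show rights <role>` loop) by replacing `SAMPLE_OUTPUT` with the file contents; the `re.split` on the `Derived Role` line is what lets one concatenated capture cover all roles.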
