How do we restrict the number of active sessions per user for 802.1x and Captive portal authentication methods?

Aruba Employee
Aruba Employee

This article explain means of restricting the active sessions per user for different authentication methods (dot1x and captive portal).


For 802.1x authentication, there is no means of restricting the active sessions per user, meaning, a user can log on to multiple client devices at the same time.


However, for captive portal authentication method, we can restrict number of active sessions per user to 1. We cannot change this number to anything else.


Environment : This article applies to all controller models and AOS versions 5.0 and higher.



  1. Navigate to Configuration> Authentication> L3 Authentication> Captive Portal Authentication
  2. Click the relevant captive portal profile
  3. Enable “Allow only one active user session” checkbox




(NS-Aruba-3200) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(NS-Aruba-3200) (config) #aaa authentication captive-portal default
(NS-Aruba-3200) (Captive Portal Authentication Profile "default") #single-session
(NS-Aruba-3200) (Captive Portal Authentication Profile "default") #end
(NS-Aruba-3200) #



(NS-Aruba-3200) #show aaa authentication captive-portal default
Captive Portal Authentication Profile "default"
Parameter                                          Value
---------                                          -----
Default Role                                       guest
Default Guest Role                                 guest
Server Group                                       default
Redirect Pause                                     10 sec
User Login                                         Enabled
Guest Login                                        Disabled
Logout popup window                                Enabled
Use HTTP for authentication                        Disabled
Logon wait minimum wait                            5 sec
Logon wait maximum wait                            10 sec
logon wait CPU utilization threshold               60 %
Max Authentication failures                        0
Show FQDN                                          Disabled
Authentication Protocol                            PAP
Login page                                         /auth/index.html
Welcome page                                       /auth/welcome.html
Show Welcome Page                                  Yes
Add switch IP address in the redirection URL       Disabled
Adding user vlan in redirection URL                Disabled
Add a controller interface in the redirection URL  N/A
Allow only one active user session                 Enabled
White List                                         N/A
Black List                                         N/A
Show the acceptable use policy page                Disabled
User idle timeout                                  N/A
Redirect URL                                       N/A
Bypass Apple Captive Network Assistant             Disabled
(NS-Aruba-3200) #


Version history
Revision #:
1 of 1
Last update:
‎07-16-2014 12:17 PM
Updated by:
Labels (1)

Is it possible to restict a user to login to only one device, using CPPM? 

restrict 802.1X device/session per user with NPS (NOT CLEARPA$$$) please.

NPS cannot provide this functionality...

hmm.. how its possible for me to restrict a dot1x username be authenticated only from one device(only the corporate laptops), not from their smart devices. provided our authentication souce is the Radius clearpass. 

You would need to utilize machine authentication and/or certs. 

Search Airheads
Showing results for 
Search instead for 
Did you mean: