Frequent Contributor I

CPPM: Service policy question about rule


I use non-Aruba NAS with Clearpass and need to limit user access as in the filed "simultaneous_use" of my guest account


My condition is trying to check %{GuestUser:session_limit} instead of fixed number like 3, but it does not seem to work


When I check INPUT data in the "access tracker" it correctly shows in authorization attributes
Authorization:[Endpoints Repository]:Unique-Device-Count    4, and in computed attributes GuestUser:simultaneous_use    2

That is my enforcement policy which does not seem to properly validate rule #1, why?   It works fine when I enter fixed number instead of %{GuestUser:session_limit}

Screen Shot 2017-02-16 at 10.47.07 AM.png



Re: CPPM: Service policy question about rule

Hmm.. Unique device count is number of devices registered in the endpoints database connected to that guest user. It is not the number of active sessions for that user.


Also - you are using session_limit instead of simultanous_use.

John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Frequent Contributor I

Re: CPPM: Service policy question about rule

That is what I want to achive compare number of devices registered with active sessions for that user so whatever is in simultanous_use for the particular guest in database is limititing that user.


I tried this and it also does not work:

 (Authorization:[Endpoints Repository]:Unique-Device-Count  GREATER_THAN  %{GuestUser:simultanous_use})

How to do the proper rule?

Frequent Contributor I

Re: CPPM: Service policy question about rule

Let me ask like that. Can I use %{GuestUser:simultaneous_use} as a value while making condition in a policy enforcemnt?

Search Airheads
Showing results for 
Search instead for 
Did you mean: