Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM: check the number of simultaneous devices for an access account

  • 1.  CPPM: check the number of simultaneous devices for an access account

    Posted Dec 23, 2014 12:16 PM

    Hi,

    There are several small companies in the same place; I have one CPPM, one Aruba Wi-Fi controller and one AD for all of them.

    Currently, PEAP-MSCHAP is used to authenticate a company (a group of people) (the same account for several people; I know it's not secure, but it's a special request from my customer).

    My customer asked me whether, with CPPM, it is possible to check the number of devices for one access account.

    Example:

    person1, person2, person3 etc. use the same credential, company1/pwd, to access the Wi-Fi network with each of their devices.

    He wants to limit the number of devices, for example 5 devices/day for company1; this maximum will be read from a field of AD (for example: description).

    I think we must use the endpoint database and a condition in the enforcement mapping policy, but I'm not sure. Do you have any ideas to help me?

    Regards

    Yann



  • 2.  RE: CPPM: check the number of simultaneous devices for an access account

    EMPLOYEE
    Posted Dec 23, 2014 12:19 PM

    You'll need to enable RADIUS accounting on your controller and also be sure that Insight is running.

    Make sure the Endpoints Repository and Insight are listed as authorization sources.

    You can then use the following in your enforcement to check:

    Authorization:[Endpoints Repository]:Unique-Device-Count     GREATER_THAN   X



  • 3.  RE: CPPM: check the number of simultaneous devices for an access account

    Posted Dec 30, 2014 02:18 AM

    Hi Cappalli,

    I tried to do this, but it doesn't work: in the "Access Tracker" the value "Unique-Device-Count" never increments. What is the definition of "Unique-Device-Count"?

    I found this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Concurrent-connections-limit/td-p/72154
    I will try this; I think it better meets my need.

    Regards

    Yann



  • 4.  RE: CPPM: check the number of simultaneous devices for an access account

    Posted Aug 30, 2018 06:14 AM

    Me too, now I have no solution for this case :(



  • 5.  RE: CPPM: check the number of simultaneous devices for an access account

    EMPLOYEE
    Posted Aug 30, 2018 08:52 AM

    You need to update the authentication username to the endpoint/MAC address after the successful authentication for the "Unique-Device-Count" to work/increment.

    The sample enforcement below will help you with the endpoint username update.

    username_update.jpg

    If your requirement is to restrict concurrent sessions, then I would recommend you follow the article below.

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-deny-access-for-authentication-request-based-on-session/ta-p/183304

    Use the query below instead of the one in the article. You can also change the interval in the query as required.

    select count(distinct calling_station_id) as active_sessions
    from radius_acct
    where end_time is null
      and username = '%{Authentication:Username}'
      and calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
      and updated_at > now() - interval '1 hour';

    Notes:

    • RADIUS accounting should be enabled on Controller >> ClearPass.
    • Insight should be enabled on ClearPass and mapped as an authorization source in the service.


  • 6.  RE: CPPM: check the number of simultaneous devices for an access account

    EMPLOYEE
    Posted Oct 01, 2020 09:03 AM

    The last post and the Insight DB filter are really useful to limit simultaneous devices logged in with the same AD user. I added a small modification to validate this only for a specific SSID, in case people use other WLANs with the same AD credentials for other purposes. The new filter, assuming "simultaneo" is the SSID name, is like this (in bold the added part of this filter):

    select count(distinct calling_station_id) as active_sessions
    from radius_acct
    where end_time is null
      and username = '%{Authentication:Username}'
      and calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
      and updated_at > now() - interval '1 hour'
      and 'simultaneo' = '%{Connection:SSID}';

    I hope this is useful. Regards!
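The two posted Insight queries (post 5 and the SSID variant in post 6), modelled offline as an added example that is not ClearPass or Aruba code: the radius_acct rows are constructed, the %{...} placeholders that ClearPass substitutes are bound parameters, and the PostgreSQL now() - interval '1 hour' is rewritten for SQLite so the check runs without a ClearPass server. It shows which accounting rows the filter counts (ended sessions, records older than the interval, the connecting device itself and duplicate MACs are all left out) and how the count feeds a deny decision.

```python
import sqlite3

# Same predicate as the posted Insight filter, with the two %{...} placeholders
# bound as parameters; now() - interval '1 hour' is rewritten for SQLite.
# The SSID clause compares the *current* connection's SSID with the literal,
# so it switches the check on or off; rows from other SSIDs are still counted.
ACTIVE_SESSIONS_SQL = """
select count(distinct calling_station_id) as active_sessions
from radius_acct
where end_time is null
  and username = :username
  and calling_station_id != :client_mac
  and updated_at > datetime('now', '-1 hour')
  and :required_ssid = :ssid
"""


def build_sample_db():
    """Constructed radius_acct table (not real ClearPass data)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table radius_acct (username text, calling_station_id text,"
               " end_time text, updated_at text)")
    rows = [  # (username, MAC, end_time, updated_at offset from now)
        ("company1", "aabbccddee01", None, "+0 seconds"),              # active
        ("company1", "aabbccddee02", None, "+0 seconds"),              # active
        ("company1", "aabbccddee02", None, "-5 minutes"),              # same MAC: counted once
        ("company1", "aabbccddee03", "2024-01-01 08:00:00", "+0 seconds"),  # ended
        ("company1", "aabbccddee04", None, "-2 hours"),                # stale: past the interval
        ("company2", "aabbccddee05", None, "+0 seconds"),              # another account
    ]
    db.executemany(
        "insert into radius_acct values (?, ?, ?, datetime('now', ?))", rows)
    return db


def active_sessions(db, username, client_mac, ssid, required_ssid="simultaneo"):
    """Other live devices on this account; 0 when the SSID clause is false."""
    params = dict(username=username, client_mac=client_mac,
                  ssid=ssid, required_ssid=required_ssid)
    return db.execute(ACTIVE_SESSIONS_SQL, params).fetchone()[0]


def should_deny(db, username, client_mac, ssid, limit):
    """Enforcement decision: deny when other devices already fill the limit."""
    return active_sessions(db, username, client_mac, ssid) >= limit


if __name__ == "__main__":
    db = build_sample_db()
    print(active_sessions(db, "company1", "aabbccddee09", "simultaneo"))  # 2
```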