Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - managing bandwidth quotas

  • 1.  ClearPass - managing bandwidth quotas

    MVP
    Posted Dec 16, 2013 05:53 AM

    I'm struggling a bit with enabling quotas for my guest users.

     

    I need to enable a daily limit of, let's say, 100MB for accounts that need to remain valid for a month. So basically a user that has used up 100MB should ideally be presented with a captive portal explaining he has used up his quota.

     

    For this I've configured a service with a Bandwidth Limit enforcement profile.

    This disconnects the user and changes him back to the logon role, but nothing is stopping the user from just logging back on again and continuing the downloads. After some time (related to the User Interim stats frequency on the controller?) he will get kicked off again, but he can just repeat this indefinitely.

     

    Ideally I would also be able to configure MAC authentication in there, but that seems to mess up the disconnect completely. Using MAC auth, even with the same bandwidth limit enforcement profile, users authenticated via MAC auth do not get disconnected at all. Even after downloading over 5 times the allowed quota over twice the 5 mins I set as User Interim stats frequency.

    If I then manually disconnect the user I do see a reauthentication using MAC auth, so my RFC 3576 does appear to be configured correctly. Of course, using the disconnect, the user is reconnecting immediately.

     

    So, can anybody explain to me:

    1) how to actually disable a user account / device until the daily limit resets

    2) why using MAC-auth this seems to fail completely?



  • 2.  RE: ClearPass - managing bandwidth quotas
    Best Answer

    Posted Dec 16, 2013 02:23 PM

    There is no quick answer to this.

     

    Without seeing your Services, both Guest Authentication and the MAC Cache, it is rather hard to give any advice.

     

    Needless to say this can get rather complicated as it is not natively built into the system.

     

    For example

    1) To control subsequent connections from a device that has exceeded its limits it is likely best to set a new Endpoint:<attribute> which can be tested at each connection - use the "ClearPass Entity Update Enforcement" within Profiles

     

    2) We need to understand how this account will be handled once it has exceeded - blocked, if so how long

     

    3) On subsequent connections the #1 attribute should come into play

     

    4) Following on from 2) how do you want to expire the account to allow subsequent connections?

     

    5) Using CoA Disconnect with an AOS Open SSID causes a Disassociate - this can be very detrimental to user experience if they have another "available" SSID

    Better to look at using CoA with FilterID (where this matches the AOS's User-Role) as this seamlessly changes the role. However, I believe this uses the "Lazy Poller" and could by default take up to 5 mins to kick in...

     

    Regards, Derin

     

     



  • 3.  RE: ClearPass - managing bandwidth quotas

    MVP
    Posted Dec 16, 2013 04:08 PM

    Well, there's nothing special in either service.

     

    I just need to allow daily access for up to 100MB. After that, the user should be blocked until a new day starts.

    All I have now is a bog-standard default service where I push the bandwidth enforcement profile for guest users, cache the MAC and then push the bandwidth profile again when that MAC authenticates.

     

    Ideally the account should remain "active" (not deleted) for a month, but when they exceed the daily bandwidth limit, it should be disabled until the next day.

     

    How do you see the attribute then? How can I reset it each and every day?

     

    From what I understand I do not have a choice to do a CoA with Filter-ID with the bandwidth limit enforcement profile. The only option I appear to have within that is disconnect.

     

    We're talking about a satellite link, so I'm sure we could live with the 5 minutes delay. They won't be able to download much in that time anyway. The main point is getting the bandwidth limit enforced and then reset every day without being too much of a hassle for the users.

     



  • 4.  RE: ClearPass - managing bandwidth quotas

    MVP
    Posted Dec 18, 2013 04:25 AM

    Nobody that has a working bandwidth / quota control implementation and some advice? :smileysad:



  • 5.  RE: ClearPass - managing bandwidth quotas

    Posted Jun 18, 2014 09:49 PM

    Well, I have confirmed the same issue: the download limit does not work, at least with a MAC auth'd service. My clients were able to go well past the download limit even though RADIUS accounting messages were being received and updated.

     

    I have to disagree with anyone that says this is complex - this is old RADIUS functionality that has been around almost 20 years, it was very important back in the 56k dialup days!



  • 6.  RE: ClearPass - managing bandwidth quotas

    MVP
    Posted Jun 20, 2014 09:25 AM

    We got this fixed in the end as well.. took some time back and forth with support but we got there.

      

    The solution went something like this:

    Add the Blacklist user repository as an authorization source in your service. Then add inside this blacklist source an extra variable (sql query) to pull time info relative to time.

     

     

    I will admit the procedure could use some coding attention to make it more straightforward, but until then just get TAC to help you reach your goals. They have so far always managed to help me with my sometimes weird requests.

     

     



  • 7.  RE: ClearPass - managing bandwidth quotas

    Posted Jul 13, 2014 11:09 PM

    Andrea and koenv,

     

    You posted different solutions to the same problem, which one is correct/recommended by Aruba? I am having no luck with my support case so far.

     

    rgds,


    Ben



  • 8.  RE: ClearPass - managing bandwidth quotas

    Posted Jul 14, 2014 12:00 AM

    I have tried adding the blacklist repository as both authentication and authorization sources and neither had an effect.

     

    There is just no response to the limit being exceeded even when the accounting logs clearly show it.

     



  • 9.  RE: ClearPass - managing bandwidth quotas

    EMPLOYEE
    Posted Jul 14, 2014 01:33 AM

    Couple things.

     

    #1 Make sure your CoA is working.

     

    #2 You need to make sure your enforcement uses the limits. If you use the service templates it should automatically add the bandwidth quota and disconnect when the user hits the limit.

     

    [screenshot attached]

     

    You can also use the blacklisted as an authorization, but you need to add a rule to the enforcement.

     

     



  • 10.  RE: ClearPass - managing bandwidth quotas

    Posted Jul 15, 2014 04:12 AM

    Hi Tarnold,

     

    Both already checked and working. 

     

    Whilst no action is taken by ClearPass, I did actually find a log in Access Tracker which showed something. One of the tabs showed that the enforcement profile had been triggered (under RADIUS output?), but again we saw no evidence of a CoA action or a disconnect.

     

    At this stage I would just like to reproduce a working config from another user.



  • 11.  RE: ClearPass - managing bandwidth quotas

    Posted Jun 01, 2018 06:45 AM

    I'm with the same problem, could you take some screenshots of your solution?

     

    Kind regards,

    Thomas Willems



  • 12.  RE: ClearPass - managing bandwidth quotas

    Posted Sep 11, 2018 09:16 PM

    I'm also curious about this solution. After the user exceeds the limit, they are blacklisted. This is expected-- but no CoA is being sent. So part of the enforcement profiles are working, but the disconnect is never happening.

     

    I have confirmed that CoA is not the issue. I can disconnect the user manually using Access Tracker.

    The only difference from the other folks is that I'm using an Open SSID with Open SSID accounting enabled.



  • 13.  RE: ClearPass - managing bandwidth quotas

    EMPLOYEE
    Posted Sep 11, 2018 09:42 PM
    Please work with TAC. Also keep in mind that the Disconnect function is a Disconnect Message, not a CoA.


  • 14.  RE: ClearPass - managing bandwidth quotas

    Posted Sep 11, 2018 09:53 PM

    That does not line up with documentation here https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Enforce/EPSession_Restrictions.htm

    Just FYI if you weren't aware.

    Unfortunate that I need to involve TAC in something that is canned within CPPM, and documented.



  • 15.  RE: ClearPass - managing bandwidth quotas

    EMPLOYEE
    Posted Sep 11, 2018 10:00 PM
    If something is not working in your environment, TAC can help diagnose. That's why they're there.

    Regarding the link, I'll get that fixed. Just a minor oversight on a term.


  • 16.  RE: ClearPass - managing bandwidth quotas

    Posted Sep 11, 2018 10:03 PM

    Thanks!

    Can you at least confirm the config is correct? I should only need to have the post_auth attributes set? ..it's just not working for whatever reason?



  • 17.  RE: ClearPass - managing bandwidth quotas

    EMPLOYEE
    Posted Sep 11, 2018 10:29 PM
    Yes, at quick glance, they look correct. You have Insight enabled, correct?


  • 18.  RE: ClearPass - managing bandwidth quotas

    Posted Sep 11, 2018 10:37 PM

    Yes. The session bandwidth limit is hitting and the user is getting blacklisted, just no disconnect. 

     

    I'm using the canned Social Login service. I can CoA the user from Access Tracker. I'm not even seeing a CoA attempt in the Access Tracker, pass/fail.

     

    I've attached Enforcement Policy and Profile-- Do I need to enable an authorization source? (Canned service doesn't have any authorization sources)

    I don't mind calling TAC I was just sure this should have been a quick one.



  • 19.  RE: ClearPass - managing bandwidth quotas

    EMPLOYEE
    Posted Sep 11, 2018 10:53 PM
    It uses a Disconnect not a CoA. Can you confirm the Disconnect works from Access Tracker and you see a subsequent re-auth? (Terminate Session)


  • 20.  RE: ClearPass - managing bandwidth quotas

    Posted Sep 11, 2018 11:00 PM

    Ok. I guess I don't understand this as much as I thought. The only option I have is ArubaOS Wireless - Terminate Session (RADIUS CoA). [and bounce switchport of course]

     

    It sounds like I should have other options. Screen attached.



  • 21.  RE: ClearPass - managing bandwidth quotas

    EMPLOYEE
    Posted Sep 11, 2018 11:50 PM
    Terminate Session is the Disconnect Message.


  • 22.  RE: ClearPass - managing bandwidth quotas

    Posted Sep 11, 2018 11:55 PM
    Oh. That's confusing.

    Yeah, that works without issue.


  • 23.  RE: ClearPass - managing bandwidth quotas

    Posted Sep 20, 2018 05:21 PM

    5 hours of TAC later, we found that it was a bug in at least CPPM 6.7.5. Perhaps you can pass this along to the people that need to see it, Tim.

    If you have a NAD device defined with an IP range. 192.168.199.10-13 in my case. CPPM cannot identify the vendor ID even though it's selected in the Network Device properties. So, CPPM never sends the disconnect request.

     

    To rectify, create individual entries for each NAD. In my case that was the two VRRP addresses of the controllers.

    EDIT: I wanted to be clear that the disconnect from Access Tracker worked fine-- Just not a post auth disconnect via an enforcement profile prior to the change.



  • 24.  RE: ClearPass - managing bandwidth quotas

    Posted Oct 09, 2018 10:05 PM

    Hello friends.

     

    My case is quite similar to yours.  We have CPPM 6.7.5 with User and MAC AUTH. After the user exceeds his bandwidth he is disconnected (COA) and entered into the BLACKLIST.

     

    The problem is that after adding the blacklist as an authentication method and creating the role mapping (authen source = blacklist repository --> deny), all users are denied access,  even if they are not inside the blacklist repository.

     

    Can someone recommend some way to improve this? I will be eternally grateful.



  • 25.  RE: ClearPass - managing bandwidth quotas

    Posted Oct 09, 2018 10:09 PM
    Set an authorization source as the blacklist repository, set a role mapping for blacklisted users, then in the enforcement policy: if TIPS Role = "blacklisted" then deny.


  • 26.  RE: ClearPass - managing bandwidth quotas

    Posted Oct 09, 2018 10:18 PM

    Thanks for your prompt response.

     

    I think we did that and it did not work. We configured it as in the attached image in ROLE MAPPING, and in the ENFORCEMENT POLICY we added TIPS - ROLE-EQUALS-OTHERS ---> DENY ACCESS.

     

    Any other recommendation?



  • 27.  RE: ClearPass - managing bandwidth quotas

    Posted Oct 09, 2018 10:38 PM
    If you're acting on the particular role based on that particular authorization source, I don't see how it could be denying all users.


  • 28.  RE: ClearPass - managing bandwidth quotas

    Posted Oct 09, 2018 10:56 PM

    Yes, I'm pretty confused and doing tests to see how to solve it.

     

    Can you help me with another query: how long does a user stay inside the blacklist, and can I modify that value in CPPM?

     

    And again thanks for everything.



  • 29.  RE: ClearPass - managing bandwidth quotas

    Posted Jun 20, 2014 02:25 AM

    Hi,

    I got it working, but actually I've opened a post about how to remove the blacklisted user.

     

    so:

     

    1- you will have

    Authentication Sources - [Blacklist User Repository]


    2- In the auth tab of the web login page you will put the blacklist user repository before the guest user repository.

     

    3- You will have a RADIUS and a MAC-auth service in which you will have the enforcement profile.

     

    ---- how it works ----

     

    You have a 30-day enforcement profile that says if the bandwidth or session limit is exceeded, "disconnect & block" (this will put the user in the blacklist).

     

    Users cannot reconnect because you also put the blacklist repo in the web page login.

     

    You will have a POST_Auth enforcement like this (mine is a daily limit):

     

    Session-Check          Allowed-Duration = 2

    Session-Check          Duration-Units = Hours

    Session-Check          Check-Type = Daily

    Post-Auth-Check       Action = Disconnect and Block Access



  • 30.  RE: ClearPass - managing bandwidth quotas

    Posted Jun 23, 2014 09:08 AM

    Hello,
    my name is Andrea, and I have the same issue... I don't know how to refresh the limit every day.
    Have you found a solution?

     

    best regards

    thanks in advance

     

    Andrea

    PS: are you Italian like me?

     



  • 31.  RE: ClearPass - managing bandwidth quotas

    Posted Jun 23, 2014 09:09 AM

    Hi,

    Yes, I'm Italian like you and I still have an open ticket with the support...



  • 32.  RE: ClearPass - managing bandwidth quotas

    Posted Jun 30, 2014 02:17 AM

    Hi,

    now all is working as expected:

     

    The enforcement limit sets the daily limit, and if it is exceeded users will be put in the blacklist for more than 24 hours.

     

    I opened a ticket with support and now I know that the blacklisted user is removed during the cleanup interval if blacklisted for more than 24 hours...

     

    So if a user is blacklisted at 8:00 am today you would expect that tomorrow at 9:00 they will be removed, but the cleanup interval runs at night, so they will be removed tomorrow night.
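The mechanism the thread converges on (post 29's "disconnect & block" enforcement fed by accounting, the blacklist repository refusing re-authentication, and post 32's nightly cleanup that only purges entries older than 24 hours) can be modelled to see why a user blocked at 08:00 is not freed until the night after next. The code below is an added illustration written for this page, not ClearPass's own code or the poster's configuration. It assumes that the quota is measured from the cumulative RADIUS Acct-Input-Octets and Acct-Output-Octets counters in Interim-Update messages, that the nightly cleanup runs at 02:00 (the page does not state a time), and that "100MB" means 100 * 1024 * 1024 bytes; the user name, session ids and byte counts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

MB = 1024 * 1024                          # assumed interpretation of "MB"
DAILY_QUOTA_BYTES = 100 * MB              # the 100MB/day limit from the original post
BLACKLIST_MIN_AGE = timedelta(hours=24)   # thread: purged only if blacklisted > 24 h
CLEANUP_TIME = time(2, 0)                 # ASSUMED nightly cleanup time (not on the page)


@dataclass
class QuotaEnforcer:
    # (user, date) -> {session_id: highest cumulative octet count seen in that session}
    usage: dict = field(default_factory=dict)
    # user -> datetime at which the user was blacklisted
    blacklist: dict = field(default_factory=dict)

    def access_request(self, user: str) -> str:
        """Authentication with the blacklist repository as an authorization source:
        a blacklisted user is refused before a new session can start."""
        return "reject" if user in self.blacklist else "accept"

    def daily_total(self, user: str, day) -> int:
        """Sum the per-session high-water marks for one calendar day, so a user who
        simply reconnects (fresh session, counters restart at 0) cannot dodge the quota."""
        return sum(self.usage.get((user, day), {}).values())

    def interim_update(self, user: str, when: datetime, session_id: str,
                       acct_input_octets: int, acct_output_octets: int) -> str:
        """Process one RADIUS Interim-Update. Returns 'allow' or 'disconnect-and-block'."""
        sessions = self.usage.setdefault((user, when.date()), {})
        sessions[session_id] = max(sessions.get(session_id, 0),
                                   acct_input_octets + acct_output_octets)
        if self.daily_total(user, when.date()) > DAILY_QUOTA_BYTES:
            self.blacklist.setdefault(user, when)   # keep the first blacklisting time
            return "disconnect-and-block"
        return "allow"

    def cleanup(self, when: datetime) -> list:
        """Nightly cleanup: remove only entries blacklisted more than 24 h before `when`."""
        removed = [u for u, t in self.blacklist.items() if when - t > BLACKLIST_MIN_AGE]
        for u in removed:
            del self.blacklist[u]
        return removed


def next_cleanup_after(t: datetime) -> datetime:
    run = datetime.combine(t.date(), CLEANUP_TIME)
    return run if run > t else run + timedelta(days=1)


def effective_unblock_time(blacklisted_at: datetime) -> datetime:
    """First cleanup run at which the entry is old enough to be purged."""
    run = next_cleanup_after(blacklisted_at)
    while run - blacklisted_at <= BLACKLIST_MIN_AGE:
        run += timedelta(days=1)
    return run


def walkthrough() -> dict:
    """Constructed scenario: guest1 crosses 100MB on 30 Jun 2014 at 08:00."""
    e = QuotaEnforcer()
    t0 = datetime(2014, 6, 30, 7, 0)
    actions = [
        e.interim_update("guest1", t0, "sess-A", 30 * MB, 5 * MB),                           # 35MB
        e.interim_update("guest1", t0 + timedelta(minutes=20), "sess-A", 60 * MB, 5 * MB),   # 65MB
        # the user is bounced and reconnects: new session, counters restart at zero
        e.interim_update("guest1", t0 + timedelta(minutes=40), "sess-B", 30 * MB, 2 * MB),   # 97MB
        e.interim_update("guest1", t0 + timedelta(hours=1), "sess-B", 40 * MB, 2 * MB),      # 107MB
    ]
    blocked_at = e.blacklist["guest1"]
    refused = e.access_request("guest1")
    first_night = e.cleanup(datetime(2014, 7, 1, 2, 0))    # entry is 18 h old: stays
    second_night = e.cleanup(datetime(2014, 7, 2, 2, 0))   # entry is 42 h old: purged
    return {
        "actions": actions,
        "blocked_at": blocked_at,
        "refused_while_blocked": refused,
        "removed_first_night": first_night,
        "removed_second_night": second_night,
        "predicted_unblock": effective_unblock_time(blocked_at),
        "accepted_after_cleanup": e.access_request("guest1"),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Two points the model makes visible: the daily total is summed across sessions, which is what stops the reconnect-and-continue loop from the first post (per-session counters alone would reset on every login), and the blacklist age check combined with a fixed nightly cleanup stretches the "24 hours" into roughly 42 hours for a morning blacklisting, exactly the surprise described above.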