Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

  • 1.  Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted Apr 28, 2014 09:47 AM

    Hi Guys,

    I would like to build a service under CPPM that will allow each MAC ADDRESS that is self-registering to log in to the service for 1 hour each 24 hours (each day). If the client tries to re-register on the same day with the same device (MAC ADDRESS), I want CPPM to reject it.

    Can anyone advise me how to accomplish that? I've been stuck on this for more than a week, with no success.

    I did some reading here:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-Guest-MAC-Caching-Deny-Disabled-Guests/td-p/114909

    Thanks in advance,

    me



  • 2.  RE: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted Apr 29, 2014 10:31 AM

    I have an open ticket on a similar config and support is still working on it.



  • 3.  RE: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted Apr 29, 2014 01:01 PM

    Also here (also opened a TAC ticket).



  • 4.  RE: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted Apr 29, 2014 08:50 PM

    What type of NAS are you doing with this?

    Is this for an open SSID or a secured one?

    Are you wanting to DENY the user on the MAC-Check service or during a captive-portal authentication?

    You should be able to do this with some configurations.



  • 5.  RE: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted Apr 30, 2014 12:15 AM

    What type of NAS are you doing with this?

    Aruba Controller.

    Is this for an open SSID or a secured one?

    Open.

    Are you wanting to DENY the user on the MAC-Check service or during a captive-portal authentication?

    I would like to deny the user the ability to re-use the same device (MAC) after 30 min per day (it doesn't matter which username he is entering or creating).

    You should be able to do this with some configurations.

    I hope so... but so far I'm stuck. :( :(



  • 6.  RE: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted Apr 30, 2014 05:24 AM

    OK, so this is mostly theory, so no screenshots, but try the following...

    Self registration page creates accounts with a logon lifetime of 1 hour.

    Amend the Clearpass service so that upon successful logon (after the self registration) the Endpoint entry is updated (in an Enforcement profile) with an attribute to say they have used their quota. (You would need to add this attribute under the Administration -> Dictionaries -> Attributes section for the Endpoint entity.)

    The Clearpass service which allows the login is amended to check that the attribute doesn't exist before allowing access. If it does exist, you know the MAC address has been used previously and it is rejected.

    You would then need to amend the Cleanup intervals for known/unknown Endpoints (depending on whether you make them known or not) to 1 day so that they are cleared overnight, allowing the same MAC to create an account the next day.

    There is probably a flaw in this, so let us know if this doesn't fit the model.
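
A small model of the logic proposed in post 6, added here as an example; it is not ClearPass configuration and not code from any poster. It shows how the two possible readings of the 1-day cleanup differ for a device that registers late at night. The attribute name `Quota-Used`, the class and function names, and both cleanup behaviours are assumptions, and the timeline is constructed.

```python
from datetime import datetime, timedelta

LOGON_LIFETIME = timedelta(hours=1)  # account lifetime from the self-registration page
CLEANUP_AGE = timedelta(days=1)      # endpoint cleanup interval suggested in the post
QUOTA_ATTR = "Quota-Used"            # hypothetical custom Endpoint attribute name

def normalise_mac(mac):
    """Reduce aa:bb.., AA-BB.. and aabb.ccdd.. forms to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class EndpointStore:
    """Toy endpoint repository: MAC -> attributes plus the time the entry was added."""

    def __init__(self):
        self.entries = {}

    def web_login(self, mac, now):
        """Enforcement for the captive-portal login that follows self-registration."""
        key = normalise_mac(mac)
        if self.entries.get(key, {}).get(QUOTA_ATTR):
            return ("REJECT", None)  # attribute exists: this MAC already had its hour
        self.entries[key] = {QUOTA_ATTR: True, "added": now}
        return ("ACCEPT", now + LOGON_LIFETIME)  # session ends with the account lifetime

    def cleanup_by_age(self, now):
        """Reading 1: drop entries at least CLEANUP_AGE old (rolling 24 hours)."""
        self.entries = {k: v for k, v in self.entries.items()
                        if now - v["added"] < CLEANUP_AGE}

    def cleanup_all(self):
        """Reading 2: wipe every entry at the nightly run (calendar-day reset)."""
        self.entries.clear()

def replay(nightly_wipe):
    """Constructed timeline: login 23:30, retry 23:45, cleanup 02:00, retry 08:00."""
    store, day = EndpointStore(), datetime(2014, 4, 30)
    results = [store.web_login("AA:BB:CC:00:11:22", day.replace(hour=23, minute=30))[0],
               store.web_login("aa-bb-cc-00-11-22", day.replace(hour=23, minute=45))[0]]
    night = day + timedelta(days=1, hours=2)
    if nightly_wipe:
        store.cleanup_all()
    else:
        store.cleanup_by_age(night)
    results.append(store.web_login("aabb.cc00.1122", night + timedelta(hours=6))[0])
    return results
```

With a nightly wipe the 23:30 device is accepted again at 08:00; with age-based cleanup it stays rejected until its entry is 24 hours old.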



  • 7.  RE: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted Apr 30, 2014 12:44 AM
    Such an odd request. Don't know what sector your company is in. So you basically only want to give a device access for 30 min per day (resets at midnight) after the user completes a captive portal form?

    So if I'm correct, you should be able to use the Insight database for this.

    I apologize for not having the exact info in here. I'll try to post the exact info tomorrow.

    You should be able to use the logon count variable > 1 and then use Insight mins since auth less than 30.

    I'm not sure how strict you want to be, but you might need some enforcement policies that dynamically update time left.

    Might need some more custom code if this isn't quite what you're looking for.


  • 8.  RE: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

    Posted May 07, 2014 01:13 AM

    If you want to use a BW limit rather than a time limit, take care of the following.

    There is a bug already opened for the issue “CoA not triggered for users reaching the BW limit”, and the issue is going to be fixed in 6.3.2 as per the engineering update. The bug number for your reference is 23058.