
Clearpass User and Device custom limit -- October-MHC


I need to bypass the bandwidth enforcement limit applied for the NAS because some guests need to be "unlimited".


I have two services, one for mac-auth and one for radius-auth.

(in this tutorial I skip web-auth rules)



Normally my guests are created from the self-service portal login and they have different bandwidth restrictions depending on the NAS where they are connecting.


Now some customers want some users to become "power users" and skip the bandwidth limit I set on various nap's services.


1) Custom Role_ID

The first step is adding the Role_Id column in the guest account manager and modifying this field for the users we want to elect as "unlimited".




Once we've done this, we have to clean up the endpoint associated with this user

(we can go under config -- identity -- endpoint and use a filter like "attribute contains username containing 338").


2) Radius-Auth

Now we can try a new logon.

The first service matched will be mac-auth, but now the endpoint doesn't exist, so the next rule will be matched: Radius Auth.



As you can see from the previous image, the mapping feature will set the role "UtentiSenzaLimiti" because the guest roleid is = 2, and the enforcement profile will update the endpoint id, as we can see in the next image.

endpoint update.JPG


3) MAC-Auth

So now mac-auth will also work (the mac-auth detail follows).




4) Debug

If I run some login tests, I can see in the logs that everything is working as expected.


Radius Debug


Mac-Auth Debug



Andrea Consadori
ACMP 5.0 and 6.3
