Clearpass User and Device custom limit -- October-MHC
10-09-2014 11:35 PM - edited 10-10-2014 05:01 AM
Introduction:
I need to bypass the bandwidth enforcement limit applied per NAS because some guests need to be "unlimited".
I have two services, one for MAC-auth and one for RADIUS-auth
(in this tutorial I skip the web-auth rules).
Normally my guests are created from the self-service portal login and they have different bandwidth restrictions depending on the NAS they are connecting to.
Now some customers want some users to become "power users" and skip the bandwidth limit I set on the various nap's services.
1) Custom Role_ID
The first step is adding the Role_Id column in the guest account manager and modifying this field for the users we want to elect as "unlimited".
Once we've done this, we have to clean up the endpoint associated with this user
(we can go under config -- identity -- endpoint and use a filter like "attribute contains username containing 338").
2) Radius-Auth
Now we can try a new logon.
The first service matched will be MAC-auth, but now the endpoint doesn't exist, so the next rule will match: RADIUS-auth.
As you can see from the previous image, the mapping feature will set the role "UtentiSenzaLimiti" because the guest roleid is = 2, and the enforcement profile will update the endpoint id, as we can see in the next image.
3) MAC-Auth
So now MAC-auth will also work (the MAC-auth detail follows).
4) Debug
If I run some login tests, I can see in the logs that everything is working as expected.
Radius Debug
Mac-Auth Debug
ACMP 5.0 and 6.3
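The service order described in steps 1 to 3, as an added example that is not part of the original post and is not ClearPass code: a small Python model of the MAC-auth and RADIUS-auth services showing the endpoint cleanup in step 1. The role name `GuestLimited`, the username, the MAC address, the data structures, and the assumption that a stale endpoint keeps returning its previously stored role are all hypothetical.

```python
# Toy model of the two-service flow in the post; not ClearPass code or API.
UNLIMITED_ROLE_ID = 2                   # from the post: guest roleid = 2
UNLIMITED_ROLE = "UtentiSenzaLimiti"    # role name from the post
LIMITED_ROLE = "GuestLimited"           # hypothetical name for the default role

guests = {"guest338": {"role_id": 1}}   # constructed guest account
endpoints = {}                          # MAC -> attributes stored at last RADIUS auth


def mac_auth(mac):
    """MAC-auth service: only matches an endpoint that is already known."""
    ep = endpoints.get(mac)
    return ep["role"] if ep else None


def radius_auth(mac, username):
    """RADIUS-auth service: map the role from Role_ID, then update the endpoint."""
    is_unlimited = guests[username]["role_id"] == UNLIMITED_ROLE_ID
    role = UNLIMITED_ROLE if is_unlimited else LIMITED_ROLE
    endpoints[mac] = {"username": username, "role": role}
    return role


def login(mac, username):
    """Services are tried in order: MAC-auth first, RADIUS-auth if it does not match."""
    role = mac_auth(mac)
    if role is not None:
        return ("mac-auth", role)
    return ("radius-auth", radius_auth(mac, username))


def demo():
    mac = "aa:bb:cc:dd:ee:ff"                          # constructed MAC address
    endpoints.clear()
    guests["guest338"]["role_id"] = 1                  # start as a limited guest
    results = [login(mac, "guest338")]                 # first login
    guests["guest338"]["role_id"] = UNLIMITED_ROLE_ID  # step 1: edit Role_ID
    results.append(login(mac, "guest338"))             # assumed: stale endpoint wins
    endpoints.pop(mac)                                 # step 1: clean up the endpoint
    results.append(login(mac, "guest338"))             # step 2: RADIUS-auth remaps
    results.append(login(mac, "guest338"))             # step 3: MAC-auth is unlimited
    return results


if __name__ == "__main__":
    for service, role in demo():
        print(f"{service:12} -> {role}")
```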