Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass add cumulative usage to user attribute

  • 1.  Clearpass add cumulative usage to user attribute

    Posted May 29, 2018 03:17 PM

    Hi,

     

    For a potential customer I'm looking for a way to limit a single user with multiple devices to a max amount of download bandwidth (say 200MB).

    Authentication needs to be WPA Enterprise so I cannot use the guest user repository. Max download bandwidth needs to be cumulative for all devices and be reset at midnight (easy part :) ) and a user is not allowed to go past his daily quota, so I cannot use the endpoint repository, and accounting is reset with every new session.

     

    So I was thinking about adding an attribute called usage to the local user, but I cannot figure out how I can use this in an enforcement profile so I can update this attribute in a post-authentication enforcement (usage = %{localuser:usage}+accounting usage), and I cannot find an enforcement profile type to do this (or even create the attribute the first time the user logs on).

     

    PoC will be configured 30/5/2018 (I know it's short day) and the Aruba SEs involved are all saying it's theoretically possible, but I cannot find any input here or on Arubapedia on how to do this. There's a thread from mpgioia: http://community.arubanetworks.com/t5/Security/CPPM-Local-User-DB-Attribute-Designation-Enforcement-Profile/m-p/267109#M26021 Unfortunately there's no explanation on how to do the SQL filter query on new attributes and he got around using the attribute in the enforcement policy, not the enforcement profile.

     

    I will start setting up the PoC with regular Guest User and Regular onboarding because the requested functionality more or less exists by default. Hopefully I can get some useful info during the day to add.

     

    Thanks, Erik



  • 2.  RE: Clearpass add cumulative usage to user attribute

    Posted May 29, 2018 08:31 PM

    You need to create a new SQL authentication source pointing to insightdb. For this source, the authorization source will be the insight repository, so make sure insight is enabled on the CPPM node. I am not good at writing SQL queries but did the below for a customer to allow them (each mac address) 2 hours access in 7 days time:

    1. select case WHEN sum (duration) > 7200 THEN 'true' ELSE 'false' END from radius_acct where start_time BETWEEN date_trunc('days', now()) and date_trunc('days', now() + interval '7 days' ) AND calling_station_id = lower('%{Connection:Client-Mac-Address-NoDelim}') and ssid = 'XXX';
    2. select (7200 - sum (duration)) as remaining_time from radius_acct where start_time BETWEEN date_trunc('days', now()) and date_trunc('days', now() + interval '7 days' ) AND calling_station_id = lower('%{Connection:Client-Mac-Address-NoDelim}') and ssid = 'XXX';

     

    This will probably give you an idea how to proceed.



  • 3.  RE: Clearpass add cumulative usage to user attribute

    Posted May 29, 2018 08:38 PM

    Adding screenshots..



  • 4.  RE: Clearpass add cumulative usage to user attribute

    Posted May 30, 2018 04:32 AM

    Hi JayBee,

     

    Thanks for this. Unfortunately I cannot find any documentation on how to collect usage. You wouldn't know what to replace (duration) with, by any chance?

    Time is very well documented when used in SQL queries on Insight in Clearpass. Everything else is quite difficult to find.

     

    Rgds, Erik
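
Added example, not part of the thread and not ClearPass's own schema: the per-MAC time check from reply 2 reworked in PostgreSQL as a per-user byte total since midnight across all of a user's devices. The table is a constructed stand-in, and the `username` and `output_bytes` column names and the decimal 200 MB threshold are assumptions to check against the Insight `radius_acct` table.

```sql
-- Constructed stand-in for the Insight accounting table (assumed columns).
CREATE TEMP TABLE radius_acct_sample (
    username           text,
    calling_station_id text,
    ssid               text,
    start_time         timestamptz,
    duration           integer,  -- seconds, as used in reply 2
    output_bytes       bigint    -- assumed name for bytes sent to the client
);

-- Constructed rows: erik uses two devices today and has one older session
-- that must not count towards today's quota; anna has one small session.
INSERT INTO radius_acct_sample VALUES
  ('erik', 'aabbccddeeff', 'XXX', date_trunc('day', now()) + interval '1 minute',  600, 120000000),
  ('erik', '112233445566', 'XXX', date_trunc('day', now()) + interval '2 minutes', 300,  90000000),
  ('erik', 'aabbccddeeff', 'XXX', date_trunc('day', now()) - interval '1 hour',    900, 500000000),
  ('anna', '0a0b0c0d0e0f', 'XXX', date_trunc('day', now()) + interval '1 minute',  120,  10000000);

-- Quota is keyed on username, not calling_station_id, so every device of the
-- same user adds to one total. The window starts at local midnight, which is
-- what makes the counter reset daily. COALESCE covers a user with no sessions
-- yet today: SUM over zero rows is NULL, and a NULL comparison would otherwise
-- leave the quota flag undefined.
SELECT u.username,
       COALESCE(SUM(a.output_bytes), 0)                         AS used_bytes,
       COALESCE(SUM(a.output_bytes), 0) >= 200 * 1000 * 1000    AS over_quota,
       GREATEST(200 * 1000 * 1000
                - COALESCE(SUM(a.output_bytes), 0), 0)          AS remaining_bytes
FROM (VALUES ('erik'), ('anna'), ('newuser')) AS u(username)
LEFT JOIN radius_acct_sample a
       ON a.username   = u.username
      AND a.start_time >= date_trunc('day', now())
      AND a.ssid       = 'XXX'
GROUP BY u.username
ORDER BY u.username;

-- In an authorization-source filter the VALUES list would be replaced by a
-- single substituted value, in the same way reply 2 substitutes
-- %{Connection:Client-Mac-Address-NoDelim} for the MAC address.
```

A filter of this kind is evaluated when the user authenticates, so it only sees usage that accounting has already recorded.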