Frequent Contributor I

Clearpass add cumulative usage to user attribute

Hi,

 

For a potential customer I'm looking for a way to limit a single user with multiple devices to a max amount of download bandwidth (say 200MB).

Authentication needs to be WPA Enterprise so I cannot use the guest user repository. Max download bandwidth needs to be cumulative for all devices and be reset at midnight (easy part :) ), and a user is not allowed to go past his daily quota, so I cannot use the endpoint repository, and accounting is reset with every new session.

So I was thinking about adding an attribute called usage to the local user, but I cannot figure out how I can use this in an enforcement profile so I can update this attribute in a post-authentication enforcement (usage = %{localuser:usage}+accounting usage). I cannot find an enforcement profile type to do this (or even to create the attribute the first time the user logs on).

PoC will be configured 30/5/2018 (I know it's short day) and the Aruba SEs involved are all saying it's theoretically possible, but I cannot find any input here or on Arubapedia on how to do this. There's a thread from mpgioia: http://community.arubanetworks.com/t5/Security/CPPM-Local-User-DB-Attribute-Designation-Enforcement-Profile/m-p/267109#M26021 Unfortunately there's no explanation on how to do the SQL filter query on new attributes, and he got around using the attribute in the enforcement policy, not the enforcement profile.

I will start setting up the PoC with regular Guest User and regular onboarding because the requested functionality more or less exists by default. Hopefully I can get some useful info during the day to add.

 

Thanks, Erik

ACDX#968, ACMP, ACCP
Frequent Contributor II

Re: Clearpass add cumulative usage to user attribute

You need to create a new SQL authentication source pointing to insightdb. For this source, the authorization source will be the Insight repository, so make sure Insight is enabled on the CPPM node. I am not good at writing SQL queries, but I did the below for a customer to allow them (each MAC address) 2 hours of access in 7 days' time:

1. select case WHEN sum (duration) > 7200 THEN 'true' ELSE 'false' END from radius_acct where start_time BETWEEN date_trunc('days', now()) and date_trunc('days', now() + interval '7 days' ) AND calling_station_id = lower('%{Connection:Client-Mac-Address-NoDelim}') and ssid = 'XXX';
2. select (7200 - sum (duration)) as remaining_time from radius_acct where start_time BETWEEN date_trunc('days', now()) and date_trunc('days', now() + interval '7 days' ) AND calling_station_id = lower('%{Connection:Client-Mac-Address-NoDelim}') and ssid = 'XXX';

 

This will probably give you an idea how to proceed.

JayBee
ACDX | ACCX| CCIE (RnS/SP,DC) | ACCP | ACMP | ACSA | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Frequent Contributor II

Re: Clearpass add cumulative usage to user attribute

Adding screenshots..

JayBee
Frequent Contributor I

Re: Clearpass add cumulative usage to user attribute

Hi JayBee,

 

Thanks for this. Unfortunately I cannot find any documentation on how to collect usage. You wouldn't know what to replace (duration) with, by any chance?

Time is very well documented when used in SQL queries on Insight in Clearpass. Everything else is quite difficult to find.

 

Rgds, Erik

 

 

ACDX#968, ACMP, ACCP
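
The per-user daily byte quota discussed in this thread, written in the same PostgreSQL style as the duration queries above. This is an added example, not code from the thread or from ClearPass: the `username` and `output_bytes` columns and the `%{Authentication:Username}` substitution are assumptions to check against the Insight schema on your node, and the table and rows are constructed so the query runs stand-alone.

```sql
-- Constructed stand-in for the accounting table queried in the thread.
-- start_time and calling_station_id appear in the thread's queries;
-- username and output_bytes are ASSUMED column names, verify before use.
CREATE TEMP TABLE radius_acct (
    username           text,
    calling_station_id text,
    start_time         timestamptz,
    output_bytes       bigint   -- assumed: bytes sent to the client (download)
);

-- Constructed sample sessions: erik uses two devices today, and has one
-- session from before midnight that must not count towards today's quota.
INSERT INTO radius_acct VALUES
  ('erik', 'aabbccddee01', date_trunc('day', now()),
           150 * 1024 * 1024),
  ('erik', 'aabbccddee02', date_trunc('day', now()),
            60 * 1024 * 1024),
  ('erik', 'aabbccddee01', date_trunc('day', now()) - interval '3 hours',
           500 * 1024 * 1024);

-- Quota check per user across all devices since midnight.
-- Grouping by username (not calling_station_id) makes the total cumulative
-- over every device the user authenticates with.
-- COALESCE handles a user with no sessions today: SUM() over zero rows is
-- NULL, which would otherwise make both the comparison and the remainder NULL.
-- 200MB is taken here as 200 * 1024 * 1024 bytes (assumption).
SELECT u.username,
       COALESCE(SUM(a.output_bytes), 0)                     AS used_bytes,
       GREATEST(200 * 1024 * 1024
                - COALESCE(SUM(a.output_bytes), 0), 0)      AS remaining_bytes,
       CASE WHEN COALESCE(SUM(a.output_bytes), 0) >= 200 * 1024 * 1024
            THEN 'true' ELSE 'false' END                    AS over_quota
FROM (VALUES ('erik'), ('anna')) AS u(username)   -- constructed user list
LEFT JOIN radius_acct a
       ON a.username = u.username
      AND a.start_time >= date_trunc('day', now())  -- window resets at midnight
GROUP BY u.username
ORDER BY u.username;

-- In an authentication source filter the user list collapses to the single
-- requesting user, e.g. WHERE username = '%{Authentication:Username}'
-- (assumed variable; substitute whatever your service exposes).
```

With the constructed rows, erik comes out over quota (150MB + 60MB today, the earlier 500MB session excluded) and anna, who has no sessions, shows the full 200MB remaining instead of NULL.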