Security

Hello,

We just implemented a new Aruba wifi solution. Clearpass policy manager is used for radius for some SSID's and we have a specific SSID configured at a Clearpass policy manager service.

One of the networks we deploy is an Aruba 802.1x Wireless network, that just checks if the Active Directory user is member from a specfic (AD) group. This network is used for employees that are able to connect with their mobile device. Now i need a way to restrict access to only 1 concurrent connections/session for one group users and 2 concurrent connections/sessions to another group.

I did found some information about the rules I can use in the role mapping rules, but i can't find a way to limit the max concurrent connections. I'm not sure if this is the right way to configure this or that i need some service rules or other settings.

Any help is appriciated.

Regards,
Roland

You can define this under the user-role , maximum tcp sessions 0-65365

---

@roland123 wrote:

Hello,

We just implemented a new Aruba wifi solution. Clearpass policy manager is used for radius for some SSID's and we have a specific SSID configured at a Clearpass policy manager service.

One of the networks we deploy is an Aruba 802.1x Wireless network, that just checks if the Active Directory user is member from a specfic (AD) group. This network is used for employees that are able to connect with their mobile device. Now i need a way to restrict access to only 1 concurrent connections/session for one group users and 2 concurrent connections/sessions to another group.

I did found some information about the rules I can use in the role mapping rules, but i can't find a way to limit the max concurrent connections. I'm not sure if this is the right way to configure this or that i need some service rules or other settings.

Any help is appriciated.

Regards,
Roland

---

Roland,

 

You can do this through ClearPass Policy Manager with a Post-Authentication Profile.  Please review the CPPM 6.0 user guide on how to set this up.

 

Hello cjoseph,

 

I created an enforcement profile "limit max 1 session" with the attributes:

 

Type                                                            Name                                                  Value

1. Session-Check                                   Active-Session-Count                      = 1
2. Post-Auth-Check                                 Action                                                  =  Disconnect

 

I added this profile to an enforcement policy rule action. The policy conditions is:

 

Type                           Name                                                   Operator                                        Value

1. Tips                     Role                                                      EQUALS                                       My role name

And with this are 2 enforcement profiles:

[RADIUS] Profile_My-Profile
[Post Authentication] Limit max 1 session

 

 

In the radius profile there is a check for the Aruba-User-Role.

 

I also added the the Blacklist User Repository to the authentication sources at the Service that contains the above enforcement policy (as suggested in the user guide), but it doesn't seem to work, i did try to connect, disconnect and reconnect with 2 mobile devices and the AD user, but i can connect all the time when i enter the correct logon information.

 

Is there something i forget?

 

Kind regards,

Roland

Roland,

 

Do you have radius account enabled in the AAA profile of the WLAN controller?  You also need to enable interim accounting, as well.  In addition, in CPPM under server configuration, you need to have "Enable Insight on this Server" checked, as well as Log Accounting Interim-Update Packets set to True under Service Parameters> Radius Server > Accounting.

 

Helle cjoseph,

 

Radius interim accounting is enabled and there is a 802.1x Authentication server group specified to the Clearpass server. Is this enough on the controller side? Where do i need to have the radius account enabled in the AAA Profile, is this that i need to specify the clearpass server as accounting server, the same group i used for the 802.1x Authentication server group?

 

Enable Insight on this server is enabled, Log Accounting Interim-Update Packets is set to true.

 

Thanks,

Roland

 

 

 

 

Yes, you need to put the same server group for CPPM in the Radius Accounting Server group in the AAA profile. You should then be able to see radius accounting for authentication on the CPPM side.

Thank you for your patience with me :-)

 

Okay, now i see some data in the accounting monitoring. But i'm still able to just connect with my credentials from 2 devices at the same time. I'm expecting that the second connection is terminated, from the second device.

 

Do i still forget something?

Okay.  In the AAA profile on the Aruba Controller, make sure you have an RFC 3576 profile that points to CPPM (enter the same preshared key), and on the CPPM side make sure that the Aruba Controller definition has COA enabled.

 

I have the RFC 3576 Auth. server configured with the clearpass server at the controller aaa profile. And "Enable RADIUS CoA" is enabled in the CCPM config (at both aruba controller devices), but i'm still able to connect with 2 seperate devices.

 

 

Can you go to the access tracker is "Disconnect" an authenticated user to see if COA is configured properly?

 

I only see records at the access tracker for another service, but not for this one. At the accounting i do see the users that authenticate.