Contributor I

Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Hello,

Is it possible to use different enforcement policies over the same service?

I have a service role mapping with nas_id and I need two different policies in this service.

In the service settings I can only add one fixed enforcement policy.

Do I need one service for each of the different enforcement mappings?

Second thing, can someone explain to me why there was always a re-auth?

Attached file.

 

Thank you

 

 


All Replies
Guru Elite

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

What conditions are different between the two groups of users/devices that you want to test for?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

The enforcement profile session limit should be different: User A 5 sessions, User B 20 sessions.

 

Thank you

Guru Elite

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

You create two different RADIUS Enforcement Profiles: one that sends one session limit, and another one that sends a different session limit. Then you create a RADIUS enforcement policy that looks for a username and sends a specific limit, and another line that looks for a different username and sends a different limit:

[Image: sessiona.png]


Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

I tried this with the authentication username, but the enforcement is not listed after login with the user.

I just solved it now with a new service for this username and added the policy there directly.

Thank you very much for the reply.

 

Regards,

 

Marco

Contributor II

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

You can simply do it in one service by making role tagging for the 2 different users, for example:

User X--Role-->10 Session

User Y--Role-->15 Session

After mapping the roles, add the condition rules in the enforcement policy:

Tips-->Role-->Equal-->10 Session----take action which is Enforcement profile of 10 session

Tips-->Role-->Equal-->15 Session----take action which is Enforcement profile of 15 session

Try this, it will work.

 

 

AMFX#86 |ACMX | ACCX |ACDX | ACI |HPECI| ACEAP | CWSP | CWDP | CWNA | CCNP |HP ASE | MCITP
Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

I tried, but it doesn't work:

 

Role for unlimited Logins:

(Radius:IETF:User-Name  EQUALS  booking)

FOR THE OTHER ROLES I MAP ROLE_ID BUT WHERE IS THE ROLE ID FOR MY NEW ROLE?

[Booking]

 

Enforcement:

(Tips:Role EQUALS [Booking]) -> Mobile Session Limit - unlimited Active

Access Tracker:

Service: Mobile
Authentication Method: EAP-PEAP,EAP-MSCHAPv2
Authentication Source: Local:localhost
Authorization Source: [Guest User Repository]
Roles: [Guest], [Mobile], [User Authenticated]

WHERE IS THE ROLE Booking?

Endpoint:Username = booking
Expire-Time-Update:GuestUser = 0
Expiry-Check:Expiry-Action = 0
Post-Auth-Check:Action = Disconnect
Post-Auth-Check:Action = Disconnect and Block Access
Radius:IETF:Session-Timeout = 0
Session-Check:Active-Session-Count = 5
Moderator

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Looks like your enforcement isn't configured to return a role.


Thanks,
Tim


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

This is my enforcement policy:

Name: Guest Access Policy MOBILE
Description: Enforcement policy for standard mobile access features
Enforcement Type: RADIUS
Default Profile: [Deny Access Profile]

Rules Evaluation Algorithm: First applicable

Conditions -> Actions
1. (Tips:Role EQUALS [Booking]) -> Mobile Session Limit - unlimited Active
2. (Tips:Role EQUALS [Mobile]) -> Mobile Session Limit - 5 Active
3. (Tips:Role NOT_EQUALS [Mobile]) -> [Deny Access Profile]

I think the problem is that my username booking does not map to the role Booking, isn't it?
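
The policy and the Access Tracker roles posted above can be checked offline with a small model of "First applicable" evaluation. This is an added example, not part of the thread and not ClearPass code; the matching semantics (Tips:Role treated as multi-valued, EQUALS true when any assigned role matches, NOT_EQUALS when none does) and the function names are assumptions.

```python
# Simplified model of "First applicable" enforcement evaluation.
# Added example, not ClearPass code. Assumption: Tips:Role is multi-valued;
# EQUALS is true when any assigned role matches, NOT_EQUALS when none does.

DEFAULT_PROFILE = "[Deny Access Profile]"

# Rules copied from the policy "Guest Access Policy MOBILE" posted in the thread.
RULES = [
    ("EQUALS", "[Booking]", "Mobile Session Limit - unlimited Active"),
    ("EQUALS", "[Mobile]", "Mobile Session Limit - 5 Active"),
    ("NOT_EQUALS", "[Mobile]", "[Deny Access Profile]"),
]


def condition_holds(op, role, assigned_roles):
    """Evaluate one Tips:Role condition against the roles on the request."""
    present = role in assigned_roles
    if op == "EQUALS":
        return present
    if op == "NOT_EQUALS":
        return not present
    raise ValueError(f"unsupported operator: {op}")


def evaluate(assigned_roles, rules=RULES, default=DEFAULT_PROFILE):
    """Return (rule_number, profile) for the first matching rule, else (None, default)."""
    for number, (op, role, profile) in enumerate(rules, start=1):
        if condition_holds(op, role, assigned_roles):
            return number, profile
    return None, default


# Roles exactly as listed in the Access Tracker output for user "booking".
tracker_roles = {"[Guest]", "[Mobile]", "[User Authenticated]"}
# Constructed case: the same request if role mapping had also assigned [Booking].
mapped_roles = tracker_roles | {"[Booking]"}

if __name__ == "__main__":
    for label, roles in [("access tracker", tracker_roles),
                         ("with [Booking]", mapped_roles)]:
        number, profile = evaluate(roles)
        print(f"{label}: rule {number} -> {profile}")
```

With the roles shown in the Access Tracker the request falls through to rule 2; with [Booking] present, rule 1 applies first even though [Mobile] is also assigned.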

Moderator

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Looks like the role mapping is working but you don't have any RADIUS enforcement profile either or the rules.


Thanks,
Tim

