Contributor I

Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Hello,

Is it possible to use different enforcement policies over the same service?

I have a service role mapping with nas_id and I need two different policies in this service.

In the service settings I just can add one fixed enforcement policy.

Do I need for all different enforcement mappings one service?

Second thing, can someone explain to me why there was always a re-auth?

Attached file.

 

Thank you

 

 

Guru Elite

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

What conditions are different between the two groups of users/devices that you want to test for?

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Enforcement profile session limit should be different. User A 5 sessions, User B 20 sessions.

 

Thank you

Guru Elite

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

You create two different radius Enforcement Profiles:  One that sends one session limit, and another one that sends a different session limit.  Then you create a radius enforcement policy that looks for a username and sends a specific limit and another line that looks for a different username and sends a different limit:

 

[Image: sessiona.png]


Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

I try this with authentication username but the enforcement is not listed after login with the user.

I just solved it now with a new service for this username and add the policy there directly.

Thank you very much for the reply.

 

Regards,

 

Marco

Contributor II

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

You can simply make it in one service by making Role tagging for the 2 different users, for example:

User X --Role--> 10 Session

User Y --Role--> 15 Session

After mapping the roles, in the enforcement policy add the Condition Rules:

Tips-->Role-->Equal-->10 Session ---- take action which is Enforcement profile of 10 session

Tips-->Role-->Equal-->15 Session ---- take action which is Enforcement profile of 15 session

Try this, it will work.

 

 

Islam Zidan │ Professional Services Engineer | ACCP,ACMP,ACEAP,AWMP,CWSP,CWDP,CWNA,CCNP,HP ASE ,MCITP
If you Found My Post Helping you kindly Give KUDOS and if it solved your question Kindly hit Accept as a solution box.
Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

I try but it doesn't work:

 

Role for unlimited Logins:

(Radius:IETF:User-Name  EQUALS  booking)

FOR THE OTHER ROLES I MAP ROLE_ID BUT WHERE IS THE ROLE ID FOR MY NEW ROLE?

[Booking]

 

Enforcement:

(Tips:Role  EQUALS  [Booking]) | Mobile Session Limit - unlimited Active

Access Tracker:

Service: Mobile
Authentication Method: EAP-PEAP,EAP-MSCHAPv2
Authentication Source: Local:localhost
Authorization Source: [Guest User Repository]
Roles: [Guest], [Mobile], [User Authenticated]

WHERE IS THE ROLE Booking?

Endpoint:Username = booking
Expire-Time-Update:GuestUser = 0
Expiry-Check:Expiry-Action = 0
Post-Auth-Check:Action = Disconnect
Post-Auth-Check:Action = Disconnect and Block Access
Radius:IETF:Session-Timeout = 0
Session-Check:Active-Session-Count = 5

Guru Elite

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Looks like your enforcement isn't configured to return a role.


Thanks,
Tim

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

This is my enforcement policy:

Name: Guest Access Policy MOBILE
Description: Enforcement policy for standard mobile access features
Enforcement Type: RADIUS
Default Profile: [Deny Access Profile]

Rules Evaluation Algorithm: First applicable

Conditions | Actions
1. (Tips:Role  EQUALS  [Booking]) | Mobile Session Limit - unlimited Active
2. (Tips:Role  EQUALS  [Mobile]) | Mobile Session Limit - 5 Active
3. (Tips:Role  NOT_EQUALS  [Mobile]) | [Deny Access Profile]

I think the problem is that my username booking does not map to the role Booking, isn't it?
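
A small model of the "First applicable" evaluation for the policy posted above, run against the roles listed in the Access Tracker output earlier in the thread. This is an added example, not part of the original posts and not ClearPass code; the function names and the any-role-matches semantics used for Tips:Role are assumptions.

```python
# Added illustration: models "First applicable" rule evaluation only.
# Rule order, role names and profile names are copied from the thread;
# everything else (function names, matching semantics) is assumed.

DEFAULT_PROFILE = "[Deny Access Profile]"

# (operator, role, enforcement profile), in the order shown in the policy
RULES = [
    ("EQUALS", "[Booking]", "Mobile Session Limit - unlimited Active"),
    ("EQUALS", "[Mobile]", "Mobile Session Limit - 5 Active"),
    ("NOT_EQUALS", "[Mobile]", "[Deny Access Profile]"),
]


def rule_matches(op, role, assigned_roles):
    # Assumption: Tips:Role is multi-valued. EQUALS is true when any
    # assigned role is the named one, NOT_EQUALS when none is.
    present = role in assigned_roles
    return present if op == "EQUALS" else not present


def evaluate(assigned_roles, rules=RULES):
    """Walk the rules in order and stop at the first match.

    Returns (steps, profile): steps is a list of (rule_number, matched)
    for every rule that was actually evaluated.
    """
    steps = []
    for number, (op, role, profile) in enumerate(rules, start=1):
        hit = rule_matches(op, role, assigned_roles)
        steps.append((number, hit))
        if hit:
            return steps, profile
    return steps, DEFAULT_PROFILE


# Roles as listed in the Access Tracker output in the thread
TRACKER_ROLES = ["[Guest]", "[Mobile]", "[User Authenticated]"]
# Constructed case: the same request if role mapping had also assigned [Booking]
WITH_BOOKING = TRACKER_ROLES + ["[Booking]"]

if __name__ == "__main__":
    for label, roles in (("tracker", TRACKER_ROLES), ("with [Booking]", WITH_BOOKING)):
        steps, profile = evaluate(roles)
        print(f"{label}: evaluated {steps} -> {profile}")
```

With the roles from the Access Tracker, rule 1 is skipped and rule 2 decides the result; rule 1 can only win when [Booking] is among the roles assigned before enforcement runs.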

Guru Elite

Re: Enforcement Policy for different Users over the same Service / Accounting / re-authentication

Looks like the role mapping is working but you don't have any RADIUS enforcement profile either or the rules.


Thanks,
Tim
