Security

Reply
Highlighted
Frequent Contributor I

How to disconnect Users at a specified time?

Hey everybody,

 

we are using CPPM 6.4 with the Guest module.

 

I want to disconnect guest users at a specified time using CoA or Radius Session-Timeout.

 

One customer wants to have specified time ranges for their guest users.

I already updated the service so they can only login in the specified time, but of course don't get disconnected when the end time is reached.

 

The biggest problem is that we have different guest roles with different time ranges.

Would it be possible to disconnect a users with a specific user role at 10pm for example?

 

The users shall not expire! They will be able to reconnect again at the next day in the specified time range.

 

The authentication is using captive portal.

The NAS device is a IAP.

 

 

Regards,


Sven - AMFX #35

Accepted Solutions
Highlighted
Moderator

Re: How to disconnect Users at a specified time?

You would need to use the time source as an authorization source and calculate the difference between the authentication time and 10 PM and then return that amount of time as a session timeout.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

View solution in original post

Frequent Contributor I

Re: How to disconnect Users at a specified time?

 

This required some PostgreSQL knowledge but I have a running solution now :)

 

Step 1: Add TimeSource as Authorization Source

 

Step 2: Add Filter to TimeSource 

select (extract(epoch from date(CURRENT_DATE) + time '22:30' - now()))::int as Until2300;

 

Step 3: Enforcement Profile with Session-Timeout

Radius:IETFSession-Timeout=%{Authorization:[Time Source]:Until2300}

 

 

Thanks


Sven - AMFX #35

View solution in original post


All Replies
Highlighted
Moderator

Re: How to disconnect Users at a specified time?

You would need to use the time source as an authorization source and calculate the difference between the authentication time and 10 PM and then return that amount of time as a session timeout.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

View solution in original post

Frequent Contributor I

Re: How to disconnect Users at a specified time?

 

This required some PostgreSQL knowledge but I have a running solution now :)

 

Step 1: Add TimeSource as Authorization Source

 

Step 2: Add Filter to TimeSource 

select (extract(epoch from date(CURRENT_DATE) + time '22:30' - now()))::int as Until2300;

 

Step 3: Enforcement Profile with Session-Timeout

Radius:IETFSession-Timeout=%{Authorization:[Time Source]:Until2300}

 

 

Thanks


Sven - AMFX #35

View solution in original post

Highlighted
Aruba Employee

Re: How to disconnect Users at a specified time?

hello guy


 

 

I need deploy the solution mencionated, 

I follow: 

Step 1: Add TimeSource as Authorization Source

 

Step 2: Add Filter to TimeSource 

select (extract(epoch from date(CURRENT_DATE) + time '22:30' - now()))::int as Until2300;

 

Step 3: Enforcement Profile with Session-Timeout

Radius:IETFSession-Timeout=%{Authorization:[Time Source]:Until2300}

 Step 4: Apply to a enforcement.

 

conection its working but the desconection at 1700 doesnt happen, maybe Im missing some steps. attach you can find some screenshoots of my configs.

 

Many Thanks



Highlighted
MVP Expert

Re: How to disconnect Users at a specified time?

Do you have accounting enabled ? In ClearPass and the NAD
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
Aruba Employee

Re: How to disconnect Users at a specified time?

hello,

Thanks for you quick reply

I had configured on controller:
- RFC 3576 Server (ip of my CPPM).
- RADIUS accounting server on AAA profile of captive portal (ip of my CPPM).
- RADIUS intering accounting on AAA profile.

 

over CPPM :
- I think the accounting its enable because I can see the active sessions and can see "online" status form a sigle user in access tracker, but its not possible terminate the session--- image attached.

v