Contributor I

Limit number of connections per AD user for specific Role

Hello,

 

I have a bunch of IAP-105 Access Points connecting to ClearPass 6.2.5 for authentication/role mapping that has been working well for me.  I'm using the Active Directory machine name to authenticate employee machines and it's working, but lately I've had to add another role for Contractors.  For this role, since they don't have an AD PC but do have an AD username, I've set up authentication for the user account, but the problem is they can sign into the WiFi from many machines (including mobile devices).  I want to limit them to a single connection; all other attempts should get dropped.

 

I've done some searching and found a couple of threads about this same thing, but I couldn't get any of the responses to work for me.  Can I get a little help please?  I'm learning Aruba devices on my own, so I'm limited in what I know about them.  Here are a couple of screenshots of my Service (I know the Roles page looks messy, but it's because we have multiple domains and multiple operating companies in each domain, so each operating company has their own groups).

 

Any help would be greatly appreciated.

 

Chris

 

 

[Screenshots attached: Capture.JPG, Capture1.JPG, Capture2.JPG, Capture3.JPG, Capture4.JPG, Capture5.JPG]


Accepted Solutions
Contributor II

Re: Limit number of connections per AD user for specific Role

Hi all, just to update this thread, I was working with the OP and we finally got this working.

 

We set up the policy & profile as follows, and are now able to connect with one device only, using username/password auth.  I think what was missing before was that the Endpoint wasn't being updated with the AD username, the way it would be with Guest authentication.

 

I'll try to sum it up here:

 

[Screenshot: Enforcement Policy.png]

 

In the screenshot above, you can see I have two rules in the Enforcement Policy, in this case based on my UserDN (just to ensure the rule hits during testing; obviously for the customer, the rule condition will be based on TIPS:Role or something other than a static UserDN).  The first rule is where we check the Unique-Device-Count.  More than 1 device gets the Deny Access profile.

The next rule is where we set the user role and update the endpoint.  Rather than setting it to known, or trying to cache the MAC address, the "Update Endpoint" profile simply adds the AD username to the endpoint.

 

The profiles look like this:

 

[Screenshots: Wireless Trust Profile.png, Update Endpoint Profile.png]

 

I tested this with various devices, and it always works.  The first device authenticates properly, and the next one is rejected like this:

[Screenshot: access tracker.png]

 

Hope this helps someone else!

 

 

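To make the accepted solution's two-rule logic concrete, here is an added model (not ClearPass code, and not the poster's configuration) of how the "Update Endpoint" step and the Unique-Device-Count check interact. The endpoint repository, MAC addresses, usernames, and the assumption that the count means "other endpoints already tagged with this username" are all constructed for the example; ClearPass's own attribute semantics should be checked in the product documentation. The model shows the failure mode the OP hit: without the endpoint update, the count never rises and every device is allowed.

```python
"""Model of a per-user device limit built from two enforcement rules.

Constructed example, not ClearPass code. Rule 1 denies when the user already
has max_devices other endpoints tagged with their username; Rule 2 assigns the
role and tags the requesting endpoint with the username (the "Update Endpoint"
profile from the thread). The endpoint repository is an in-memory dict.
"""
from dataclasses import dataclass, field

DENY = "Deny Access"
ALLOW = "Allow Access: Contractor role"


@dataclass
class EndpointRepository:
    # MAC address -> attribute dict, standing in for the Endpoints Repository.
    endpoints: dict = field(default_factory=dict)

    def devices_for(self, username: str, exclude_mac: str = "") -> int:
        """Count endpoints tagged with username, optionally ignoring one MAC."""
        return sum(
            1
            for mac, attrs in self.endpoints.items()
            if mac != exclude_mac and attrs.get("Username") == username
        )

    def update(self, mac: str, username: str) -> None:
        """The 'Update Endpoint' step: record the AD username on the endpoint."""
        self.endpoints.setdefault(mac, {})["Username"] = username


def enforce(repo: EndpointRepository, username: str, mac: str,
            update_endpoint: bool = True, max_devices: int = 1) -> str:
    """Evaluate the two rules for one authentication request.

    update_endpoint=False reproduces the configuration from before the fix,
    where the endpoint never learned the username.
    """
    # Rule 1: too many *other* devices already tagged with this username.
    # Excluding the requesting MAC lets the same device re-authenticate.
    if repo.devices_for(username, exclude_mac=mac) >= max_devices:
        return DENY
    # Rule 2: assign the role and, if configured, tag the endpoint.
    if update_endpoint:
        repo.update(mac, username)
    return ALLOW


def simulate(requests, update_endpoint: bool = True, max_devices: int = 1):
    """Run a sequence of (username, mac) requests against a fresh repository.

    Returns the list of decisions in order, so the effect of update_endpoint
    can be compared side by side.
    """
    repo = EndpointRepository()
    return [enforce(repo, user, mac, update_endpoint, max_devices)
            for user, mac in requests]


# Constructed request sequence: a contractor's laptop authenticates twice,
# then their phone tries, then a different user authenticates.
SAMPLE_REQUESTS = [
    ("contractor1", "aa:bb:cc:00:00:01"),
    ("contractor1", "aa:bb:cc:00:00:01"),  # same device re-auth: allowed
    ("contractor1", "aa:bb:cc:00:00:02"),  # second device: denied once tagged
    ("contractor2", "aa:bb:cc:00:00:03"),  # unrelated user: allowed
]

if __name__ == "__main__":
    for label, flag in (("with Update Endpoint", True), ("without", False)):
        print(label)
        for (user, mac), decision in zip(SAMPLE_REQUESTS,
                                         simulate(SAMPLE_REQUESTS, flag)):
            print(f"  {user:12s} {mac}  ->  {decision}")
```

The denied phone is never tagged, so it does not consume the contractor's single slot; the same laptop can keep re-authenticating because its own MAC is excluded from the count. The replies below discuss the alternative of counting active RADIUS sessions, which depends on accounting data rather than the endpoint repository and is not modelled here.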


All Replies
Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

To use active-session-count, I think you need to make sure you have RADIUS interim accounting set up as well as Insight turned on in ClearPass.

Moderator

Re: Limit number of connections per AD user for specific Role

Also be aware that turning up interim accounting for all your networks can increase load on ClearPass.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor I

Re: Limit number of connections per AD user for specific Role

I have the checkbox for "Enable Insight on this server" checked and also have "Log Accounting Interim-Update Packets" set to True.

 

Any other suggestions?

 

Thanks!

Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

In the Live_Monitoring>Accounting page, do you see accounting records?  I ask because there are also settings on the controller itself that would need to be enabled to make Interim Accounting work.

Contributor I

Re: Limit number of connections per AD user for specific Role

No, there are no records being produced.

 

These APs are the Instant APs which have the controller built in. 

I'm not using a stand alone controller as I was told I didn't need one.

 

Is there somewhere on the IAP-105s I have to turn accounting on then?

Contributor I

Re: Limit number of connections per AD user for specific Role

Ok, so I found where to turn accounting on and it's now logging to the Accounting page...but I'm still able to sign into multiple devices with the same user account.

Moderator

Re: Limit number of connections per AD user for specific Role

(INSTANT-VC1)(SSID Profile secure1)# radius-accounting
(INSTANT-VC1)(SSID Profile secure1)# radius-accounting-mode {user-authentication | user-association}
(INSTANT-VC1)(SSID Profile secure1)# radius-interim-accounting-interval <minutes>


Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

I do not have a ton of XP on IAPs, but from the command line you should be able to:

wlan ssid-profile <profile-name>
radius-accounting enable
radius-interim-accounting-interval 10

Set the accounting interval to however many minutes you need the user to check in at; be careful, because too many re-auths can really put load on your ClearPass box.

 

Frequent Contributor II

Re: Limit number of connections per AD user for specific Role

In order to de-auth a user after authentication, I believe you must have an RFC3576 server configured.  This is a setting on the IAP as well as under Network > Devices > Enable RADIUS CoA on the ClearPass box.
