Contributor I

Re: Limit number of connections per AD user for specific Role

I have RFC3576 active on both the IAP and Clearpass/Radius server.

I'm sure it's something simple that I'm missing or have in the wrong spot but I can still connect two devices.

Contributor I

Re: Limit number of connections per AD user for specific Role


@cappalli wrote:
(INSTANT-VC1)(SSID Profile secure1)# radius-accounting
(INSTANT-VC1)(SSID Profile secure1)# radius-accounting-mode {user-authentication | user-association}
(INSTANT-VC1)(SSID Profile secure1)# radius-interim-accounting-interval <minutes>

When looking at my WIFI Profile in the CLI, I see I'm missing the "radius-accounting-mode".  What should I be using, user-authentication or user-association?

Guru Elite

Re: Limit number of connections per AD user for specific Role

Authentication

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Limit number of connections per AD user for specific Role

How does the de-auth work?  I have all the settings that have been mentioned in this post done and there are still multiple connections from the same user.

Guru Elite

Re: Limit number of connections per AD user for specific Role

Are you able to manually disconnect a device? Please try this: Connect with your device, then go to Access Tracker and find the latest authentication request and open it. Click the "Change Status" button at the bottom, make sure it says Aruba Terminate Session. It should tell you if the action was successful.

change-status.png

coa-type.png

Contributor I

Re: Limit number of connections per AD user for specific Role

I'll check first thing tomorrow morning, I've already gone home and there aren't any live connections I can "test" with lol
Contributor I

Re: Limit number of connections per AD user for specific Role

Radius [Aruba Terminate Session] successful for client 94ebcd19ecb9

So it seems that works.  It disconnected my BB10 device and then the device reconnected instantly while my Android device was already connected.

Contributor II

Re: Limit number of connections per AD user for specific Role

Hi all, just to update this thread, I was working with the OP and we finally got this working.

We set up the policy & profile as follows, and are now able to connect with one device only, using username / password auth.  I think what was missing before was that the Endpoint wasn’t being updated with the AD username, the way it would with Guest authentication.

I’ll try to sum it up here:

Enforcement Policy.png

In the screenshot above, you can see I have two rules in the Enforcement Policy, in this case based on my UserDN (just to ensure the rule hits during testing.  Obviously for the customer, the rule condition will be based on TIPS:Role or something other than a static UserDN).  The first rule is where we check the Unique-Device-Count.  More than 1 device gets the Deny Access profile.

The next rule is where we set the user role, and update the endpoint.  Rather than setting it known, or trying to cache the MAC address, the “Update Endpoint” profile simply adds the AD username to the endpoint.

The profiles look like this:

Wireless Trust Profile.png

Update Endpoint Profile.png

I tested this with various devices, and it always works.  The first device authenticates properly, and the next one is rejected like this:

access tracker.png

Hope this helps someone else!
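The two-rule policy mpoulin describes, modelled as a small Python simulation. This is an added example, not ClearPass code and not anything posted in this thread: the profile names and the Unique-Device-Count / Update Endpoint attributes come from the post, but how the count is computed is a modelling assumption (here the device that is currently authenticating is counted among the user's devices), and the username "jdoe" and the second MAC address are constructed. The `update_endpoint=False` path reproduces the failure mode discussed in the thread, where the endpoint never learns the AD username and so the count never rises above one.

```python
"""Constructed model of a 'one device per AD user' enforcement policy.

Not ClearPass code. Rule order follows the thread:
  1. Unique-Device-Count GREATER_THAN 1  -> [Deny Access Profile]
  2. otherwise apply the role profile and write the username onto the endpoint
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_DEVICES = 1  # the thread's condition: Unique-Device-Count GREATER_THAN 1 -> deny
DENY = "[Deny Access Profile]"
ALLOW = "[Wireless Trust Profile]"


@dataclass
class Endpoint:
    mac: str
    username: Optional[str] = None  # attribute the "Update Endpoint" profile fills in


@dataclass
class EndpointRepository:
    """Stand-in for the Endpoints Repository, keyed by normalised MAC."""
    endpoints: Dict[str, Endpoint] = field(default_factory=dict)

    def get_or_create(self, mac: str) -> Endpoint:
        return self.endpoints.setdefault(mac, Endpoint(mac))

    def unique_device_count(self, username: str, current_mac: str) -> int:
        """Distinct MACs tagged with `username`.

        Modelling assumption: the device authenticating right now is counted
        as one of the user's devices even before its endpoint is updated.
        """
        macs = {m for m, ep in self.endpoints.items() if ep.username == username}
        macs.add(current_mac)
        return len(macs)


def normalise_mac(mac: str) -> str:
    """'94:eb:cd:19:ec:b9' -> '94ebcd19ecb9' (the form seen in Access Tracker)."""
    return mac.lower().replace(":", "").replace("-", "")


def authenticate(repo: EndpointRepository, username: str, mac: str,
                 update_endpoint: bool = True) -> str:
    """Evaluate the two enforcement rules in order; return the profile applied.

    update_endpoint=False models a policy without the Update Endpoint profile:
    the username is never stored, so the count never exceeds MAX_DEVICES.
    """
    mac = normalise_mac(mac)
    repo.get_or_create(mac)
    # Rule 1: deny when the user already has more devices than allowed
    if repo.unique_device_count(username, mac) > MAX_DEVICES:
        return DENY
    # Rule 2: assign the role and tag the endpoint with the AD username
    if update_endpoint:
        repo.endpoints[mac].username = username
    return ALLOW


def run_scenario(update_endpoint: bool) -> List[str]:
    """Constructed sequence: first device, its reconnect, then a second device."""
    repo = EndpointRepository()
    attempts = [
        ("jdoe", "94:eb:cd:19:ec:b9"),  # first device (MAC as seen in the thread)
        ("jdoe", "94:eb:cd:19:ec:b9"),  # same device reconnecting after a CoA
        ("jdoe", "00:11:22:33:44:55"),  # second device (constructed MAC)
    ]
    return [authenticate(repo, user, mac, update_endpoint) for user, mac in attempts]


if __name__ == "__main__":
    print("with Update Endpoint:   ", run_scenario(True))
    print("without Update Endpoint:", run_scenario(False))
```

With the endpoint update in place the sequence yields allow, allow, deny: the reconnecting device is still a single unique device, while the second MAC pushes the count to two. Without it every attempt is allowed, which is the "multiple connections from the same user" symptom reported earlier in the thread.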

Occasional Contributor I

Re: Limit number of connections per AD user for specific Role

Hi mpoulin.

Thanks for your post.

I tried to repeat your configuration for accounts from Clearpass guest and accounts from AD.
But I connect multiple devices and the rule does not match and the connection is not denied.

(Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1) [Deny Access Profile]
Advise please where can be my mistake?

Contributor II

Re: Limit number of connections per AD user for specific Role
