Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Limit number of unique devices for an user

  • 1.  Limit number of unique devices for an user

    Posted Apr 23, 2013 10:27 AM

    Hi

     

    In our environment there have been requests to limit the number of devices a user can utilize on the WIFI network and also register the username of each device.

    Users authenticate with AD username and password.

    I have created an Enforcement profile that updates the endpoint with the username.

    Endpoint Username =  %{Authentication:Username} 

    This part is successful.

     

    In the authentication service I specify a condition for the Enforcement policy 

     (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1)  [Deny Access Profile] 

    This doesn't seem to work, I can access the network with multiple devices as a specific user.

     

    Just for the test I have tried to register as a guest, and the rules above work perfectly if a guest user tries to authenticate twice, but not if an AD user authenticates twice.

     

    Have I missed anything in the configuration or isn’t this possible to implement in the way we planned?

     

     

    Regards

    Jonas



  • 2.  RE: Limit number of unique devices for an user

    EMPLOYEE
    Posted Apr 24, 2013 07:21 AM

    For 802.1x, you need to use a post authentication enforcement profile that will either enforce bandwidth or simultaneous sessions.

     

    For that you will need:

     

    - Interim accounting enabled on your Wireless Lan Controller

    - COA or change of authorization (RFC 3566) configured on your Wireless Controller and in your definition for that WLC in ClearPass

    - Insight Enabled on your ClearPass Policy Manager.

     

    The config is different from looking at how many users have logged in for guests, because it relies on current vs. historical data.

     



  • 3.  RE: Limit number of unique devices for an user

    Posted Apr 24, 2013 07:42 AM

    Do I understand this correctly?

     

    With 802.1x I can only limit the number of simultaneous devices a user can connect to the network.

    Not limit the user to only utilize one specific device, i.e. an iPad, and block any other device the same user tries to connect anytime in the future?

     

    One example:

    The user Bob connects his iPad to the network.

    Later he tries to connect his iPhone, but this should not be granted access as long as the iPad is bound to his username.

     

    Would it be possible to implement this type of solution without Onboard?



  • 4.  RE: Limit number of unique devices for an user
    Best Answer

    EMPLOYEE
    Posted Apr 24, 2013 08:07 AM

    @jonas.hammarback wrote:

    Do I understand this correctly?

     

    With 802.1x I can only limit the number of simultaneous devices a user can connect to the network.

    Not limit the user to only utilize one specific device, i.e. an iPad, and block any other device the same user tries to connect anytime in the future?

     

    One example:

    The user Bob connects his iPad to the network.

    Later he tries to connect his iPhone, but this should not be granted access as long as the iPad is bound to his username.

     

    Would it be possible to implement this type of solution without Onboard?


    I must be having a problem understanding English.  I apologize.  I just re-read your first post.

     

    You should be able to accomplish what you want, just like you said.  

     

    You will want to put the endpoints repository into the Authorization Tab.  In the access tracker, under Input and Authorization attributes, it should say what the Authorization Endpoints Repository Unique device count number should be.

     



  • 5.  RE: Limit number of unique devices for an user

    Posted Apr 24, 2013 08:51 AM

    Ok, I see...

     

    In the service I have checked the Authorization check box on the Service tab and in the new Authorization tab added the Endpoints Repository as an additional authorization source.

     

    But when I authenticate I don't get the Unique device count under Authentication Attributes in the Input tab. I can only see authorization attributes from the AD.

    But on the summary tab I can see that Endpoint Repository is listed as Authorization source.



  • 6.  RE: Limit number of unique devices for an user

    Posted Apr 24, 2013 09:42 AM

    After additional testing, and also deleting the test device from the controller session table, I finally got the behavior I expected from the beginning.

     

    The thing I actually missed in my initial configuration was to enable Authorization in the Service tab and to add the Endpoint Repository as an additional authorization source in the Authorization tab.

     

    Thanks for your assistance

     

    Regards Jonas



  • 7.  RE: Limit number of unique devices for an user

    Posted Apr 24, 2013 10:21 AM

     

    What attributes did you use under the Enforcement Profiles to achieve this?



  • 8.  RE: Limit number of unique devices for an user

    Posted Apr 24, 2013 10:32 AM

    I created an Enforcement Policy as a copy of the default policy "Guest - MAC Caching - Limit 1 Device"

     

    Conditions | Actions
    1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1) | [Deny Access Profile]
    2. (Date:Day-of-Week BELONGS_TO Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday) | Guest Session Timeout, Guest Bandwidth Limit, Guest Session Limit, Guest MAC Caching, [Update Endpoint Known]

     

    Next step will be to implement different roles based on AD group membership, and allow some users to have more than one device.

     

    Regards

    Jonas
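
Added example, not part of the thread and not ClearPass code: a simplified Python model of the behaviour reported in posts 1 and 6, where the deny rule never matches until the Endpoints Repository is enabled as an authorization source, plus a check that flags such rules. First-match evaluation, the sample attribute values (including the AD attribute name) and the function names are assumptions made for illustration.

```python
import operator

OPS = {"GREATER_THAN": operator.gt, "EQUALS": operator.eq}

# Constructed values: what each authorization source returns for one request.
SOURCE_ATTRS = {
    "AD": {"Authorization:AD:Groups": "Staff"},
    "[Endpoints Repository]": {
        "Authorization:[Endpoints Repository]:Unique-Device-Count": 2},
}

# Rule 1 as posted in the thread; rule 2 reduced to a catch-all (condition None).
RULES = [
    (("Authorization:[Endpoints Repository]:Unique-Device-Count", "GREATER_THAN", 1),
     ["[Deny Access Profile]"]),
    (None, ["Guest Session Limit", "[Update Endpoint Known]"]),
]

def evaluate(enabled_sources, rules=RULES):
    """First-match evaluation; a condition on an unfetched attribute never matches."""
    attrs = {}
    for source in enabled_sources:
        attrs.update(SOURCE_ATTRS.get(source, {}))
    for condition, profiles in rules:
        if condition is None:
            return profiles
        name, op, value = condition
        if name in attrs and OPS[op](attrs[name], value):
            return profiles
    return []

def unreachable_rules(enabled_sources, rules=RULES):
    """Return 1-based numbers of rules whose Authorization source is not enabled."""
    flagged = []
    for number, (condition, _) in enumerate(rules, start=1):
        if condition is None:
            continue
        namespace, _, rest = condition[0].partition(":")
        source = rest.split(":", 1)[0]
        if namespace == "Authorization" and source not in enabled_sources:
            flagged.append(number)
    return flagged

if __name__ == "__main__":
    for sources in (["AD"], ["AD", "[Endpoints Repository]"]):
        print(sources, "->", evaluate(sources), "unreachable:", unreachable_rules(sources))
```

With only AD enabled, the request falls through to the permissive rule even though the device count is 2, which matches the symptom in the first post.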



  • 9.  RE: Limit number of unique devices for an user

    Posted Aug 18, 2017 11:33 AM

    Hi, 

     

    Could you share your implementation? (details and a diagram will help too :P)

     

    Best regards.



  • 10.  RE: Limit number of unique devices for an user

    Posted Mar 15, 2018 05:31 AM

    Hello,

    Did somebody implement a device limit in Guest? Could they explain the detailed implementation?

    Thank you.



  • 11.  RE: Limit number of unique devices for an user

    Posted Sep 04, 2018 09:51 PM

    Would anyone have the step by step to apply in the Guest network with CP, and Corporate Network with Radius?
    I would be grateful for the help of the community.