Limiting number of devices on PEAP network

  • 1.  Limiting number of devices on PEAP network

    Posted Sep 07, 2016 09:34 AM

    Hi,

     

    I have set up ClearPass 6.6 and an HP MSM wireless network. I followed the HP MSM and ClearPass v3 guide to set up a .1x wireless network with PEAP with accounts in Active Directory. (Not guest portal)

     

    The next step is to limit users in a certain group in AD to only be able to connect with one device.

    For checking the group I can use MemberOf. For the number of devices I try to use Unique-Device-Count. If it is greater than 1 then deny access.

    The problem is that when I connect multiple devices with the same username, the Unique-Device-Count counter is always 1 when I look in Access Tracker.

     

    I searched through Airheads and found some tips to add ClearPass as an accounting server in the wireless controller, enable RADIUS interim accounting on the wireless controller and add the Endpoint Repo to the authorization sources.

    None of these helped.

     

    Do you have any idea why it doesn't work?

     

    Regards

    Philip



  • 2.  RE: Limiting number of devices on PEAP network

    EMPLOYEE
    Posted Sep 07, 2016 10:05 AM

    Are you seeing devices appearing under the Accounting Tab in ClearPass?



  • 3.  RE: Limiting number of devices on PEAP network

    Posted Sep 08, 2016 04:29 AM

    Hi,

     

    Do you mean under Monitoring->Live Monitoring->Accounting?

     

    There I see the user.

     

    Regards,

    Philip



  • 4.  RE: Limiting number of devices on PEAP network



  • 5.  RE: Limiting number of devices on PEAP network

    Posted Sep 08, 2016 06:34 AM

    No. I did read that guide. The problem I have is that the HP MSM controller doesn't support CoA, so post-auth checks are not doable.

    I would like to have the functionality to limit the number of devices on the first auth when the user/device connects.

     

    Reading the MSM and ClearPass v3 guide, I see that it is possible to use an Aruba controller as an L2 bridge. Is this the only solution to be able to get what I want?



  • 6.  RE: Limiting number of devices on PEAP network

    EMPLOYEE
    Posted Sep 08, 2016 08:37 AM
    Unique-Device-Count should be working. I would open up a TAC case.