Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
MAC accounts and session limits

  • 1.  MAC accounts and session limits

    Posted Dec 06, 2012 01:29 PM

    We are using our Amigopods to provide Internet access to our guests.  Our complimentary Internet access requires the guest to accept an AUP to gain access.  Our paid access requires the guest/meeting to have an access code that is generated by someone in our tech support group.  

    We have implemented the "Auto Create MAC Auth Account" using the Aruba tech document for both classes of service.  For the free folks, I have the MAC accounts set to expire each day at 2AM.  This way the guests must accept the AUP at least once per day, but don't have to accept it multiple times per day if their session expires on the controller.  For the paid access, I have the MAC accounts set to expire at the same time as the master access code.  So, if they purchase Internet access for 2 days, the master access code account expires after 2 days, as do the MAC accounts.  This has all been working very well.  

    One limitation of this setup is that the session limit only applies to the access code, not the created MAC accounts.  So, if I create an access code with a session limit set to 75 connections, such as TEST75, the 75 session limit will only be enforced when they log in the first time using the access code.  Then, throughout the day as the devices go to sleep/turn off and get disconnected from the controller for more than 5 minutes, they will start using the MAC accounts to authenticate.  At this point, we aren't really enforcing the 75 user limit because the individual MAC accounts have no concept of the 75 session limit.  Is there some way to have the best of both worlds -- MAC authentication and enforcing the number of simultaneous connections?


    Thanks,

    Bryan




  • 2.  RE: MAC accounts and session limits

    Posted Dec 07, 2012 01:38 AM

    It sounds like you are trying to enforce a limit of 75 maximum connections across all MAC authenticated devices.  Is that correct?




  • 3.  RE: MAC accounts and session limits

    Posted Dec 12, 2012 04:32 PM

    We're trying to enforce a session limit of "x" (including the related MAC accounts) depending on what session limit is defined in the user account (access code) -- which varies by each access code.  If we set up a code, TESTUSER2, with a session limit of 30, we'd like them to be limited to only being able to generate 30 MAC accounts, or limit them to 30 max simultaneous sessions (including MAC accounts and logins using TESTUSER2) -- whichever is more doable.

    We're using the "old" auto create MAC account RADIUS code.  Since we set this up, the "new" Tech Note came out.  We tested this, but the limit of paired devices tied to a single user account is a fixed value (below it is 2).  I wonder if we could use the session limit variable from the user account and feed it into the ($MAX_MAC_ACCOUNTS = x) where x would be the variable session limit set on the particular access code/user account, such as 30 for the account I created above, TESTUSER2.

    ($MAX_MAC_ACCOUNTS = 2)
    && (NwaRadiusLocalServer()->GetUserCount(array(
    'sponsor_name' => strtolower(GetAttr('User-Name')),
    'delete_time' => 0,
    'mac_auth' => 1)
    ) >= $MAX_MAC_ACCOUNTS)
    ? (AccessReject() && 0) : 1    



  • 4.  RE: MAC accounts and session limits

    Posted Dec 14, 2012 02:08 PM

    Maybe something like the following would work - change highlighted.  (Adjust field name as you like.)

    ($MAX_MAC_ACCOUNTS = isset($user['mac_account_limit']) ? $user['mac_account_limit'] : 2)
    && (NwaRadiusLocalServer()->GetUserCount(array(
    'sponsor_name' => strtolower(GetAttr('User-Name')),
    'delete_time' => 0,
    'mac_auth' => 1)
    ) >= $MAX_MAC_ACCOUNTS)
    ? (AccessReject() && 0) : 1
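    To see how the proposed per-account cap behaves, here is an added stand-alone model of the expression's logic (my code, not Amigopod's own RADIUS code) run over a constructed account table: GetUserCount() is modelled as a filter over account records with the same keys the expression uses, and `mac_account_limit` is the custom field name assumed from the post above, defaulting to 2 when the field is not set.

```python
"""Model of the Amigopod RADIUS-expression check from the thread (not Amigopod code).

All account data below is constructed for illustration. GetUserCount() is
modelled as a filter over account dicts keyed the way the posted expression
filters them: sponsor_name, delete_time and mac_auth.
"""
from typing import Dict, List, Optional

Account = Dict[str, object]

# Constructed sample of the local RADIUS user table.
ACCOUNTS: List[Account] = [
    # Access codes created by tech support; cap stored in an assumed custom field.
    {"username": "TESTUSER2", "mac_auth": 0, "delete_time": 0, "mac_account_limit": 3},
    {"username": "TEST75", "mac_auth": 0, "delete_time": 0},  # field unset -> default of 2
    # Auto-created MAC accounts; sponsor_name is the lowercased access code.
    {"username": "00-11-22-33-44-55", "mac_auth": 1, "delete_time": 0, "sponsor_name": "testuser2"},
    {"username": "00-11-22-33-44-56", "mac_auth": 1, "delete_time": 0, "sponsor_name": "testuser2"},
    {"username": "00-11-22-33-44-57", "mac_auth": 1, "delete_time": 1354838400, "sponsor_name": "testuser2"},  # deleted
    {"username": "00-11-22-33-44-58", "mac_auth": 1, "delete_time": 0, "sponsor_name": "test75"},
    {"username": "00-11-22-33-44-59", "mac_auth": 1, "delete_time": 0, "sponsor_name": "test75"},
]


def get_user_count(accounts: List[Account], **filters: object) -> int:
    """Model of NwaRadiusLocalServer()->GetUserCount(): accounts matching every filter key."""
    return sum(1 for a in accounts if all(a.get(k) == v for k, v in filters.items()))


def find_user(accounts: List[Account], username: str) -> Optional[Account]:
    """Look up the access-code account presented as User-Name (exact match, as typed)."""
    return next((a for a in accounts if a["username"] == username), None)


def mac_account_limit(user: Account, default: int = 2) -> int:
    """isset($user['mac_account_limit']) ? $user['mac_account_limit'] : 2"""
    limit = user.get("mac_account_limit")
    return int(limit) if limit is not None else default


def allow_new_mac_account(accounts: List[Account], user_name: str) -> bool:
    """True = accept (another MAC account may be auto-created); False = AccessReject()."""
    user = find_user(accounts, user_name)
    if user is None:
        return False
    live_mac_accounts = get_user_count(
        accounts, sponsor_name=user_name.lower(), delete_time=0, mac_auth=1
    )
    return live_mac_accounts < mac_account_limit(user)
```

    As in the thread, this caps the number of MAC accounts created per access code (the first of the two options asked for in post 3); it does not count simultaneous sessions, so a deleted MAC account frees a slot but an idle-but-undeleted one does not.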