Frequent Contributor II

Post Session Restriction Profile - Real world use case

Dear Experts,

Can someone highlight the way they might be using post session restriction profiles? Can I use it to restrict bandwidth usage by an 802.1x client?

MVP Guru

Re: Post Session Restriction Profile - Real world use case

This is more typically used on guest networks and an enforcement profile is included in the guest service wizard.

 

What exactly are you aiming to do here? Block access once a user has exceeded a certain amount of data?


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------

Frequent Contributor II

Re: Post Session Restriction Profile - Real world use case

Dear James,

Yes, but for 802.1x users. Is it possible to restrict them so that they are not able to download/upload more than 10Gb of data per 24 hours?

Frequent Contributor II

Re: Post Session Restriction Profile - Real world use case

OK, I did some testing on my own and it seems to be working. Attached snapshot is my profile. Also attached is the snap of the CoA sent.

As defined in the action, it's either disconnect or disconnect and block access. In both cases, Aruba terminate session was fired. Can we change this behavior, like if I want to change the role/VLAN of the user exceeding their bandwidth quota? Where can I do this modification?

MVP Guru

Re: Post Session Restriction Profile - Real world use case

You could try adding the [Blacklist user repository] as an authorization source, do some role mapping based on a user being blacklisted, then assign a different role via your enforcement.

 

I've not tried this out myself but this is what I'd do next to try to get it working....


Cheers
James
Frequent Contributor II

Re: Post Session Restriction Profile - Real world use case

Yeah, I think the challenge is that post session profile workflows are not explained in detail. So we are not sure what we can and cannot do with post session profiles. All the role mapping and other stuff can be done primarily at the time of login, but if I want to monitor the state of an authenticated user (802.1x and not guest), there doesn't seem to be any guidelines given.
Frequent Contributor II

Re: Post Session Restriction Profile - Real world use case

I can see that Aruba wireless terminate session is sent if post auth action is set to disconnect (with or without block access). Where do we modify this setting?

MVP Guru

Re: Post Session Restriction Profile - Real world use case

That's expected. The client will re-authenticate and ClearPass should see that the MAC is in the blacklist user repository and assign a different role.

That's how I would imagine it works if you set up your service as I previously mentioned.


Cheers
James
Frequent Contributor II

Re: Post Session Restriction Profile - Real world use case

How should I add the user to the blacklist repository when he exceeds the quota? In post-auth-check, the action is only disconnect. I cannot pass on any other profile.

Or am I missing something very basic here?

Frequent Contributor II

Re: Post Session Restriction Profile - Real world use case

Sorry for multiple posts. When you said "do some role mapping based on a user being blacklisted", this is what I am asking: how to blacklist the user as part of post session policy?