Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Post Session Restriction Profile - Real world use case

  • 1.  Post Session Restriction Profile - Real world use case

    Posted Nov 02, 2019 04:45 PM

    Dear Experts, 

     

    Can someone highlight the way they might be using post session restriction profiles? Can I use it to restrict bandwidth usage by an 802.1x client?



  • 2.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 04, 2019 04:16 AM

    This is more typically used on guest networks and an enforcement profile is included in the guest service wizard.

     

    What exactly are you aiming to do here? Block access once a user has exceeded a certain amount of data?



  • 3.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 04, 2019 04:18 AM

    Dear James,

     

    Yes, but for 802.1x users. Is it possible to restrict them so that they are not able to download/upload more than 10Gb of data per 24 hours?



  • 4.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 05, 2019 06:39 AM

    OK, I did some testing on my own and it seems to be working. Attached snapshot is my profile. Also attached is the snap of the CoA sent.

    As defined in the action, it's either disconnect or disconnect and block access. In both cases, Aruba terminate session was fired. Can we change this behavior? Like if I want to change the role/VLAN of the user exceeding their bandwidth quota? Where can I do this modification?

     



  • 5.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 05, 2019 08:18 AM

    You could try adding the [Blacklist user repository] as an authorization source, do some role mapping based on a user being blacklisted, then assign a different role via your enforcement.

     

    I've not tried this out myself but this is what I'd do next to try to get it working....



  • 6.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 12:13 AM

    Yeah, I think the challenge is, post session profile workflows are not explained in detail. So we are not sure what we can and cannot do with post session profiles. All the role mapping and other stuff can be done primarily for the time of login, but if I want to monitor the state of an authenticated user (802.1x and not guest) there doesn't seem to be any guidelines given.


  • 7.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 05:27 AM

    I can see that Aruba wireless terminate session is sent if post auth action is set to disconnect (with or without block access). Where do we modify this setting?



  • 8.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:06 AM

    That's expected. The client will re-authenticate and ClearPass should see that the MAC is in the blacklist user repository and assign a different role.

     

    That's how I would imagine it works if you set up your service as I previously mentioned.



  • 9.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:25 AM

    How should I add the user to the blacklist repository when he exceeds the quota? In post-auth-check the action is only disconnect. I cannot pass on any other profile.

    Or am I missing something very basic here?



  • 10.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:26 AM

    Sorry for multiple posts. When you said "do some role mapping based on a user being blacklisted", this is what I am asking: how to blacklist the user as part of post session policy?



  • 11.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 06:59 AM

    post-auth-check > action > disconnect and block access



  • 12.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 07:14 AM

    Blacklist user repository refers to Static host list? Because I did the same thing but nothing is added to the SHL.


  • 13.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 07:22 AM

    OK, I see them under monitoring. Out of curiosity, I have also accessed the ClearPass DB with pgAdmin and can see different tables. Any idea which one corresponds to blacklisted users?

    So the workflow would be to use BL as authz source, and when the user is matched, either deny or push a different role to him, right?



  • 14.  RE: Post Session Restriction Profile - Real world use case
    Best Answer

    Posted Nov 06, 2019 07:40 AM

    In theory yes, that's how I see it working.



  • 15.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 06, 2019 12:27 PM

    OK, let me test this out tomorrow.

    Also, if you or anyone can advise which table in the public database corresponds to the Blacklist users repository. Just asking out of curiosity.



  • 16.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 07, 2019 06:20 AM

    Dear James, 

     

    I added BL as authz source but couldn't use it in role mapping or enforcement policy. I checked under sources and in my case (snap attached) its fields are empty.

    How to use the BL user repository in Role mapping or Enforcement profile? It's not available.



  • 17.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 07, 2019 06:58 AM

    Got it to work. Attaching the snapshots of my BL authentication source and the changes done to it, and also my enforcement profile.

    Thanks, James, for all the help provided.



  • 18.  RE: Post Session Restriction Profile - Real world use case

    Posted Nov 07, 2019 07:13 AM

    That's great! Glad you got it working. :)