Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[Quota Based Access]

  • 1.  [Quota Based Access]

    Posted Nov 22, 2012 03:17 AM

     

    Hi Guys,

     

    Does anyone have any ideas on how to restrict users based on quota? Meaning the users will only be assigned a certain download limit, for example 10MB. Once the user has downloaded 10MB, his access is denied.

     

    Can this be done with just the controller, or I suppose we need systems like ClearPass to complement?

     

    Thank you!



  • 2.  RE: [Quota Based Access]

    EMPLOYEE
    Posted Nov 22, 2012 05:47 AM

    We would need ClearPass Policy Manager to do that.  The controller would send RADIUS accounting packets to CPPM and CPPM would have a rule to disconnect the user when that threshold is reached.

     



  • 3.  RE: [Quota Based Access]

    Posted Nov 22, 2012 10:07 AM

    Hi Joseph,

     

    Thanks for the quick response again, appreciate it =)

     

     

    Have found some information that the Controller might not be able to do it as there are no attributes to specify the usage?

     

    From 6.1UG:
    The following is the list of attributes that the controller can send to a RADIUS accounting server:
      Acct-Status-Type
      User-Name
      Acct-Session-Id
      Acct-Authentic:
      Acct-Session-Time
      Acct-Terminate-Cause: Indicates how the session was terminated and is sent in Accounting-Request records where the Acct-Status-Type is Stop. Possible values are:
        1: User logged off
        4: Idle Timeout
        5: Session Timeout. Maximum session length timer expired.
        7: Admin Reboot: Administrator is ending service, for example prior to rebooting the controller.
      NAS-Identifier
      NAS-IP-Address
      NAS-Port
      NAS-Port-Type: Type of port used in the connection. This is set to one of the following:
        5: admin login
        15: wired user type
        19: wireless user
      Framed-IP-Address
      Calling-Station-ID
      Called-station-ID

     

     

    Thanks!



  • 4.  RE: [Quota Based Access]
    Best Answer

    EMPLOYEE
    Posted Nov 22, 2012 10:34 AM

    Do you have a RADIUS Accounting Server Group defined in the AAA profile on the Controller of that WLAN that is pointing to CPPM?  If you do, you will then get a new Accounting tab in Access Tracker.  In addition, make sure you enable "Interim Accounting" on the AAA profile so that you get periodic data accounting (ArubaOS 6.1 and above).

     




  • 5.  RE: [Quota Based Access]

    Posted Nov 22, 2012 12:26 PM

    I love you bro! You are the man!

     

    I suppose I can only achieve that with CPPM?

     

    Thank you!

     

     



  • 6.  RE: [Quota Based Access]

    EMPLOYEE
    Posted Nov 22, 2012 12:28 PM

    Yes, because only CPPM has policy elements to evaluate and take action on that attribute.
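
The quota decision discussed in this thread (interim accounting updates evaluated against a byte threshold), as an added example that is not part of any post and is not ClearPass's own logic. It assumes the standard usage counters Acct-Input-Octets / Acct-Output-Octets (RFC 2866) and their Gigawords extensions (RFC 2869), which are not in the attribute list quoted above; `QuotaTracker`, `rec` and the sample records are hypothetical and constructed, and status values are shown by name.

```python
from collections import defaultdict

MB = 1024 * 1024
QUOTA_BYTES = 10 * MB  # the 10MB limit from the question (binary MB is an assumption)

def session_octets(record):
    """Cumulative bytes for one session, both directions (assumption: all traffic counts)."""
    total = 0
    for direction in ("Input", "Output"):
        low = int(record.get(f"Acct-{direction}-Octets", 0))
        wraps = int(record.get(f"Acct-{direction}-Gigawords", 0))  # 2**32 rollovers
        total += (wraps << 32) + low
    return total

class QuotaTracker:
    def __init__(self, quota_bytes=QUOTA_BYTES):
        self.quota = quota_bytes
        self.sessions = defaultdict(dict)  # User-Name -> {Acct-Session-Id: bytes}

    def process(self, record):
        """Apply one Accounting-Request; return 'disconnect' once the user hits quota."""
        user, sid = record["User-Name"], record["Acct-Session-Id"]
        if record["Acct-Status-Type"] in ("Interim-Update", "Stop"):
            # Counters are cumulative per session: keep the latest, never add updates.
            prev = self.sessions[user].get(sid, 0)
            self.sessions[user][sid] = max(prev, session_octets(record))
        else:  # Start
            self.sessions[user].setdefault(sid, 0)
        used = sum(self.sessions[user].values())
        return "disconnect" if used >= self.quota else "allow"

def rec(status, sid, out=0, inp=0):  # constructed sample record, not captured traffic
    return {"User-Name": "alice", "Acct-Session-Id": sid, "Acct-Status-Type": status,
            "Acct-Output-Octets": out, "Acct-Input-Octets": inp}

SAMPLE = [
    rec("Start", "s1"),
    rec("Interim-Update", "s1", out=4 * MB),
    rec("Interim-Update", "s1", out=6 * MB),     # cumulative: 6MB so far, not 10MB
    rec("Stop", "s1", out=6 * MB, inp=1 * MB),   # session 1 closes at 7MB
    rec("Start", "s2"),                          # user reconnects, counters restart
    rec("Interim-Update", "s2", out=2 * MB),     # 7 + 2 = 9MB
    rec("Interim-Update", "s2", out=4 * MB),     # 7 + 4 = 11MB, over quota
]

def replay(records):
    tracker = QuotaTracker()
    return [tracker.process(r) for r in records]

print(replay(SAMPLE))
```

Usage has to be tracked per user across sessions, otherwise a reconnect resets the quota; enforcement can also only react at the next interim update, so the interval bounds how far past the limit a user can go.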

     



  • 7.  RE: [Quota Based Access]

    Posted Nov 23, 2012 02:23 AM

    Hi Bro,

     

    Just to be sure. So we can kick out users based on a predefined max bytes downloaded?

     

    Thanks.



  • 8.  RE: [Quota Based Access]

    EMPLOYEE
    Posted Nov 23, 2012 06:16 AM

    Let's get specific:

     

    Do you have Amigopod (now ClearPass Guest) or ClearPass Policy Manager?  Do you want to set limitations on guest users who come onto your network?