Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

  • 1.  in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 06:28 AM

    I built a guest login with a 1 hour expiration time, and I limited it to 1 session per guest - 1 device.

    everything works.

     

    BUT when the guest's 1 hour ends and he would like to reconnect with another device (with the same e-mail), ClearPass gives me a reject.

    Capture.PNG

     

    I don't want ClearPass to limit an e-mail/user to using just 1 device - I just want to limit usage to 1 session (1 device) per e-mail while the account is enabled. After the time is over, I would like to give the user/e-mail the ability to create a new user with the same e-mail and another device...

     

    Please advise.

     

     



  • 2.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 06:43 AM

    anyone?



  • 3.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 08:38 AM

    If you only want to limit the user to one session, then you could try to enable this on the account itself.

     

    1. For all guest creations:   CPG --> Configuration --> Guest Manager --> Active Sessions

    2. For your specific guest form to set this value when the account is created:  CPG --> Configuration --> Guest Self-Registration --> Your Page --> Click Form in the Register Page section --> Insert a new field (anywhere) --> Choose simultaneous_use --> Change User Interface to Hidden --> Change Initial Value to 1  --> Save Changes


  • 4.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 08:54 AM

    Clembo... but then the user can use 2 devices... he just re-self-registers the new device... it's not enough...

    (SO I LIMIT THE ABILITY TO CREATE the same user by using: auto_update_account hidden)

     

    BUT WHEN THE 1 HOUR IS OVER - and the user wants to use the same e-mail... he gets a reject because his first device is still in the endpoint DB.....

     

    PLEASE READ AGAIN my need.

    BTW:

    This configuration is already configured in the guest CPPM....

    Capture.PNG

     

     

     

     



  • 5.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 09:01 AM

    Your initial post had the following, that you didn't want to limit the user to 1 device, but rather the usage of 1 session; so I interpreted it as you stating you wanted to limit it to 1 session during the life of the account:

    "I don't want ClearPass to limit an e-mail/user to using just 1 device - I just want to limit usage to 1 session (1 device) per e-mail"

     

    Can you share the error on the Alerts tab of Access Tracker?



  • 6.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 09:09 AM

    Why don't you check what Enforcement profile is being applied to the service and the user.   It likely has a condition that limits the unique device count to greater than 1.   You can change/remove this as you need for your scenario.  

     

     



  • 7.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 11:12 AM

    Hi Clembo

     

    I'm limiting to 1 session per guest (in the Guest Manager) and also guest = 1 device (now I raised it to 2 devices)  Authorization:[Endpoints Repository]:Unique-Device-Count = 2

     

    Please try to figure out what I am trying to accomplish:

     

    Drawing1.jpg

     

    I'm trying to limit the guest to using each registration on only 1 device... but when the 1 hour is over and he gets logged out and deleted, I want him to be able to re-self-register his 2nd device

    Drawing12.jpg

     

    But I keep getting this REJECT issue even though the guest is expired... his endpoint record is still there... :( please advise

     

    Thanks,

     

    Me



  • 8.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 11:16 AM

    This is my enforcement policy after I raised it to two devices:

    Capture.PNG

     

    Before I raised it, it was 1:

    Authorization:[Endpoints Repository]:Unique-Device-Count  GREATER_THAN 1

     

    But still, what happens if the same guest comes back after a week with a 3rd device and uses the same e-mail address? He still gets a reject, because the endpoint records are kept...

     

    please advise.

     

     



  • 9.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 02:51 PM

    You can remove that condition from the enforcement profile altogether if you want (if you already have the 1 session at a time setup and working the way you want).   Or create a new Enforcement Profile altogether that doesn't even look at the unique device count.

     

     



  • 10.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 02, 2013 03:32 PM

    Ok... Understood. But then even before the first session is over the user can self-reg his 2nd device... Or should the auto update account in the form solve it? Or then even after 1 hour he will not be able to self-reg with the same mail?


  • 11.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 03, 2013 05:55 AM

    ??



  • 12.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Oct 03, 2013 10:40 AM

    I apologize if my replies are not timely as I am engaged with customers throughout the day; if you need more immediate response, I suggest you call TAC for dedicated support on your issue.

     

    To answer your question, sure the user may be able to self-register another device, I don't know if the auto_update_account field would do anything or not.....but if ClearPass is only allowing one logon session per user (email) then does it matter how many devices they try to get on with?   If the user decides to register from 3 systems, they should still only be able to logon on one device based upon the session limit.

     

    If I am still misunderstanding the scenario, I apologize.



  • 13.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Mar 25, 2014 06:59 AM

    Apologies for bumping an old post.

     

    Did you ever get this issue resolved? I am having the same issue: I have a limit of 2 devices per user, but these devices are never forgotten, and as a result, 3 weeks later a user returns with a 3rd device and is denied access.

     

    My accounts expire after one day rather than your 1 hour, but other than that the issues are the same..

     

    I was following the post and amending my session limits, but I am stuck on the instructions posted by "clembo"

     

    "For your specific guest form to set this value when the account is created:  CPG --> Configuration --> Guest Self-Registration --> Your Page --> Click Form in the Register Page section --> Insert a new field (anywhere) --> Choose simultaneous_use --> Change User Interface to Hidden --> Change Initial Value to 1  --> Save Changes"

     

    I can't see an option to "insert a new field" that gives me the option to choose "simultaneous_use"

     

    Did you follow these instructions and remove the "Unique-Device-Count" limit?

     



  • 14.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Mar 26, 2014 07:40 AM

    I have achieved this by adding an additional Insight Repository attribute which checks for active sessions against a particular username. Add the attribute with the following settings:

     

    select CASE WHEN count(distinct calling_station_id) >= '%{GuestUser:simultaneous_use}' THEN 'True' ELSE 'False' END from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') and now());

     

    CASE     above_allowed_sessions     type=String

     

    This checks for active sessions for the username, and if the count is greater than or equal to the GuestUser:simultaneous_use field it returns TRUE, otherwise it returns FALSE.

    You could modify this to have a fixed value of 1 instead of GuestUser:simultaneous_use if required.

     

    Your enforcement profile then just has a rule that says if above_allowed_sessions = TRUE apply the Deny Access Profile.

     

    Oh and don't forget to remove the other check for active sessions from the enforcement profile which is blocking the 2nd device attaching.
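
    Added example (not part of the original post, and not ClearPass or Insight code): the session-count check from the post above, re-implemented against an in-memory SQLite table so its behaviour can be tested offline. Column names come from the posted query; the table layout, epoch-second timestamps, sample rows and function names are assumptions made for the illustration.

```python
import sqlite3

# Same predicate as the posted filter, adapted to SQLite: timestamps are
# epoch seconds and "now" is passed in so the result is reproducible.
QUERY = """
SELECT COUNT(DISTINCT calling_station_id) >= :limit
FROM radius_acct
WHERE username = :user
  AND end_time IS NULL
  AND termination_cause IS NULL
  AND updated_at BETWEEN :now - 3600 AND :now
"""

def make_db(rows):
    """Build an in-memory table with the columns the posted query reads."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE radius_acct (
        username TEXT, calling_station_id TEXT,
        end_time INTEGER, termination_cause TEXT, updated_at INTEGER)""")
    db.executemany("INSERT INTO radius_acct VALUES (?,?,?,?,?)", rows)
    return db

def above_allowed_sessions(db, user, now, limit=1):
    """True means the enforcement rule would apply the deny profile."""
    params = {"user": user, "now": now, "limit": limit}
    return bool(db.execute(QUERY, params).fetchone()[0])

NOW = 1_000_000  # constructed clock value (epoch seconds)
# Constructed accounting rows: (username, MAC, end_time, cause, updated_at)
SAMPLE = [
    # alice: live session on one device, interim update 5 minutes ago
    ("alice@example.com", "AA-AA-AA-00-00-01", None, None, NOW - 300),
    # bob: session from a week ago, closed by an accounting stop
    ("bob@example.com", "BB-BB-BB-00-00-01",
     NOW - 604800, "Session-Timeout", NOW - 604800),
    # carol: no stop record ever arrived, last update 2 hours ago (stale)
    ("carol@example.com", "CC-CC-CC-00-00-01", None, None, NOW - 7200),
]

def demo():
    """Evaluate the check for each sample guest at time NOW."""
    db = make_db(SAMPLE)
    users = ("alice@example.com", "bob@example.com", "carol@example.com")
    return {u: above_allowed_sessions(db, u, NOW) for u in users}

if __name__ == "__main__":
    for user, deny in demo().items():
        print(f"{user}: above_allowed_sessions={deny}")
```

    Only alice is above the limit: bob's closed session and carol's stale one no longer count, so a returning guest is not blocked by old records. The predicate never looks at the connecting device's own MAC, so an open row for that same device counts toward the limit as well.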



  • 15.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Sep 23, 2014 01:50 AM

    Hello, I am trying to achieve the same. My issue is I see this error in my Access Tracker.

     

    I am using the same query as you with the 1 instead of GuestUser:simultaneous_use

    Policy server

    Failed to get value for attributes=[above_allowed_sessions]

     

    Any ideas?



  • 16.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Sep 23, 2014 03:39 AM

    Have you got the Insight Repository defined as an authorisation source?

    This is required.

    If so, can you post your syntax.



  • 17.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Sep 23, 2014 11:26 PM

    Yes the insight repository with this attribute allocated is an authorization source 

     

    select CASE WHEN count(distinct calling_station_id) >= '1' THEN 'True' ELSE 'False' END from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') and now());

     

     



  • 18.  RE: in cppm guest - i would like limit guest to use 1 device per e-mail..BUT

    Posted Sep 24, 2014 04:00 AM

    Have you tried the statement with the 1 not inside quotes as below:

     

    select CASE WHEN count(distinct calling_station_id) >= 1 THEN 'True' ELSE 'False' END from radius_acct where (username = '%{Authentication:Username}') AND end_time is null AND termination_cause is null AND (updated_at BETWEEN (now() - interval '1 hour') and now());

     

    otherwise I cannot see an issue with the statement.