Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

self register access question

  • 1.  self register access question

    Posted May 09, 2014 02:54 PM
    Is it possible to lock the self register access for each device just to authenticate 3 times a day?

    For example, a user can self register to the wifi just 3 times... If he tries another one then it won't let him.

    Cheers
    Carlos


  • 2.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 03:07 PM

    If I understand this correctly, you want a guest to only be allowed to register 3 devices on the guest wireless, correct?  Yes - this is possible.  It is a setting in the Service template you create on the guest authentication in CPPM.



  • 3.  RE: self register access question

    Posted May 09, 2014 03:17 PM

    No

    I want one device to be able to self register 3 times a day only.

    For example:

    If I come with my iPad and I self register, I get access to the internet.

    If I come again and self register another time, I get access for another hour.

    If I come to self register again, I get one more hour.

    If I come a 4th time to self register... it won't let me.  But just for the day... what I mean is that tomorrow the client is able to self register again 3 more times.

    Cheers

    Carlos



  • 4.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 03:21 PM

    OK...well you can add the Insight DB as an authorization source and then limit the amount of logins per day.  I am not sure (haven't tested) if you can limit the amount of registrations but we can limit how many times someone can login to the network.  

     

    Screenshot 2014-05-09 15.19.21.png



  • 5.  RE: self register access question

    Posted May 09, 2014 03:28 PM

    Where can you specify that it's per day in there?


    Cheers

    Carlos



  • 6.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 03:45 PM
    That count that you see from the screenshot is the amount of times since midnight


  • 7.  RE: self register access question

    Posted May 09, 2014 03:50 PM

    By default it's like that? It's something you cannot change? (This question is just curiosity.) I don't need this.



  • 8.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 03:56 PM

    No - you cannot change that...there are other variables that may make sense in conjunction with that counter though like:

     

    Insight:Time-Since-Last-Auth is less than 24 hours (example) ==  allow network access

    Insight:Time-Since-Last-Auth is greater than 24 hours (example) ==  Redirect to page



  • 9.  RE: self register access question

    Posted May 09, 2014 04:26 PM

    So I should build another enforcement rule which states that if the successful logins is 3 it should give deny access?

    For example I got this

    CPGuest.JPG

    So I should add the Insight repository here

    Then I should make a role here which states that if the login attempts is less than 3 then put him in the role of login attempts like this

    role.JPG

    Then on the enforcement it should state that if he gets that role, give him a deny access policy like this

    enforment.JPG

    Is the configuration correct or is it wrong?

     

    Cheers

    Carlos



  • 10.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 04:28 PM

    It looks ok...but I think the operand should be greater than 3 and not less than 3.  Configured as you have it, no one will ever get access!

     

    Your other option is to provide another role back (not just deny access) with a web page redirect saying that they got there because of the excessive logins per day...just a thought.



  • 11.  RE: self register access question

    Posted May 09, 2014 04:31 PM

    Hahah, you are right, my bad...

    I'll try logging in 3 times with the same user to see what happens :)



  • 12.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 04:36 PM

    If you are good with SQL, you can add more filters for the Insight DB.  For example, you can see the query for the login attempts since midnight by going to Authentication --> Sources --> Insight.  Once you know the logic, you can create custom filters to suit your needs.

     

    Here is what we are doing to get that integer...

     

    SELECT COUNT(*) AS login_count FROM auth WHERE error_code = 0 AND username = '%{Authentication:Username}' AND timestamp BETWEEN date_trunc('day', NOW()) AND date_trunc('day', NOW() + INTERVAL '1 day');



  • 13.  RE: self register access question

    Posted May 09, 2014 04:41 PM

    Sadly I don't know anything about SQL... guess that's why I find this a bit hard...

    I tested this, it seems to work if I try with the same user... after trying 3 times with the same user, it won't let me log on...

    But if I self register again with another email, for example, I get access :(

    Is there a way to make it not per account... more per device?
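
Added example (not part of the thread, and not ClearPass's own filter): the per-account query quoted in post 12 next to a per-device variant, written for PostgreSQL against a constructed stand-in for the Insight auth table, to show why the counter tested in post 13 starts over when the same phone self registers a new account. The mac column, the sample rows and the %{Connection:Client-Mac-Address-NoDelim} variable named in the comments are assumptions to check against the filters under Authentication --> Sources --> Insight.

```sql
-- Constructed stand-in for the Insight "auth" table: only the columns used by
-- the query quoted in the thread, plus "mac" (assumed column name).
CREATE TEMP TABLE auth (
    username    text,
    mac         text,        -- assumption: client MAC stored without delimiters
    error_code  integer,     -- 0 = successful authentication, as in the thread's query
    "timestamp" timestamptz
);

-- Constructed sample rows: one phone. A login yesterday, three successful
-- logins today as guest A, one failed attempt (constructed non-zero code),
-- then a newly self-registered account (guest B) from the same phone.
INSERT INTO auth (username, mac, error_code, "timestamp") VALUES
    ('guest-a@example.com', '001122334455', 0, date_trunc('day', NOW()) - INTERVAL '5 hours'),
    ('guest-a@example.com', '001122334455', 0, date_trunc('day', NOW()) + INTERVAL '1 minute'),
    ('guest-a@example.com', '001122334455', 0, date_trunc('day', NOW()) + INTERVAL '2 minutes'),
    ('guest-a@example.com', '001122334455', 0, date_trunc('day', NOW()) + INTERVAL '3 minutes'),
    ('guest-a@example.com', '001122334455', 1, date_trunc('day', NOW()) + INTERVAL '4 minutes'),
    ('guest-b@example.com', '001122334455', 0, date_trunc('day', NOW()) + INTERVAL '5 minutes');

-- 1) Per-account count, same logic as the filter quoted in the thread. The
--    username literal stands in for '%{Authentication:Username}'. Only the
--    new account's own successful logins since midnight are counted.
SELECT COUNT(*) AS login_count
FROM auth
WHERE error_code = 0
  AND username = 'guest-b@example.com'
  AND "timestamp" BETWEEN date_trunc('day', NOW())
                      AND date_trunc('day', NOW() + INTERVAL '1 day');

-- 2) Per-device count: same window, keyed on the MAC instead of the account,
--    so logins made under every account used on that device are included.
--    In a ClearPass filter the literal would be a request variable such as
--    '%{Connection:Client-Mac-Address-NoDelim}' (assumption, verify locally).
SELECT COUNT(*)                 AS device_login_count,
       COUNT(DISTINCT username) AS accounts_used
FROM auth
WHERE error_code = 0
  AND mac = '001122334455'
  AND "timestamp" >= date_trunc('day', NOW())
  AND "timestamp" <  date_trunc('day', NOW()) + INTERVAL '1 day';
```

Because a MAC address is reported by the client, a per-device counter like this works as a usage cap and not as an identity check.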



  • 14.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 04:46 PM

    Well...you can limit the amount of devices using this in the enforcement policy: (just line 1)

     

    Screenshot 2014-05-09 16.45.17.png



  • 15.  RE: self register access question

    Posted May 09, 2014 04:55 PM

    I mean with the same device.

    I got a Windows Phone on which I'm testing.

    I tried logging in 3 times with the same account, and yes, I can no longer get in with that account.

    But with the same Windows Phone I tried self registering (which means another account different from the one I was using) and I'm able to log in.

    I believe you mean if I was using different devices... for example an iPad and then an iPhone, but this is not the case in this scenario... I'm just using one device.

     

    Cheers

    Carlos



  • 16.  RE: self register access question

    EMPLOYEE
    Posted May 09, 2014 05:03 PM

    Well...another workflow might be...checking to see if the Endpoint DB has an attribute (you can add a custom one post auth) or an entry is KNOWN in the endpoint DB.  This would be tied to the guest registration perhaps...or on the auth request.

     

    Not sure fully how that workflow would work out.



  • 17.  RE: self register access question

    Posted May 09, 2014 05:10 PM

    Is it possible to make it so that self registration for one device is possible just once per day?

    I mean my Windows Phone can self register just once per day; if I tried to self register a second time it should not let me.

    If it's possible, that would fix it in conjunction with the successful login rule.

     

    Cheers

    Carlos