Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Limiting user with expect scripting without using Clearpass - October-MHC

  • 1.  Limiting user with expect scripting without using Clearpass - October-MHC

    Posted Oct 15, 2014 04:57 AM

    Introduction

    Limiting the bandwidth of wireless users on controllers in a master-local topology using only a scripting language is so easy and crucial in big campus networking. We have limited many users with the following method to save bandwidth.

    Steps

    1- Create a role on Aruba for limited users. In my case, it is named "role-1mbps".
    2- RADIUS accounting information is logged to MySQL with freeradius-mysql.
    3- Calculate your users' download/upload threshold value for the period.
    4- We will have another script which will trigger the following expect script. The script will make changes on both controllers, and the user's session won't be completely removed.

     

    Expect script:
    #!/usr/bin/expect
    # The User-Name to restrict is passed as the first argument by the
    # script that evaluates the accounting data (as published, $username
    # was used without ever being set).
    set username [lindex $argv 0]
    if {$username eq ""} {
        puts stderr "usage: limit-user.exp <User-Name>"
        exit 1
    }
    set password 123123
    set timeout 20

    # Master: add a server-group derivation rule that maps this user to role-1mbps.
    # Note that StrictHostKeyChecking=no skips SSH host-key verification.
    set hosts "aruba-master"
    spawn ssh -o StrictHostKeyChecking=no admin@$hosts
    expect "admin@$hosts's password:"
    send -- "$password\r"
    expect "#"
    send -- "config t\r"
    expect "#"
    send -- "aaa server-group SSID-wpa2\r"
    expect "#"
    send -- "set role condition User-Name equals $username set-value role-1mbps position 1\r"
    expect "#"
    send -- "write mem\r"
    expect "#"
    send -- "exit\r"

    # Local: refresh the user's entry so the new role is applied.
    set hosts "aruba-local"
    spawn ssh -o StrictHostKeyChecking=no admin@$hosts
    expect "admin@$hosts's password:"
    send -- "$password\r"
    expect ">"
    send -- "ena\r"
    expect "Password:"
    send -- "$password\r"
    expect "#"
    send -- "aaa user delete name $username\r"
    expect "#"
    send -- "exit\r"

    5- To remove the limited role, send only the "no" line:
    send -- "no set role condition User-Name equals $username set-value role-1mbps\r"
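
    As an added example (not the poster's code), here is the kind of trigger script steps 3 and 4 describe: it aggregates per-user download/upload octets from freeradius-mysql accounting rows that were active in the period, applies the threshold, and hands each offending User-Name to the expect script above. It assumes the standard radacct column names (username, acctstarttime, acctupdatetime, acctstoptime, acctinputoctets, acctoutputoctets) and a hypothetical path /usr/local/bin/limit-user.exp for the expect script; SQLite stands in for MySQL and the rows are constructed so the example runs offline. Two points the steps do not spell out are built in: an open session is only visible through acctupdatetime, so the period query depends on interim accounting being enabled, and the User-Name is client-supplied text that ends up inside a controller CLI command, so names outside a plain-word character set are skipped rather than sent.

```python
import re
import sqlite3
import subprocess

# Hypothetical path for the expect script from the post; adjust to your install.
EXPECT_SCRIPT = "/usr/local/bin/limit-user.exp"

# A User-Name is chosen by the client and ends up inside a controller CLI
# command ("set role condition User-Name equals <name> ..."), so only hand
# the expect script names the CLI will treat as a single plain word.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@\-]+")

# Constructed stand-in for the freeradius-mysql radacct table, reduced to the
# columns the threshold calculation needs. Octet counters are cumulative per
# session: an Interim-Update rewrites them on the open row (acctstoptime NULL),
# a Stop packet writes the final values and sets acctstoptime.
SCHEMA = """
CREATE TABLE radacct (
    radacctid        INTEGER PRIMARY KEY,
    acctsessionid    TEXT NOT NULL,
    username         TEXT NOT NULL,
    acctstarttime    TEXT NOT NULL,
    acctupdatetime   TEXT,
    acctstoptime     TEXT,
    acctinputoctets  INTEGER NOT NULL DEFAULT 0,
    acctoutputoctets INTEGER NOT NULL DEFAULT 0
)
"""

# Constructed rows: (session, user, start, last update, stop, input octets,
# output octets). From the NAS's point of view Acct-Input-Octets is traffic
# received from the client (upload) and Acct-Output-Octets is traffic sent to
# the client (download).
SAMPLE_ROWS = [
    ("s1", "alice",    "2014-10-15 00:10:00", "2014-10-15 03:50:00", None,                   60_000_000,   900_000_000),
    ("s2", "bob",      "2014-10-15 01:00:00", "2014-10-15 01:30:00", "2014-10-15 01:30:00",   5_000_000,    50_000_000),
    ("s3", "bob",      "2014-10-15 02:00:00", "2014-10-15 03:55:00", None,                   20_000_000,   700_000_000),
    ("s4", "carol",    "2014-10-14 20:00:00", "2014-10-14 22:00:00", "2014-10-14 22:00:00", 100_000_000, 5_000_000_000),
    ("s5", 'mal"lory', "2014-10-15 03:00:00", "2014-10-15 03:59:00", None,                   10_000_000,   600_000_000),
]


def build_sample_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO radacct (acctsessionid, username, acctstarttime, acctupdatetime,"
        " acctstoptime, acctinputoctets, acctoutputoctets) VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def heavy_users(conn, period_start, period_end, download_limit, upload_limit):
    """Users whose sessions active in [period_start, period_end) exceed a limit.

    A session counts if it started before the period ended and was last
    updated (or stopped) after the period began. Returns (username, download,
    upload) tuples, heaviest downloader first.
    """
    sql = """
        SELECT username,
               SUM(acctoutputoctets) AS download,
               SUM(acctinputoctets)  AS upload
          FROM radacct
         WHERE acctstarttime < ?
           AND COALESCE(acctstoptime, acctupdatetime) >= ?
         GROUP BY username
        HAVING SUM(acctoutputoctets) > ? OR SUM(acctinputoctets) > ?
         ORDER BY SUM(acctoutputoctets) DESC
    """
    params = (period_end, period_start, download_limit, upload_limit)
    return [tuple(row) for row in conn.execute(sql, params)]


def plan_actions(offenders, dry_run=True):
    """Decide, per offender, whether to run the expect script.

    Returns ("limit", name) for users handed to the script and ("skip", name)
    for User-Names that fail the character whitelist. With dry_run=False the
    script is actually spawned, one controller login at a time.
    """
    actions = []
    for username, _download, _upload in offenders:
        if not SAFE_USERNAME.fullmatch(username):
            actions.append(("skip", username))
            continue
        if not dry_run:
            subprocess.run([EXPECT_SCRIPT, username], check=True, timeout=120)
        actions.append(("limit", username))
    return actions


if __name__ == "__main__":
    db = build_sample_db()
    over = heavy_users(db, "2014-10-15 00:00:00", "2014-10-15 04:00:00",
                       download_limit=500_000_000, upload_limit=200_000_000)
    for name, down, up in over:
        print(f"{name}: {down / 1e6:.0f} MB down, {up / 1e6:.0f} MB up")
    for action, name in plan_actions(over):
        print(action, name)
```

    Because accounting counters are cumulative per session, a session that straddles the period boundary contributes its whole total; for exact per-period figures you would diff successive interim updates instead of summing the current row.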



  • 2.  RE: Limiting user with expect scripting without using Clearpass - October-MHC

    EMPLOYEE
    Posted Oct 16, 2014 06:01 AM

    Good writeup.  I have not tested this.

     

    - Does the WLC need to have interim accounting configured for this to work?

    - What module needs to be run to collect the interim accounting information and does the controller need to point to that module as a radius accounting server?

    - The CLI on the controller is single-threaded.  Since you could be dealing with quite a few users, is there something to rate-limit logging into the CLI, yet still allow for timely disconnects?    It might be better to use the XML-API of the controller to change a user role or to disconnect a user, since it is not bound by the CLI:  http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/XML_API/Using_the_XML_API_Server.htm

     

    ...just a few questions...



  • 3.  RE: Limiting user with expect scripting without using Clearpass - October-MHC

    Posted Oct 16, 2014 06:31 AM

    Hi Colin,

     

    - Yes, you are supposed to enable Interim Accounting so that you don't have to wait for the RADIUS "Stop" packet.

    - The freeradius-mysql module collects the traffic information in the database.

    - It might be a better option, as you have suggested. I didn't use the XML API. I had two other options for changing the role. When I use the "aaa user delete name" command, it never disconnects the user. It refreshes the user's profile/role table.

     

    thanks,



  • 4.  RE: Limiting user with expect scripting without using Clearpass - October-MHC

    EMPLOYEE
    Posted Oct 16, 2014 06:35 AM

    umutarus,

     

    Got it.

     

    If you want to really disconnect the user, you can blacklist the user with the "stm add-blacklist-client <client mac>" command:  https://arubanetworkskb.secure.force.com/pkb/articles/Troubleshooting/How-to-blacklist-a-client-in-a-centralized-way

     

    If you wanted to change the user's role so that they also get a message, you could do that as well...