Security

Hey Airheads,

I'm trying to build up a PoC whic requires  Guest + MAC auth but with a limitation on concurrent sessions. 

Understanding you can perform unique device checks during the registration / MAC caching process to prevent the devices from being enrolled, i have a scenario where i'm using Azure AD logins for a BYOD workflow. This means we can't do the usual pre-auth application enforcement in ClearPass to check the unique device count in the endpoint repo. 

So what i'm trying to do is deliver a solution where users can auth as many devices  though Azure but they can only have 2-3 connected concurrently. 

My idea was to use the post authentication session-check enforcement to identify excess concurrent sessions and disconnect those in excess of the limit. 

Despite my best efforts i can't seem to get CPPPM to take any action when too many devices are connected under one account. 

Has anybody got this working? I'm playing in 6.10.5 version. 

Radius accounting is enabled and can see the device records

Do you have radius interim accounting also enabled on the NAS?

EDIT:  Do you also have COA configured?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Aug 04, 2022 06:51 PM
From: Scott Doorey
Subject: Post-Authentication Session-Check in MAC auth workflow

Hey Airheads,

I'm trying to build up a PoC whic requires  Guest + MAC auth but with a limitation on concurrent sessions. 

Understanding you can perform unique device checks during the registration / MAC caching process to prevent the devices from being enrolled, i have a scenario where i'm using Azure AD logins for a BYOD workflow. This means we can't do the usual pre-auth application enforcement in ClearPass to check the unique device count in the endpoint repo. 

So what i'm trying to do is deliver a solution where users can auth as many devices  though Azure but they can only have 2-3 connected concurrently. 

My idea was to use the post authentication session-check enforcement to identify excess concurrent sessions and disconnect those in excess of the limit. 

Despite my best efforts i can't seem to get CPPPM to take any action when too many devices are connected under one account. 

Has anybody got this working? I'm playing in 6.10.5 version. 

Radius accounting is enabled and can see the device records

interim accounting is enabled on NAS (AP-503H in Central with AOS 10)



i've even gone so far as to run the Active-Sessions query directly against insight using PGadmin and its correctly returning the active-session count






Original Message:
Sent: Aug 04, 2022 07:25 PM
From: Colin Joseph
Subject: Post-Authentication Session-Check in MAC auth workflow

Do you have radius interim accounting also enabled on the NAS?

EDIT:  Do you also have COA configured?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Aug 04, 2022 06:51 PM
From: Scott Doorey
Subject: Post-Authentication Session-Check in MAC auth workflow

Hey Airheads,

I'm trying to build up a PoC whic requires  Guest + MAC auth but with a limitation on concurrent sessions. 

Understanding you can perform unique device checks during the registration / MAC caching process to prevent the devices from being enrolled, i have a scenario where i'm using Azure AD logins for a BYOD workflow. This means we can't do the usual pre-auth application enforcement in ClearPass to check the unique device count in the endpoint repo. 

So what i'm trying to do is deliver a solution where users can auth as many devices  though Azure but they can only have 2-3 connected concurrently. 

My idea was to use the post authentication session-check enforcement to identify excess concurrent sessions and disconnect those in excess of the limit. 

Despite my best efforts i can't seem to get CPPPM to take any action when too many devices are connected under one account. 

Has anybody got this working? I'm playing in 6.10.5 version. 

Radius accounting is enabled and can see the device records

Original Message:
Sent: 8/4/2022 7:25:00 PM
From: cjoseph
Subject: RE: Post-Authentication Session-Check in MAC auth workflow

Do you have radius interim accounting also enabled on the NAS?

EDIT:  Do you also have COA configured?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Aug 04, 2022 06:51 PM
From: Scott Doorey
Subject: Post-Authentication Session-Check in MAC auth workflow

Hey Airheads,

I'm trying to build up a PoC whic requires  Guest + MAC auth but with a limitation on concurrent sessions. 

Understanding you can perform unique device checks during the registration / MAC caching process to prevent the devices from being enrolled, i have a scenario where i'm using Azure AD logins for a BYOD workflow. This means we can't do the usual pre-auth application enforcement in ClearPass to check the unique device count in the endpoint repo. 

So what i'm trying to do is deliver a solution where users can auth as many devices  though Azure but they can only have 2-3 connected concurrently. 

My idea was to use the post authentication session-check enforcement to identify excess concurrent sessions and disconnect those in excess of the limit. 

Despite my best efforts i can't seem to get CPPPM to take any action when too many devices are connected under one account. 

Has anybody got this working? I'm playing in 6.10.5 version. 

Radius accounting is enabled and can see the device records

Do you see the 'RADIUS Dynamic Authorization' tab showing up in Access Tracker for clients that you expect to be CoA-ed?

It's important to understand if the CoA does not trigger, or if it doesn't work. If manual works, the chances are better that the CoA does not even trigger, in which case going through the logs (Collect Logs) then the events you are looking for are (probably, couldn't check) in the logfile postauthctrl.log. Aruba Support can assist in this as well as reading these logfiles are not something most customers/parters are used to.
'

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Aug 04, 2022 07:29 PM
From: Scott Doorey
Subject: Post-Authentication Session-Check in MAC auth workflow

Hi Colin,

 

Yes COA is enabled and working manually from access tracker.

 

Scott

 

Original Message:
Sent: 8/4/2022 7:25:00 PM
From: cjoseph
Subject: RE: Post-Authentication Session-Check in MAC auth workflow

Do you have radius interim accounting also enabled on the NAS?

EDIT:  Do you also have COA configured?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Aug 04, 2022 06:51 PM
From: Scott Doorey
Subject: Post-Authentication Session-Check in MAC auth workflow

Hey Airheads,

I'm trying to build up a PoC whic requires  Guest + MAC auth but with a limitation on concurrent sessions. 

Understanding you can perform unique device checks during the registration / MAC caching process to prevent the devices from being enrolled, i have a scenario where i'm using Azure AD logins for a BYOD workflow. This means we can't do the usual pre-auth application enforcement in ClearPass to check the unique device count in the endpoint repo. 

So what i'm trying to do is deliver a solution where users can auth as many devices  though Azure but they can only have 2-3 connected concurrently. 

My idea was to use the post authentication session-check enforcement to identify excess concurrent sessions and disconnect those in excess of the limit. 

Despite my best efforts i can't seem to get CPPPM to take any action when too many devices are connected under one account. 

Has anybody got this working? I'm playing in 6.10.5 version. 

Radius accounting is enabled and can see the device records