I already tried it in 6.10 it seems not working . since 6.10 is out of support we tried to upgrade to 6.11 then 6.12 and applied this query then it able to work based on our preference. anyway, thanks for the confirmation
-------------------------------------------
Original Message:
Sent: Jan 06, 2026 02:30 AM
From: chulcher
Subject: CLEARPASS ACTIVE SESSION LIMIT
I probably created these queries on ClearPass 6.8 and 6.9, but no guarantees that they'd work on older versions as there were some security changes/cleanup done that made many of the custom queries non-functional for a bit.
------------------------------
Carson Hulcher, ACEX#110
------------------------------
Original Message:
Sent: Jan 06, 2026 02:04 AM
From: ajorigenes17
Subject: CLEARPASS ACTIVE SESSION LIMIT
For this to work, you must be running ClearPass version 6.12 or later. ClearPass versions 6.10 and earlier use only the UserDB/TipsDB databases.Starting with ClearPass 6.12, AppExternal is now supported, which allows the use of custom database queries.
Original Message:
Sent: Dec 09, 2024 08:22 AM
From: Alex
Subject: CLEARPASS ACTIVE SESSION LIMIT
Hi do you have a working configuration sample with this?
Original Message:
Sent: Nov 21, 2024 11:45 AM
From: chulcher
Subject: CLEARPASS ACTIVE SESSION LIMIT
Counts all active sessions that show activity within the last two days.
My version of the query looks at the last updated column and counts all sessions that aren't the current.
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-PreAuth-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings for Application/WebAuth where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND LEFT(ssid,LENGTH('%{Application:WebLoginURL:essid}')) = '%{Application:WebLoginURL:essid}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-PreAuth-User, Integer
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-User, Integer
******
[Insight Repository]
+++++++++++++
ARUBA VERSION
New filter "Custom-ConcurrentSessions-Endpoint" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Endpoint:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Endpoint:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-Endpoint, Integer
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Nov 21, 2024 11:17 AM
From: ajorigenes17
Subject: CLEARPASS ACTIVE SESSION LIMIT
And also what is the purpose of this query?
AND start_time >= NOW() - INTERVAL '2 day' AND end_time is NULL;
Original Message:
Sent: Nov 21, 2024 09:50 AM
From: chulcher
Subject: CLEARPASS ACTIVE SESSION LIMIT
You can see this by looking at the query for the filter.
SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >= NOW() - INTERVAL '2 day' AND end_time is NULL;
The query counts all currently active sessions associated with the username or the active MAC address.
To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once. Or you could look at enabling 802.11r to prevent the full reauthentication on roam.
------------------------------
Carson Hulcher, ACEX#110