Security

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

And also what is the purpose of this query?

 AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

Counts all active sessions that show activity within the last two days.

My version of the query looks at the last updated column and counts all sessions that aren't the current.

And also what is the purpose of this query?

 AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

Thank you for this, after we apply the configuration, it works fine based on our preference. what does this mean in query ? AND updated_at > now() - interval '12 minutes' 

Counts all active sessions that show activity within the last two days.

My version of the query looks at the last updated column and counts all sessions that aren't the current.

And also what is the purpose of this query?

 AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

Counts all active sessions that show activity within the last two days.

My version of the query looks at the last updated column and counts all sessions that aren't the current.

And also what is the purpose of this query?

 AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

Hi do you have a working configuration sample with this? 

Counts all active sessions that show activity within the last two days.

My version of the query looks at the last updated column and counts all sessions that aren't the current.

And also what is the purpose of this query?

 AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

For this to work, you must be running ClearPass version 6.12 or later. ClearPass versions 6.10 and earlier use only the UserDB/TipsDB databases.Starting with ClearPass 6.12, AppExternal is now supported, which allows the use of custom database queries.

Original Message:
Sent: Dec 09, 2024 08:22 AM
From: Alex
Subject: CLEARPASS ACTIVE SESSION LIMIT

Hi do you have a working configuration sample with this? 

Original Message:
Sent: Nov 21, 2024 11:45 AM
From: chulcher
Subject: CLEARPASS ACTIVE SESSION LIMIT

Counts all active sessions that show activity within the last two days.

My version of the query looks at the last updated column and counts all sessions that aren't the current.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 21, 2024 11:17 AM
From: ajorigenes17
Subject: CLEARPASS ACTIVE SESSION LIMIT

And also what is the purpose of this query?

 AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

Original Message:
Sent: Nov 21, 2024 09:50 AM
From: chulcher
Subject: CLEARPASS ACTIVE SESSION LIMIT

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 21, 2024 07:23 AM
From: ajorigenes17
Subject: CLEARPASS ACTIVE SESSION LIMIT

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?

I probably created these queries on ClearPass 6.8 and 6.9, but no guarantees that they'd work on older versions as there were some security changes/cleanup done that made many of the custom queries non-functional for a bit.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Jan 06, 2026 02:04 AM
From: ajorigenes17
Subject: CLEARPASS ACTIVE SESSION LIMIT

For this to work, you must be running ClearPass version 6.12 or later. ClearPass versions 6.10 and earlier use only the UserDB/TipsDB databases.Starting with ClearPass 6.12, AppExternal is now supported, which allows the use of custom database queries.

Original Message:
Sent: Dec 09, 2024 08:22 AM
From: Alex
Subject: CLEARPASS ACTIVE SESSION LIMIT

Hi do you have a working configuration sample with this? 

Original Message:
Sent: Nov 21, 2024 11:45 AM
From: chulcher
Subject: CLEARPASS ACTIVE SESSION LIMIT

Counts all active sessions that show activity within the last two days.

My version of the query looks at the last updated column and counts all sessions that aren't the current.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 21, 2024 11:17 AM
From: ajorigenes17
Subject: CLEARPASS ACTIVE SESSION LIMIT

And also what is the purpose of this query?

 AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

Original Message:
Sent: Nov 21, 2024 09:50 AM
From: chulcher
Subject: CLEARPASS ACTIVE SESSION LIMIT

You can see this by looking at the query for the filter.

SELECT COUNT(*) AS active_count FROM radius_acct WHERE (username = '%{Authentication:Username}' OR calling_station_id = '%{Connection:Client-Mac-Address-NoDelim}') AND start_time >=  NOW() - INTERVAL '2 day' AND  end_time is NULL;

The query counts all currently active sessions associated with the username or the active MAC address.

To prevent what you are seeing you would want to create a new filter with a query that only counts the current username + MAC address combination once.  Or you could look at enabling 802.11r to prevent the full reauthentication on roam.

------------------------------
Carson Hulcher, ACEX#110

Original Message:
Sent: Nov 21, 2024 07:23 AM
From: ajorigenes17
Subject: CLEARPASS ACTIVE SESSION LIMIT

Good Day,

We have implemented 802.1X authentication at our university to manage network access for over 1,200 users daily. Recently, the client requested limiting active user sessions to a maximum of three devices per user.

Initially, we configured the enforcement policy using unique device counts, which worked as expected. However, we encountered an issue: if a user's device employs randomized MAC addresses, we must either remove these entries from the endpoint repository or manually use the actual MAC address of the device. This process occurs frequently and has become a challenge.

To address this, we shifted to using an active session count approach, which limits users to three active sessions. While this works as intended-rejecting new sessions if a user already has three active sessions-we have observed a recurring issue. Some users are being rejected by the network due to the active session limit, even when they are only using a single device or have just one active session recorded in the controller.

After extensive testing and analysis, we discovered that this issue occurs when a user roams between access points (APs), such as moving to a different room. The device re-authenticates with ClearPass, and this is counted as a new session, even though it's the same device with the same MAC address.

My questions are:

1. How can we prevent this issue from occurring?
2. How does the active session count feature actually work?