Limiting 1 device per user name on WLC 3500 Series using Radius

GiovanniN1991
Level 1

Good morning,

I have a 3500 series WLC running software version 8.5.131.0, connected to a FreeRadius server (with Daloradius GUI).

I would like to know if it is possible to manage the number of devices connected on a specific SSID, limiting each username to only one device.

I'm not capable of handling the number of simultaneous logins via the RADIUS server, so, since I can see the username used to connect in the Clients tab of the WLC, I was wondering if I have the chance to use this information to limit logins to 1 device only per user name.

Thank you in advance.


G

3 Replies

Leo Laohoo
Hall of Fame
  1. Security > AAA > Disabled Clients > User Login Policies.  
  2. Change the "0" (default) to "1".

Hi Leo,

Thank you for answering. I've already found this tip in the forum, but it didn't work. I must also say that the user we used for testing purposes already had 2 devices logged in (which didn't get disconnected), and was also able to add a third one.

The culprit may be related to this: "1. When using 802.1X security make sure max-login-ignore-identity-response is disabled"

I can't find this setting in the GUI.

Can you help me with that?

Do I have to do something in particular after limiting Login to 1 to test it out?

For those that end up with this same issue:

Set User Login Policies to 1 as @Leo Laohoo said, then go to Security > Advanced EAP to disable max-login-ignore-identity-response.

Devices that were logged in BEFORE the policy was enforced will not be kicked out and are not counted toward reaching the max-1-login-per-user limit, so you still have one empty slot to log another device.

Be sure to test these settings using at least 2 different devices to be sure that everything is working as expected.
