802.1X Concurrent Connection Limit as a new feature in 6.6.r1 for NPS too?

  • 1
  • Question
  • Updated 1 year ago
New upgrade has just arrived 6.6.r1 with new feature:

802.1X Concurrent Connection LimitAerohive RADIUS servers can limit the number of concurrent sessions that a user can maintain. Although it is
common for users to possess multiple network-enabled devices, it is sometimes necessary to discourage their
concurrent use for security reasons. When you are logged in as a superuser, you can limit a user to a specific
number of devices that can connect to the network simultaneously

Can this be used somehow with NPS radius or this is strictly for Aerohive Radius AP as a server?
Photo of MST

MST

  • 152 Posts
  • 3 Reply Likes

Posted 3 years ago

  • 1
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi MST,

The new feature is strictly for Aerohive's own RADIUS implementation.

But... A lot of work has gone in to HiveOS 6.6r1 to facilitate session tracking elsewhere in code that handles/tracks RADIUS accounting information in a state machine. (Such as an extension to a RADIUS server that implements this.)

Such extensions can then limit concurrent sessions based on the information that is held there.

The enhancements in this area are documented in the release notes.

I hope that Joe Zhao and Mike Kouri don't hate me too much for my incessant badgering over all this for so long actually! :)

There is one defect in particular that made it through to release in HiveOS 6.6r1 that definitely stops session tracking from being able to take place reliably. (This occurred primarily due to me finding it too late in the release cycle when beta testing, so it is nobody else's fault but mine really...)

The particular issue is...

Acct-Multi-Session-Id is occasionally missing
HOS-2767

(The Acct-Multi-Session-Id is needed for tracking a client's connection over roams, which result in multiple RADIUS sessions being accounted for behind the scenes.)

I am trying via a VAR at the moment to get this issue raised to a CFD (Customer Found Defect) to try and get the most expedited resolution reasonably possible. Hopefully without treading on too many toes! :)

There are other open issues that can affect state machine correctness for session tracking, the most important of which is:

Acct-Session-Ids are not constructed to be unique
HOS-2772

I am hoping that the subsequent release to HiveOS 6.6r1 can include corrections for these, and a few other more minor issues raised.

We are close, but not quite there yet.

Kind regards,

Nick
Photo of Mike Kouri

Mike Kouri, Official Rep

  • 1030 Posts
  • 271 Reply Likes
We don't hate you. Personally I appreciate the occasional reminders because I know I am easily distracted and forget to
Photo of MST

MST

  • 152 Posts
  • 3 Reply Likes
Thank You Nick. 
Photo of Kevin Whelan

Kevin Whelan

  • 53 Posts
  • 2 Reply Likes
Is there any progress on this feature? really wanting to ditch PPSK but need this feature