
How to add/update an attribute to an Endpoint 

Apr 08, 2015 10:05 AM

This article explains the steps to add an attribute to an Endpoint/MAC address during client authentication.

Examples:

1. Marking Endpoints as "Domain Machine" after successful Machine authentication. This helps us identify the device as a Domain Machine during user authentication so that the proper access policies can be assigned.

2. Adding the current date and time to an endpoint in an attribute called "Last Auth Time". The updated date/time is useful for checking the last authentication time and for caching the authentication session.

 

Environment: ClearPass 6.0.x and above

 

Step 1: Creating the required endpoint attributes.

Navigate to Administration >> Dictionaries >> Attributes >> Add and create the attributes as shown in the figures below.

Note: The attribute's Entity should be "EndPoint"; the Data Type can be selected as per your requirement.
Ex -1

 

rtaImage.png

 

Ex -2

rtaImage (1).png

Step 2: Creating Enforcement Profiles that update the attributes on the Endpoint.
Navigate to Configuration >> Enforcement >> Profiles >> Add >> Set the Template as "ClearPass Entity Update Enforcement" and create the Profiles as shown below.

Ex -1
Here the sample enforcement profile name is "Mark Domain Machine".

rtaImage (3).png

Ex -2
Use the following SQL query to get the current date and time during the client authentication.

SELECT to_timestamp(to_char(now(), 'YYYY-MM-DD HH24:MI:SS'), 'YYYY-MM-DD HH24:MI:SS') AS current_date_time

Running the above in any SQL DB will print the current date and time with the attribute "current_date_time", which can be mapped to the Enforcement profile.

Sample output:
testdb=> SELECT to_timestamp(to_char(now(), 'YYYY-MM-DD HH24:MI:SS'), 'YYYY-MM-DD HH24:MI:SS') AS current_date_time;
   current_date_time
------------------------
 2014-11-27 16:27:10-08

Add the above query to one of the internal authentication sources, such as [Local User Repository]. Navigate to Configuration >> Authentication >> Sources >> [Local User Repository] >> Attributes >> Add More Filters and add the query as shown below.

rtaImage (4).png

Navigate to Configuration >> Enforcement >> Profiles >> Add >> Set the Template as "ClearPass Entity Update Enforcement" and create the Profiles as shown below.


The sample enforcement profile name is "Auth Time Update".

rtaImage (5).png

Note: The Value format should be "%{Authorization:[Local User Repository]:current_date_time}", because the [Local User Repository] will be used as the authorization source to fetch the current date and time.

rtaImage (7).png

Step 3: Mapping the enforcement profiles to the Service.

Map the [Local User Repository] as the authorization source in the service to fetch the date and time.

rtaImage (8).png

Assign the Entity Update Enforcement Profiles under Enforcement Policy >> Conditions as shown below to update the Endpoint attributes during client authentication.

rtaImage (9).png

Mapping the [Local User Repository], with the added SQL query, as the authorization source fetches the current date and time during authentication, and the output is written to the Endpoint as Last Auth Time.

Sample output from ClearPass access tracker.

 

rtaImage (10).png

Mapping the Entity Update Enforcement Profiles in the Service will update the endpoint with the attributes "Domain Machine" and "Last Auth Time".

The output below from the Access Tracker confirms that the attributes are updated on the Endpoint with the respective values.

rtaImage (11).png

The updated attributes can be found by viewing the client MAC address under Configuration >> Identity >> Endpoints.

rtaImage (12).png
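An added example, not part of the original article or of ClearPass: a small Python audit that flags endpoints still marked "Domain Machine" whose "Last Auth Time" is missing or old, parsing the timestamp form shown in the sample output above (hour-only offset such as `-08`). The record layout, the `"true"` value for Domain Machine, and the 24-hour `MAX_AGE` window are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: how long a machine-authentication mark is trusted (hypothetical).
MAX_AGE = timedelta(hours=24)

def parse_last_auth(value):
    """Parse a timestamp shaped like the article's sample output,
    e.g. '2014-11-27 16:27:10-08' (hour-only UTC offset)."""
    value = value.strip()
    # strptime's %z needs at least +HHMM, so pad an hour-only offset.
    if re.search(r"[+-]\d{2}$", value):
        value += "00"
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z")

def audit(endpoints, now):
    """Return (mac, reason) for endpoints marked Domain Machine whose
    Last Auth Time is missing, unparseable, or older than MAX_AGE."""
    findings = []
    for ep in endpoints:
        attrs = ep.get("attributes", {})
        # Assumption: the attribute is stored as the string "true".
        if str(attrs.get("Domain Machine", "")).lower() != "true":
            continue
        raw = attrs.get("Last Auth Time")
        if not raw:
            findings.append((ep["mac"], "no Last Auth Time"))
            continue
        try:
            age = now - parse_last_auth(raw)
        except ValueError:
            findings.append((ep["mac"], "unparseable Last Auth Time"))
            continue
        if age > MAX_AGE:
            findings.append((ep["mac"], "stale"))
    return findings

# Constructed sample records (not real devices).
SAMPLE = [
    {"mac": "001122334455", "attributes": {
        "Domain Machine": "true", "Last Auth Time": "2014-11-27 16:27:10-08"}},
    {"mac": "0011223344aa", "attributes": {
        "Domain Machine": "true", "Last Auth Time": "2014-11-20 09:00:00-08"}},
    {"mac": "0011223344bb", "attributes": {"Domain Machine": "true"}},
    {"mac": "0011223344cc", "attributes": {
        "Last Auth Time": "2014-11-01 09:00:00-08"}},
]
NOW = datetime(2014, 11, 28, tzinfo=timezone(timedelta(hours=-8)))
```

Calling `audit(SAMPLE, NOW)` returns the second record as stale and the third as lacking a timestamp; the fourth is skipped because it carries no Domain Machine mark.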
