How to add/update an attribute to an Endpoint

Aruba Employee

This article explains the steps to add an attribute to an Endpoint/MAC-address during the client authentication.

Examples :

1. Updating Endpoints as "Domain Machine" followed by successful Machine authentication. This will help us to identify the device as Domain Machine during the user authentication to assign proper access policies.

2. Adding the current date and time to an endpoint with an attribute called "Last Auth Time". The updated date/time will be useful to check the Last authentication time and  to cache authentication session.

 

Environment : ClearPass 6.0.x and above

 

Step 1: Creating the required endpoint attributes.

Navigate to Administration >> Dictionaries >> Attributes >> Add and create the attributes as shown in the below figures.

Note: Attributes entity should be "EndPoint" and Data Type can be selected as per your requirement.
Ex -1

 

rtaImage.png

 

Ex -2

rtaImage (1).png

Step 2: Creating Enforcement Profiles that can update the Attributes to Endpoint.
Navigate to Configuration >> Enforcement >> Profiles >> Add >> Set the Template as "ClearPass Entity Update Enforcement" and create the Profiles as shown below.

Ex -1
Here the sample enforcement profiler name is "Mark Domain Machine".

rtaImage (3).png

Ex -2
Use the following SQL query to get the current date and time during the client authentication.

SELECT to_timestamp(to_char(now(), 'YYYY-MM-DD HH24:MISmiley FrustratedS'), 'YYYY-MM-DD HH24:MISmiley FrustratedS') AS current_date_time

Running the above in any SQL DB will print the current date and time with the attribute  "current_date_time", which can be mapped to the Enforcement profile.

Sample output:
testdb=> SELECT to_timestamp(to_char(now(), 'YYYY-MM-DD HH24:MISmiley FrustratedS'), 'YYYY-MM-DD HH24:MISmiley FrustratedS') AS current_date_time;
   current_date_time
------------------------
 2014-11-27 16:27:10-08

Add the above query in any one of the Internal authentication sources like [Local User Repository]. Navigate to Configuration >> Authentication >> Sources >> [Local User Repository] >> Attributes >> Add More Filters and add the query as shown below.

rtaImage (4).png

Navigate to Configuration >> Enforcement >> Profiles >> Add >> Set the Template as "ClearPass Entity Update Enforcement" and create the Profiles as shown below.


Sample enforcement profile name is "Auth Time Update"

rtaImage (5).png

Note: The Value format should be "%{Authorization:[Local User Repository]:current_date_time}, because the [Local User Repository] will be used as authorization source to fetch the current date and time.

rtaImage (7).png

Step 3: Mapping the enforcement profiles to the Service.

Map the [Local User Repository] as the authorization source in the service to fetch the date and time.

rtaImage (8).png

Assigning the Entity Update Enforcement Profiles under the Enforcement Policy >> Conditions as shown below to update the Endpoint attributes during the client authentication

rtaImage (9).png

Mapping the [Local User Repository] with the added SQL query as authorization source will fetch the current date and time during the authentication and the output will be updated as Last Auth Time to the Endpoint.

Sample output from ClearPass access tracker.

 

rtaImage (10).png

Mapping the Entity Update Enforcement Profiles in the Service will update the endpoint with the attributes "Domain Machine" and "Last Auth Time".

Below output from the Access Tracker confirms that the Attributes are update to the Endpoint with respective values.

rtaImage (11).png

The updated attributes can be located, when you view the client MAC address under Configuration >> Identity >> Endpoints.

rtaImage (12).png

Version history
Revision #:
1 of 1
Last update:
‎04-08-2015 07:05 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: