We might have a requirement where we want to display the terms page once a day for users who are authenticating through ClearPass with 802.1x authentication. So if a user comes in today and authenticates to the 802.1x network, he should see the terms page the first time today and not see it again for the rest of the same day. When the same user comes back tomorrow or any time later, he should see the terms page again.
This can be achieved by using a server initiated login on ClearPass where the user can be put in a captive portal role on the Aruba Controller after authentication on the 802.1x network. The captive portal page needs to be mapped as the webpage we create on ClearPass with the accept terms page which in its configuration has a server initiated login.
We need to create a new web login page and check this box to display the terms and conditions
The vendor settings need to be chosen as Aruba Networks with the login-method as Server Initiated
As the user has already entered their username and password, we should not ask the user for the username and password again but just make them accept the terms. For that there is an option under Login Form called "Authentication" which needs to be configured to "Anonymous". When the authentication is set to Anonymous, even though the user does not enter a username and password, we still need a username and password to complete the authentication, hence we also check the box "Auto-Generate" so that ClearPass generates that username and password automatically.
The Pre-Auth Check needs to be set to Local
Once this is done we have the webpage ready to display the terms. The controller configuration for the user-role that brings the user to this captive portal page is similar to a typical captive portal configuration and that configuration is beyond the scope of this article.
Once the user accepts the terms page and attempts the login, ClearPass gets a WebAuth request, and we need to create a service on ClearPass of type Web-based Authentication to handle that.
The Web Auth service we are going to create is going to do 2 things for us
- Set an attribute on the Endpoint that marks the Terms-Accept Expiry Time which is used to take the user back to terms after a day
- Change the user-role on the controller to a full access role so that he can go out of the terms page
We need to create an attribute of type Endpoint Under Administration>>Dictionaries>>Attributes and click on Add
The Data Type needs to be Date-Time, Is Mandatory 'No' and Allow Multiple 'No'. The Name can be anything; in this example it is Terms-Accept-Expiry.
We need to update this attribute with the value of Date-Time when the Accept Terms will expire so if a user authenticates today then we need to update it with a Date-Time value of 'today 23:59'.
We need to add a new filter for computing that value which can be done on the [Time Source] authentication source
select date_trunc('day' , localtimestamp(0) + interval '1 day') - interval '1 second' as terms_accept_expiry
After clicking on Add Filter on the [Time Source] authentication source we need to configure the filter as below
After doing this we now have a value called "Terms Accept Expiry DT" that can be written to the endpoint attribute we created called Terms-Accept-Expiry. To do that we need to create an enforcement profile of type "ClearPass Entity Update Enforcement" as shown below.
After creating the above enforcement profile we also need to create an enforcement profile of type "Radius COA" to change the user-role of the user to the role that takes the user to the captive portal page.
We also need to add [Time Source] as an authorization source in the service configuration
The rules in the enforcement policy can be as shown below
We also need to make sure that our 802.1x service references the Terms-Accept-Expiry so that only users who are coming back the next day or later go to the terms page and the same user who comes back the same day goes directly to the post-authentication role.
For that we need to add [Time Source] as an authorization source in the 802.1x service also
The enforcement policy should look like below
where Full Access Role and Redirect to Terms page are enforcement profiles that return the respective Aruba User-Role.
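To make the expiry computation and the two enforcement decisions concrete, here is an added Python example (not ClearPass code; the in-memory endpoint dictionary, the MAC address and the returned role name are assumed placeholders). It reproduces the [Time Source] filter above and the rule logic of the WebAuth and 802.1x services:

```python
from datetime import datetime, timedelta


def terms_accept_expiry(now: datetime) -> datetime:
    """Same result as the [Time Source] filter on the page:
    date_trunc('day', localtimestamp(0) + interval '1 day') - interval '1 second'
    i.e. 'today 23:59:59' for the given local timestamp."""
    now = now.replace(microsecond=0)                      # localtimestamp(0)
    next_midnight = (now + timedelta(days=1)).replace(hour=0, minute=0, second=0)
    return next_midnight - timedelta(seconds=1)


def web_auth_accept(endpoints: dict, mac: str, now: datetime) -> dict:
    """WebAuth service: the Entity Update enforcement stamps the endpoint with
    Terms-Accept-Expiry, and the Radius CoA enforcement returns the post-auth role.
    (The endpoint store and role value are constructed for this example.)"""
    endpoints[mac] = {"Terms-Accept-Expiry": terms_accept_expiry(now)}
    return {"Aruba-User-Role": "full-access"}


def dot1x_enforcement(endpoints: dict, mac: str, now: datetime) -> str:
    """802.1x service rule: if the endpoint carries a Terms-Accept-Expiry that has not
    passed yet, return Full Access Role; otherwise send the user to the terms page."""
    expiry = endpoints.get(mac, {}).get("Terms-Accept-Expiry")
    if expiry is not None and now <= expiry:
        return "Full Access Role"
    return "Redirect to Terms page"


if __name__ == "__main__":
    store = {}                                           # constructed endpoint database
    mac = "00:11:22:33:44:55"                            # constructed client MAC
    first = datetime(2024, 3, 5, 10, 15, 0)
    print(dot1x_enforcement(store, mac, first))          # Redirect to Terms page
    print(web_auth_accept(store, mac, first))            # CoA to full-access role
    print(dot1x_enforcement(store, mac, datetime(2024, 3, 5, 18, 0)))   # Full Access Role
    print(dot1x_enforcement(store, mac, datetime(2024, 3, 6, 0, 0)))    # Redirect to Terms page
```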
Please note that ClearPass needs to be mapped as an RFC-3576 Server in the AAA profile for this configuration to work.
Connect a new device to the network and you would see the terms page
Once you click Accept you should see a WebAuth request in ClearPass for which the Output should be like shown below
The COA is triggered based on the NAS-IP-Address from the previous authentication request with the same MAC address. We should be able to see the COA tab in the Access Tracker entry for the authentication request that preceded the WebAuth.
The Status Message in the COA tab would give us a clear indication about how the COA went through. If the COA is successful that means that the user will be put in the post-auth role.
To verify that the user is not sent back to the terms page when they connect again the same day, we can connect the same device again; we should see that the Endpoint has Terms-Accept-Expiry tagged to it, and hence the device falls into the post-authentication role.