AAA, NAC, Guest Access & BYOD

How to enforce Onboarding client certificate validity based on guest user’s expiration time

Aruba Employee

When guest users are allowed to Onboard devices, the client certificate is valid for the fixed duration defined in CA -> Certificate issuing -> Validity period. As a result, a user can still authenticate successfully even after the guest account used to Onboard the device has expired.

 

Environment: ClearPass configured for device Onboarding using guest accounts to perform TLS authentication.

 

Create an application-based enforcement profile with attribute ClearPass:Session-Timeout => %{Authorization:[Guest User Repository]:RemainingExpiration}.

 


 

Enable Authorization in the Onboarding authorization service and select the guest user repository as the authorization source.

 


 

Update the Onboarding authorization service -> Enforcement policy so that, if the authorization source equals the guest user repository, the enforcement profile created above is assigned.

 


 

To dynamically set the certificate validity period based on the guest user's remaining expiration, we can update the Onboarding authorization service -> Enforcement policy to apply an application-based enforcement profile with ClearPass:Session-Timeout set from the guest user's remaining expiration time.

 

After making the configuration changes described above, try Onboarding a device using an account from the guest user repository.

From Access tracker -> Onboarding authorization request, we can check the remaining expiration time calculated for the guest user and the enforcement profile applied.

 


 

From Access tracker -> Onboarding authorization request, we can check the session timeout value applied for the authorization request.

 


 

Go to Onboard -> Management and Control -> View by Certificate, then filter for the newly created client certificate to view its validity period.
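Certificates issued before this change keep their fixed validity period, so it is worth auditing them against guest account expiry. The following is an added example, not part of the original article or ClearPass itself: it assumes the certificate list and the guest accounts have been exported to CSV with hypothetical column names (`serial`, `username`, `not_after`, `expire_time`) and UTC timestamps, and uses constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp format of the exports (UTC)

# Constructed sample exports; the column names are assumptions, not ClearPass's own.
GUESTS_CSV = """username,expire_time
alice@example.com,2015-04-10 18:00:00
bob@example.com,2015-04-09 12:00:00
carol@example.com,
"""
CERTS_CSV = """serial,username,not_after
01,alice@example.com,2015-04-10 18:00:00
02,bob@example.com,2016-04-08 07:00:00
03,carol@example.com,2016-04-08 07:00:00
04,dave@example.com,2016-04-08 07:00:00
"""

def _ts(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def audit(guests_csv, certs_csv, skew=timedelta(minutes=5)):
    """Return (serial, username, finding) for each cert not bounded by its guest account."""
    guests = {r["username"].lower(): r["expire_time"].strip()
              for r in csv.DictReader(io.StringIO(guests_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(certs_csv)):
        user = row["username"].lower()
        if user not in guests:
            # Not a guest-issued cert (or the account was deleted): review manually.
            findings.append((row["serial"], user, "no-guest-account"))
        elif not guests[user]:
            # Account has no expiry, so nothing bounds the certificate lifetime.
            findings.append((row["serial"], user, "guest-never-expires"))
        elif _ts(row["not_after"]) > _ts(guests[user]) + skew:
            # The problem this article fixes: cert still valid after the guest expires.
            findings.append((row["serial"], user, "cert-outlives-guest"))
    return findings

if __name__ == "__main__":
    for serial, user, finding in audit(GUESTS_CSV, CERTS_CSV):
        print(f"{finding:22} serial={serial} user={user}")
```

Certificates reported as `cert-outlives-guest` were issued with the fixed CA validity period and are candidates for revocation once the guest account expires.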

 


Version history: Revision 1 of 1. Last update: 04-08-2015 07:22 AM