Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Attribute assistance; time manipulation

  • 1.  Attribute assistance; time manipulation

    Posted Oct 01, 2016 09:10 AM

    Hi team,

     

    I have an attribute value defined as,

     

    'Mac Auth Expiry' = %{Authorization:[Time Source]:Now Plus 90 days}

    (Where 'Now Plus 90 days' is an attribute defined in [Time Source].. no issues here.  That works fine.)

     

    I want to define another attribute of 'Mac Auth Remaining Expiration' which is basically something in the order of,

     


    'CASE WHEN Mac Auth Expiry > EPOCH FROM NOW() THEN CAST(EXTRACT(EPOCH FROM (Mac Auth Expiry - NOW())) AS INTEGER) ELSE 0 END AS Mac Auth Expiration Remaining'


    SQL wise that is...

     

    A 'remaining' leveraging EPOCH NOW minus the prior attribute.

     

    Thoughts ?



  • 2.  RE: Attribute assistance; time manipulation

    EMPLOYEE
    Posted Oct 01, 2016 09:18 AM
    Where is the original MAC-auth expiration defined?

    Also, why not use the built-in MAC-caching logic which does not require any custom queries.


  • 3.  RE: Attribute assistance; time manipulation

    Posted Oct 01, 2016 09:28 AM

    Type = Endpoint

    Name = Mac Auth Expiry

    Value = %{Authorization:[Time Source]:Now Plus 90 days}

     

    Defined as post-auth type enforcement profile.

     

    You mean the 'Device MAC Authentication' template ?

    That has aging examples in it ?



  • 4.  RE: Attribute assistance; time manipulation

    EMPLOYEE
    Posted Oct 01, 2016 09:31 AM
    All you have to do is compare the current time to the endpoint MAC-auth expiry attribute in either your role map or enforcement policy. No custom SQL queries are required. This is a standard set up for guest authentication but will work with anything.


  • 5.  RE: Attribute assistance; time manipulation

    Posted Oct 01, 2016 09:55 AM

    There is the Guest 'MAC Caching' service template that does do the basic, NOW LESS THAN '%{Endpoint:mac auth expiry}'.

    But, it's basic.. and the operators are just as basic.  I.e. GREATER_THAN, GREATER_THAN_OR_EQUALS.. etc.

     

    I want to do a RADIUS 'Session-Timeout'.. so it needs to be literally, 'current set mac auth expiry minus now'..

    Similar to how the guest database has the prior quoted sql to do the 'expiration'.



  • 6.  RE: Attribute assistance; time manipulation

    Posted Oct 01, 2016 09:56 AM

    I'll get the SQL built. All good.



  • 7.  RE: Attribute assistance; time manipulation

    Posted Oct 23, 2018 02:15 PM

    Any advancement on this? I'm looking to do this with a session timer as well. Mac-Auth Expiry minus now converted to integer for a switch session timer.



  • 8.  RE: Attribute assistance; time manipulation

    Posted Oct 25, 2018 04:30 PM

    Have you tried

     

    Radius:IETF Session-Timeout = %{Authorization:[Guest User Repository]:RemainingExpiration}

     

    This is the default guest session timeout profile.



  • 9.  RE: Attribute assistance; time manipulation

    Posted Oct 01, 2016 09:31 AM

    And no existing attributes sitting in the [Endpoint Repo].. that help with MAC Caching examples.
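
The remaining-seconds calculation discussed in this thread, written as a standalone PostgreSQL query. This is an added example, not code from any poster and not ClearPass's own filter. The table `endpoint_sample` and its columns are hypothetical, constructed sample data, since the ClearPass endpoint schema does not appear on this page.

```sql
-- Constructed sample data: this temp table is hypothetical and is NOT the ClearPass schema.
CREATE TEMP TABLE endpoint_sample (
    mac             text PRIMARY KEY,
    mac_auth_expiry timestamptz              -- NULL means the attribute was never set
);

INSERT INTO endpoint_sample (mac, mac_auth_expiry) VALUES
    ('001122334455', NOW() + INTERVAL '90 days'),    -- freshly cached device
    ('001122334456', NOW() + INTERVAL '10 minutes'), -- about to expire
    ('001122334457', NOW() - INTERVAL '1 day'),      -- already expired
    ('001122334458', NULL);                          -- no expiry recorded

-- Seconds left until expiry, as an integer suitable for a timeout value.
-- The comparison is timestamp against timestamp; the epoch conversion is applied
-- only to the resulting interval. Expired rows and NULL rows both fall through
-- to ELSE, so the result is never negative and never NULL.
SELECT mac,
       CASE
           WHEN mac_auth_expiry > NOW()
           THEN CAST(EXTRACT(EPOCH FROM (mac_auth_expiry - NOW())) AS INTEGER)
           ELSE 0
       END AS mac_auth_remaining_expiration
FROM endpoint_sample
ORDER BY mac;
```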