Attribute assistance; time manipulation

Hi team,


I have an attribute value defined as,


'Mac Auth Expiry' = %{Authorization:[Time Source]:Now Plus 90 days}

(Where 'Now Plus 90 days' is an attribute defined in [Time Source].. no issues here.  That works fine.)


I want to define another attribute of 'Mac Auth Remaining Expiration' which is basically something in the order of,



'CASE WHEN Mac Auth Expiry > EPOCH FROM NOW() THEN CAST(EXTRACT(EPOCH FROM (Mac Auth Expiry - NOW())) AS INTEGER) ELSE 0 END AS Mac Auth Expiration Remaining'


SQL wise that is...


A 'remaining' leveraging EPOCH NOW minus the prior attribute.


Thoughts ?

Guru Elite

Re: [Time Source]; attribute assistance

Where is the original MAC-auth expiration defined?

Also, why not use the built-in MAC-caching logic which does not require any custom queries.

Tim Cappalli | Aruba Security TME
@timcappalli | | ACMX #367 / ACCX #480

Re: [Time Source]; attribute assistance

Type = Endpoint

Name = Mac Auth Expiry

Value = %{Authorization:[Time Source]:Now Plus 90 days}


Defined as post-auth type enforcement profile.


You mean the 'Device MAC Authentication' template ?

That has aging examples in it ?

Guru Elite

Re: [Time Source]; attribute assistance

All you have to do is compare the current time to the endpoint MAC-auth expiry attribute in either your role map or enforcement policy. No custom SQL queries are required. This is a standard set up for guest authentication but will work with anything.

Tim Cappalli | Aruba Security TME
@timcappalli | | ACMX #367 / ACCX #480

Re: [Time Source]; attribute assistance

And no existing attributes sitting in the [Endpoint Repo].. that help with MAC Caching examples.

Re: [Time Source]; attribute assistance

There is the Guest 'MAC Caching' service template that does do the basic, NOW LESS THAN '%{Endpoint:mac auth expiry}'.

But, it's basic.. and the operators are just as basic.  I.e. GREATER_THAN, GREATER_THAN_OR_EQUALS.. etc.


I want do a RADIUS 'Session-Timeout'.. so it needs to be literally, 'current set mac auth expiry minus now'..

Similar to how the guest database has the prior quoted sql to do the 'expiration'.

Re: [Time Source]; attribute assistance

I'll get the SQL built. All good.

Search Airheads
Showing results for 
Search instead for 
Did you mean: