MVP
Posts: 77
Registered: ‎03-09-2015

Attribute assistance; time manipulation

Hi team,

 

I have an attribute value defined as,

 

'Mac Auth Expiry' = %{Authorization:[Time Source]:Now Plus 90 days}

(Where 'Now Plus 90 days' is an attribute defined in [Time Source].. no issues here.  That works fine.)

 

I want to define another attribute of 'Mac Auth Remaining Expiration' which is basically something in the order of,

 

'CASE WHEN Mac Auth Expiry > EPOCH FROM NOW() THEN CAST(EXTRACT(EPOCH FROM (Mac Auth Expiry - NOW())) AS INTEGER) ELSE 0 END AS Mac Auth Expiration Remaining'

SQL-wise that is...

 

A 'remaining' leveraging EPOCH NOW minus the prior attribute.

 

Thoughts ?

Guru Elite
Posts: 8,338
Registered: ‎09-08-2010

Re: [Time Source]; attribute assistance

Where is the original MAC-auth expiration defined?

Also, why not use the built-in MAC-caching logic, which does not require any custom queries?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 77
Registered: ‎03-09-2015

Re: [Time Source]; attribute assistance

Type = Endpoint

Name = Mac Auth Expiry

Value = %{Authorization:[Time Source]:Now Plus 90 days}

 

Defined as post-auth type enforcement profile.

 

You mean the 'Device MAC Authentication' template ?

That has aging examples in it ?

Guru Elite
Posts: 8,338
Registered: ‎09-08-2010

Re: [Time Source]; attribute assistance

All you have to do is compare the current time to the endpoint MAC-auth expiry attribute in either your role map or enforcement policy. No custom SQL queries are required. This is a standard setup for guest authentication but will work with anything.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 77
Registered: ‎03-09-2015

Re: [Time Source]; attribute assistance

And no existing attributes sitting in the [Endpoint Repo].. that help with MAC Caching examples.

MVP
Posts: 77
Registered: ‎03-09-2015

Re: [Time Source]; attribute assistance

There is the Guest 'MAC Caching' service template that does do the basic, NOW LESS THAN '%{Endpoint:mac auth expiry}'.

But, it's basic.. and the operators are just as basic.  I.e. GREATER_THAN, GREATER_THAN_OR_EQUALS.. etc.

 

I want to do a RADIUS 'Session-Timeout'.. so it needs to be literally, 'current set mac auth expiry minus now'..

Similar to how the guest database has the prior quoted sql to do the 'expiration'.

MVP
Posts: 77
Registered: ‎03-09-2015

Re: [Time Source]; attribute assistance

I'll get the SQL built. All good.
