M-W
Occasional Contributor II
Posts: 14
Registered: ‎04-25-2012

BYOD Account Expiry Management

Hi All,

If possible, I'd like to obtain some input around the management of expiring Guest accounts within Clearpass.

We're currently running Aruba OS 6.3.1.16 and Clearpass 6.5.2 providing both Open and Dot1x networks for Guest and Staff BYOD users.

What I'd like to investigate is whether Clearpass is able to utilise Insight to look at the account lifetime and then pick out accounts which are due to expire within a week. If the match is made, upon authentication, an attribute is passed back to the controller to place the user into a role which presents them with an expiry warning web page upon initial browsing. The user can click continue on this page and is then dropped into their authenticated role and can continue browsing the internet.

So I guess the questions I'm looking to answer are:

- Can Clearpass utilise Insight in this way to allow us to pass back an attribute to place the user into this expiry role?
- By using a captive portal profile on the expiry role, can a web page be presented to the user that can then provide a link to allow the user to continue working?
- Could this be tied into an Open Network and a Dot1x network?

Any thoughts on this would be greatly appreciated. If I'm missing something quite obvious that would stop this in its infancy please do let me know. Just in case I'm going down a bit of a rabbit hole here!

MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: BYOD Account Expiry Management

If you look at your Access Tracker > Input > Computed Attributes

And use the GuestUser: "do_expire" / "expire_postlogin" attribute to make the decisions you are looking to make in your Enforcement Policy to return a different role based on that criteria

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
M-W
Occasional Contributor II
Posts: 14
Registered: ‎04-25-2012

Re: BYOD Account Expiry Management

Hi Victor,

Thank you for your response. Looking at these attributes, I'm unsure whether they could be used to highlight an account which is due to expire in 1 week's time. Is that entirely possible or would this have to be done using another method (if possible at all)?

MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: BYOD Account Expiry Management

My bad, gave you the wrong info.

But if you use the RemainingExpiration time (based in seconds) you can use this information to make the decision to send a new role:

Note: Make sure you add the Guest User Repository as an Authorization Source

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
M-W
Occasional Contributor II
Posts: 14
Registered: ‎04-25-2012

Re: BYOD Account Expiry Management

Ah that certainly looks like something we can make use of. Thank you!

Do you have any thoughts on using a second landing page to advise the user of the upcoming expiry? My thoughts are the 'expiry' role will have a captive portal profile assigned that directs the user to a page on Clearpass. They would need to accept a message on this page to continue browsing, and by doing that would be placed into an authenticated role.

MVP
Posts: 4,225
Registered: ‎07-20-2011

Re: BYOD Account Expiry Management

Yes, the role you will return needs to have its own Captive Portal Profile pointing to the new page.

You can create a Web Login just using an Anonymous account.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA