Occasional Contributor II
Posts: 19
Registered: ‎07-14-2015

ClearPass Guest Device Change Expire Time

Hi All

I am trying to extend a guest account expire time using an enforcement profile. My enforcement policy is "Expire-Time-Update - GuestUser = <Minutes until expiry>", but it will only let me reduce the expiry time, e.g. make it sooner, and not extend it. Is this by design or am I doing something wrong?

ClearPass is version 6.5.7

Thanks

Dave

MVP
Posts: 952
Registered: ‎04-13-2009

Re: ClearPass Guest Device Change Expire Time

Maybe try "Expire-Time-Update - GuestUser = now+1d" to extend by 1 day, for example.

EDIT: FYI, this should be a Post_Authentication Enforcement policy that is called post successful Guest MAC auth.

Cheers
James

Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: ClearPass Guest Device Change Expire Time

This should definitely work. Please open a TAC case.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,322
Registered: ‎09-08-2010

Re: ClearPass Guest Device Change Expire Time

That will not work. You can only use a value in minutes.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎07-14-2015

Re: ClearPass Guest Device Change Expire Time

Thanks for the suggestion, I just tried that and it doesn't work.

If the initial value is set to 24 hours and I set the value in the enforcement profile to 600 for example, it will set the expire time to now plus 10 hours, but only if that is sooner than the original expiry time. It won't let me change the expire time from 24 hours to 48 hours.

Thanks

Dave

Occasional Contributor II
Posts: 19
Registered: ‎07-14-2015

Re: ClearPass Guest Device Change Expire Time

Hi Tim

Yep, I am using a value in minutes. I will open a case as you suggest.

Thanks

Dave

Occasional Contributor II
Posts: 19
Registered: ‎07-14-2015

Re: ClearPass Guest Device Change Expire Time

I opened a TAC case for this and the response was that this is a limitation and an enforcement policy will only update the expiry time if it is sooner than the original time, set when the device is registered.

My first thought was to do it using SQL, but the appexternal login doesn't have sufficient privileges to update the tips_guest_users and you can't use appadmin with an authentication source.

I then thought about using the API, but the HTTP authentication source won't accept custom headers, so you can't include the authorization token, and doing this via an external server would just be too messy.

What I'm actually trying to achieve is a rolling expiry time, so the expiry time is updated to 90 days every time the device is authenticated. Has anyone managed to get this to work? I have found a few posts on the subject but it seems that all of those suggestions no longer work.

Thanks

Dave
