Security

Reply
Occasional Contributor II
Posts: 16
Registered: ‎03-11-2015

ClearPass Guest Extend Expire Time

Hello,

My organization wants to extend the expire time for guest accounts by 30 days on each successful login.  This would result in a guest account remaining valid indefinitely as long as it was used within 30 days of last login and would expire if not used in 30 days.

 

I have found some examples of similar requests, but most do not have a full solution, and one suggests writing directly the database tables, which I am not excited about. 

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-rolling-expiry-timers/td-p/137181

 

I was hopeful I could accomplish this with an enforcement profile.  There is a ‘ClearPass Entity Update Enforcement’ of:

Type: Expire-Time-Update
Name: GuestUser

 

Is my goal the intent of this attribute?  If so, can someone assist me with the proper value syntax?

 

I have also attempted by creating a dictionary attribute in CPPM for the expire_time field from entity GuestUser and manipulating it via an enforcement profile with no good results. 

 

If anyone knows another/better approach to this solution, please direct me.

 

Thank you in advance.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass Guest Extend Expire Time

Do you want to do this every time the user logs in at the web login or everytime their device re-authenticates to the network (MAC-caching)? 

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 16
Registered: ‎03-11-2015

Re: ClearPass Guest Extend Expire Time

Preferably both, but if the MAC caching element makes it too complicated, could probably work with allowing MAC caching for a short period of time (day/week) and then advance expire date on next web login.

 

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass Guest Extend Expire Time

MAC caching would actually be easier and more user friendly. You can simply add a post auth enforcement profile to the MAC auth that changes the MAC-auth Expiry to "now+30d". 

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 32
Registered: ‎10-05-2010

Re: ClearPass Guest Extend Expire Time

I have a group looking for something similar to what is described.  Cappalli suggests using an enforcement profile in the Mac auth to change the "mac-auth expiry" value.  I have attempted to do this without success.  Currently running 6.6x of Clearpass and the only value allowed is an exact date and time for the attribute. Adding "now()+(n)days" does not pass the validation for the attribute.

 

error is :

Value "now()+30 days" must have hh:mm:ss format (e.g., 17:05:55) 

 

I am currently using the "Self-Validated" model by Michael Clarke and would like to work this in some how.  Any assistance would be appreciated.

 

Thanks

Search Airheads
Showing results for 
Search instead for 
Did you mean: