Security

Reply
Occasional Contributor II

ClearPass Guest Extend Expire Time

Hello,

My organization wants to extend the expire time for guest accounts by 30 days on each successful login.  This would result in a guest account remaining valid indefinitely as long as it was used within 30 days of last login and would expire if not used in 30 days.

 

I have found some examples of similar requests, but most do not have a full solution, and one suggests writing directly the database tables, which I am not excited about. 

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-rolling-expiry-timers/td-p/137181

 

I was hopeful I could accomplish this with an enforcement profile.  There is a ‘ClearPass Entity Update Enforcement’ of:

Type: Expire-Time-Update
Name: GuestUser

 

Is my goal the intent of this attribute?  If so, can someone assist me with the proper value syntax?

 

I have also attempted by creating a dictionary attribute in CPPM for the expire_time field from entity GuestUser and manipulating it via an enforcement profile with no good results. 

 

If anyone knows another/better approach to this solution, please direct me.

 

Thank you in advance.

Guru Elite

Re: ClearPass Guest Extend Expire Time

Do you want to do this every time the user logs in at the web login or everytime their device re-authenticates to the network (MAC-caching)? 

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass Guest Extend Expire Time

Preferably both, but if the MAC caching element makes it too complicated, could probably work with allowing MAC caching for a short period of time (day/week) and then advance expire date on next web login.

 

Guru Elite

Re: ClearPass Guest Extend Expire Time

MAC caching would actually be easier and more user friendly. You can simply add a post auth enforcement profile to the MAC auth that changes the MAC-auth Expiry to "now+30d". 

Sent from Nine

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: ClearPass Guest Extend Expire Time

I have a group looking for something similar to what is described.  Cappalli suggests using an enforcement profile in the Mac auth to change the "mac-auth expiry" value.  I have attempted to do this without success.  Currently running 6.6x of Clearpass and the only value allowed is an exact date and time for the attribute. Adding "now()+(n)days" does not pass the validation for the attribute.

 

error is :

Value "now()+30 days" must have hh:mm:ss format (e.g., 17:05:55) 

 

I am currently using the "Self-Validated" model by Michael Clarke and would like to work this in some how.  Any assistance would be appreciated.

 

Thanks

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: