Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
ClearPass Guest MAC Caching - Deny Disabled Guests

  • 1.  ClearPass Guest MAC Caching - Deny Disabled Guests

    Posted Oct 09, 2013 04:46 PM

    I have Guest MAC caching and authentication working. I want to keep a guest from being able to MAC authenticate if their guest account has been disabled. Since the Guest MAC Auth service only checks the Insight and Endpoint Repository, it can't determine the status of the Guest account. Is it possible to somehow correlate the device with the guest so the guest account can be verified during Guest MAC auth? If not, the only solution I've found is to change the device to "unknown", which will cause the MAC Auth authentication method to fail.



  • 2.  RE: ClearPass Guest MAC Caching - Deny Disabled Guests
    Best Answer

    EMPLOYEE
    Posted Oct 09, 2013 06:51 PM

    Hi,

    This was fixed in 6.1 by way of an SQL Query source. It is configured automatically when you use the Service Template called Guest MAC Authentication.

    When you use the Guest MAC Authentication, it will create two sources. Here is a photo of the one you need to add as an Authorization Source:

    [Screenshot: Screen Shot 2013-10-09 at 3.07.44 PM.png]

    Note the attributes tab for this source; we will use that info later in our Enforcement Policy:

    [Screenshot: Screen Shot 2013-10-09 at 3.21.14 PM.png]

    I believe in 6.1.2 we added the "expire_time is null" to this query, which basically means that we are going to allow MAC Caching for guest accounts that never expire.

    Then, after adding this source in as an Authorization Source in your MAC Caching service, you need to take advantage of the checks. Here is how you do that:

    [Screenshot: Screen Shot 2013-10-09 at 3.27.05 PM.png]

    My example here is doing MAC Caching for 7 days. You can see the first rule is checking that UserName EXISTS from the query above. That UserName is the Alias Name, which is the alias for the guest_device_user which is being returned from the SQL query, if it is able to find it using the query.

    This is probably WAY more information than you wanted. Hope you find it helpful.

    Zach

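The mechanism Zach describes (an SQL authorization source that only returns a `guest_device_user` when the device's owning guest account is still enabled and not expired, followed by an enforcement rule that allows MAC caching only if that username exists) can be illustrated with a small self-contained model. The example below is added here and is not ClearPass code; its table and column names, the 7-day cache window and the sample accounts are all constructed assumptions, and only the result alias `guest_device_user` and the `expire_time is null` condition are taken from the thread. It also covers the cases the thread does not spell out: an expired account and a device whose cache entry is older than the caching window.

```python
"""Hypothetical model of a guest MAC-caching authorization lookup.

Added example, not ClearPass's own schema or query. Everything below except the
alias `guest_device_user` and the `expire_time IS NULL` rule is constructed.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2013, 10, 10, 12, 0, tzinfo=timezone.utc)
CACHE_DAYS = 7  # the thread's example caches for 7 days

# Constructed schema: guest accounts and the devices they registered.
SCHEMA = """
CREATE TABLE guest_account (
    username    TEXT PRIMARY KEY,
    enabled     INTEGER NOT NULL,   -- 1 = active, 0 = disabled by an operator
    expire_time TEXT                -- ISO-8601 UTC; NULL = account never expires
);
CREATE TABLE guest_device (
    mac_address TEXT PRIMARY KEY,   -- stored normalised: lower-case, no separators
    username    TEXT NOT NULL REFERENCES guest_account(username),
    cached_at   TEXT NOT NULL       -- ISO-8601 UTC of the last full guest login
);
"""

# Hypothetical authorization-source query. A row comes back only when the
# device is known, its owner is enabled, the account has not expired (or never
# expires), and the cache entry is still inside the caching window. A disabled
# account therefore yields no guest_device_user at all.
AUTHZ_QUERY = """
SELECT a.username AS guest_device_user
FROM guest_device d
JOIN guest_account a ON a.username = d.username
WHERE d.mac_address = ?
  AND a.enabled = 1
  AND (a.expire_time IS NULL OR a.expire_time > ?)
  AND d.cached_at > ?
"""


def iso(dt):
    """ISO-8601 UTC string; lexicographic order equals chronological order."""
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalise_mac(mac):
    """Collapse 'AA:BB:..', 'aa-bb-..' and bare forms to one canonical key."""
    return mac.lower().replace(":", "").replace("-", "")


def build_db(now=NOW):
    """Create an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    accounts = [
        ("alice", 1, None),                            # enabled, never expires
        ("bob",   0, None),                            # disabled by operator
        ("carol", 1, iso(now - timedelta(days=1))),    # enabled but expired
        ("dave",  1, iso(now + timedelta(days=30))),   # enabled, still valid
    ]
    devices = [
        ("aabbcc000001", "alice", iso(now - timedelta(days=1))),
        ("aabbcc000002", "bob",   iso(now - timedelta(days=1))),
        ("aabbcc000003", "carol", iso(now - timedelta(days=1))),
        ("aabbcc000004", "dave",  iso(now - timedelta(days=10))),  # cache too old
    ]
    conn.executemany("INSERT INTO guest_account VALUES (?, ?, ?)", accounts)
    conn.executemany("INSERT INTO guest_device VALUES (?, ?, ?)", devices)
    return conn


def lookup_guest_user(conn, mac, now=NOW, cache_days=CACHE_DAYS):
    """Return the owning username for a cached device, or None if the
    authorization source finds nothing (unknown, disabled, expired or stale)."""
    cutoff = iso(now - timedelta(days=cache_days))
    row = conn.execute(AUTHZ_QUERY, (normalise_mac(mac), iso(now), cutoff)).fetchone()
    return row[0] if row else None


def mac_auth_decision(conn, mac, now=NOW):
    """Mirror the enforcement rule 'UserName EXISTS': allow only when the
    authorization source returned a guest_device_user."""
    return "ALLOW" if lookup_guest_user(conn, mac, now) is not None else "DENY"


if __name__ == "__main__":
    db = build_db()
    for mac in ("AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02",
                "aabbcc000003", "aa:bb:cc:00:00:04", "ff:ff:ff:ff:ff:ff"):
        print(mac, lookup_guest_user(db, mac), mac_auth_decision(db, mac))
```

The decision is made only when the device re-authenticates, so a session that is already up when the account is disabled keeps running until its next MAC authentication; that is worth knowing when deciding how quickly a disable needs to take effect.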

  • 3.  RE: ClearPass Guest MAC Caching - Deny Disabled Guests

    Posted Oct 10, 2013 11:08 AM

    Perfect! Now, disabling the guest account results in the policy manager failing to get the username attribute and fails MAC auth. Exactly what I needed. Thank you!