ClearPass Time Source Now Minus 3 Days

Good morning everyone,

 

I configured ClearPass to integrate with an existing AirWatch solution. I tried configuring a condition in Role Mapping that would verify the device had checked in to AirWatch in the past 3 days from that authentication.


I went to Time Source and copied the "now_plus_1day" attribute and modified it as follows:

 

Now Plus 1 Day

SELECT (EXTRACT (EPOCH FROM NOW() + interval '1 days'))::int AS now_plus_1day;

 

Now Minus 3 Days

SELECT (EXTRACT (EPOCH FROM NOW() - interval '3 days'))::int AS now_minus_3days;

 

I also updated the Name and Alias to match. I left the Data Type as Integer. 

 

When an authentication comes through, the access tracker logs show the entry as a string of numbers and not a date/time stamp. The Last Checked In for AirWatch in the logs is a date/time stamp. Due to this it is not interpreting it the way it should and we are getting an "out of compliance" role instead of "airwatch-valid" role. 

 

Any recommendations or anything I missed to accomplish this? Would anyone have a working example?

 

Thank you.

 


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: ClearPass Time Source Now Minus 3 Days

It's likely due to the format of the timestamp.

 

Try this instead:

 

SQL query:

select localtimestamp(0)+ interval '3 days' as three_days_from_now

Then create the attribute to match.

mharing-3daysfromnow.PNG


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Time Source Now Minus 3 Days

Thanks, I will give that a try. Would the minus symbol work to incorporate "3 days ago" instead of "3 days from now"?


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0

Re: ClearPass Time Source Now Minus 3 Days

Tested the string you provided, and it worked perfectly. Thank you for your help!


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
MVP

Re: ClearPass Time Source Now Minus 3 Days

Hi @mharing, I want to accomplish the same with the "Last check in" attribute, and I was wondering how you achieved this. What I want to do is, for example, if a PC's last check-in was 3 days ago, assign a different role and send it to a Quarantine VLAN. Can you post the SQL script you used as an example? Thanks a lot.

Oscar,
“All opinions written here are my own and do not necessarily reflect the views and opinions of Aruba.”
“If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos"

Guru Elite

Re: ClearPass Time Source Now Minus 3 Days

Is your "Last Check In" attribute using epoch or human readable time?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: ClearPass Time Source Now Minus 3 Days

I would like to test both. Right now I have a filter that adds the "Last Check In" attribute to authenticated machines. This is the query that I'm using (Time Source):

 

select localtimestamp(0)- interval '3 days' as three_days_ago

 

Is returning this time format:

 

2017-03-09 08:33:07

Oscar,
“All opinions written here are my own and do not necessarily reflect the views and opinions of Aruba.”
“If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos"

Guru Elite

Re: ClearPass Time Source Now Minus 3 Days

So essentially, you just need an enforcement rule that says: 

 

Endpoint:Last Check In   LESS_THAN %{[Time Source]:Your Attribute}

 

You may need to flip that logic depending on what you're trying to do.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Time Source Now Minus 3 Days

I think we used the GREATER_THAN, but yes it was the exact same condition:

 

If Last Check-In to AirWatch is Greater Than 3 days ago (4 days +), then assign role "Out of Compliance".

In enforcement policy: If role = Out of Compliance, then assign Quarantine VLAN/User-role.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
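
An added example, not part of any post in this thread: the two Time Source forms discussed above, evaluated side by side in plain PostgreSQL against constructed endpoint rows, to show what each one returns and which comparison direction selects devices whose last check-in is older than three days. The `endpoints` rows and MAC addresses are constructed, the check-in value is assumed to be a timestamp, and the query does not reproduce ClearPass's own policy evaluation.

```sql
-- Constructed sample data; runs on plain PostgreSQL, outside ClearPass.
WITH time_source AS (
    SELECT
        -- Timestamp form from the reply: same type as a date/time check-in value.
        localtimestamp(0) - interval '3 days' AS three_days_ago,
        -- Epoch form from the original post: an integer count of seconds.
        (EXTRACT(EPOCH FROM NOW() - interval '3 days'))::int AS now_minus_3days
),
endpoints (mac, last_check_in) AS (
    -- Constructed devices with check-ins on both sides of the 3-day threshold.
    VALUES
        ('00:00:5e:00:53:01', localtimestamp(0) - interval '2 hours'),
        ('00:00:5e:00:53:02', localtimestamp(0) - interval '2 days'),
        ('00:00:5e:00:53:03', localtimestamp(0) - interval '4 days'),
        ('00:00:5e:00:53:04', localtimestamp(0) - interval '30 days')
)
SELECT
    e.mac,
    e.last_check_in,
    t.three_days_ago,                 -- e.g. 2017-03-09 08:33:07
    t.now_minus_3days,                -- e.g. a 10-digit integer
    -- An older check-in is an earlier timestamp, so it sorts below the threshold.
    e.last_check_in < t.three_days_ago AS checked_in_before_threshold,
    CASE
        WHEN e.last_check_in < t.three_days_ago THEN 'Out of Compliance'
        ELSE 'airwatch-valid'
    END AS role
FROM endpoints AS e
CROSS JOIN time_source AS t
ORDER BY e.last_check_in DESC;
```

The first two rows come back as `airwatch-valid` and the last two as `Out of Compliance`; swapping `<` for `>` inverts the result, which is the operator flip mentioned in the replies.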
MVP

Re: ClearPass Time Source Now Minus 3 Days

Thanks a lot for your help, will test it that way and post results.

Oscar,
“All opinions written here are my own and do not necessarily reflect the views and opinions of Aruba.”
“If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos"
