MVP
Posts: 1,408
Registered: ‎05-28-2008

Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

Hi Guys,

I would like to build a service under CPPM that will allow each MAC address that self-registers to log in to the service for 1 hour every 24 hours (each day). If the client tries to re-register on the same day with the same device (MAC address), I want CPPM to reject it.

Can anyone advise me how to accomplish that? I've been stuck on this for more than a week, with no success.

I did some reading here:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-Guest-MAC-Caching-Deny-Disabled-Guests/td-p/114909

 

 

Thanks in advance,

 

me

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Frequent Contributor II
Posts: 117
Registered: ‎02-26-2010

Re: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

I have an open ticket on a similar config and support is still working on it.

 

 

Andrea Consadori
ACMP 5.0 and 6.3


-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

Also here (also opened a TAC ticket).

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

What type of NAS are you doing this with?

Is this for an open SSID or a secured one?

Are you wanting to DENY the user on the MAC-Check service or during a captive-portal authentication?

You should be able to do this with some configurations.

MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

What type of NAS are you doing this with?

Aruba Controller.

Is this for an open SSID or a secured one?

Open.

Are you wanting to DENY the user on the MAC-Check service or during a captive-portal authentication?

I would like to deny the user the ability to re-use the same device (MAC) after 30 min per day (it doesn't matter which username he is entering or creating).

You should be able to do this with some configurations.

I hope so... but so far I'm stuck. :( :(

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

Such an odd request. I don't know what sector your company is in. So you basically only want to give a device access for 30 min per day (resets at midnight) after the user completes a captive portal form?

So if I'm correct, you should be able to use the Insight database for this.

I apologize for not having the exact info in here; I'll try to post the exact details tomorrow.

You should be able to use the logon count variable > 1 and then use Insight mins since auth less than 30.

I'm not sure how strict you want to be, but you might need some enforcement policies that dynamically update the time left.

You might need some more custom code if this isn't quite what you're looking for.
MVP
Posts: 226
Registered: ‎03-03-2011

Re: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

OK, so this is mostly theory, so no screenshots, but try the following...

The self-registration page creates accounts with a logon lifetime of 1 hour.

Amend the ClearPass service so that upon successful logon (after the self-registration) the Endpoint entry is updated (in an Enforcement profile) with an attribute to say they have used their quota. (You would need to add this attribute under the Administration -> Dictionaries -> Attributes section for the Endpoint entity.)

The ClearPass service which allows the login is amended to check that the attribute doesn't exist before allowing access. If it does exist, you know the MAC address has been used previously and it is rejected.

You would then need to amend the Cleanup intervals for known/unknown Endpoints (depending on whether you make them known or not) to 1 day so that they are cleared overnight, allowing the same MAC to create an account the next day.

There is probably a flaw in this, so let us know if this doesn't fit the model.

David
ACDX #98 | ACMP | ACCP
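
The decision logic of the steps in the post above, modelled in Python as an added example (not part of the original post, and not ClearPass configuration or API). The attribute name `Quota-Used`, the class and its methods are hypothetical, and the overnight cleanup is simplified to clearing every entry.

```python
from datetime import datetime, timedelta

LOGON_LIFETIME = timedelta(hours=1)  # lifetime given by the self-registration page
QUOTA_ATTR = "Quota-Used"            # hypothetical custom Endpoint attribute name


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


class EndpointModel:
    """Toy stand-in for the endpoint repository; not a ClearPass API."""

    def __init__(self):
        self.endpoints = {}  # normalized MAC -> attribute dict

    def web_login(self, mac, username, now):
        """Login service: allow only if the quota attribute is absent."""
        key = normalize_mac(mac)
        attrs = self.endpoints.setdefault(key, {})
        if QUOTA_ATTR in attrs:
            return "REJECT"  # this MAC already used today's hour, any username
        # Enforcement-profile step: tag the endpoint on successful logon.
        attrs[QUOTA_ATTR] = "true"
        attrs["expires"] = now + LOGON_LIFETIME
        attrs["first_user"] = username
        return "ACCEPT"

    def session_valid(self, mac, now):
        """True while the 1-hour account lifetime has not run out."""
        attrs = self.endpoints.get(normalize_mac(mac), {})
        return "expires" in attrs and now < attrs["expires"]

    def overnight_cleanup(self):
        """Model of the 1-day cleanup: entries are cleared, quota resets."""
        self.endpoints.clear()
```

The lookup key is the normalized MAC, so the same device is matched whatever notation the NAS sends and whatever username is registered.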
Frequent Contributor II
Posts: 117
Registered: ‎02-26-2010

Re: Clearpass / CPPM Guest - how to allow user device (MAC address) 1 hour per day?

If you want to use a BW limit other than a time limit, take care of the following:

There is a bug already opened for the issue “CoA not triggered for users reaching the BW limit”, and the issue is going to be fixed in 6.3.2 as per the engineering update. The bug number for your reference is 23058.

Andrea Consadori
ACMP 5.0 and 6.3

