Security

Reply
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Clearpass Guest device expiration update

Is it possible to update a clearpass guest device registration, expire date, from policy manager.

 

Right Now I have the expiration set to 1 year after registration when they register.  What I would like to do is update the date every time they connect so it is 6 months after last connection.  This way as long as they are using the device it never expires.  But if they leave, it gets removed after 6 months.

 

I have not found a way to update the update that field in a post authentication profile.  I assume I am not the only one who wants to do this?

Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Clearpass Guest device expiration update

I don't think this is possible directly with a post_auth update, however you could probably leverage the guest API to do the update. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Re: Clearpass Guest device expiration update

I haven't played with the guest api, is there doc that you can point me at that explains how to use it?

How would you trigger it? can you trigger a "script" or api call in post authentication?

Maybe another way at this is to update the endpoint upon each connect and every 6 months run a script to pull the
endpoint last connect dates and update the guest devices expiration via the guest api? I guess that depends on if the
cpmm has an api to access the endpoints.
Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Clearpass Guest device expiration update

I don't have a doc but I will test it for you later today. 

You essentially create an external context server with actions tied to it. The action in this case would be to update the expiration time. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Clearpass Guest device expiration update

There is actually a post_auth update that will accomplish this without using the API. Configure an enforcement profile like below and add it to the appropriate rules in MAC-auth enforcement policy.

 

expire-time-update-6m.PNG

 

 

Note that the value is in minutes.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Re: Clearpass Guest device expiration update

Yes, but isn't that the guest user (Ie Account)? I want the guest device.
Guru Elite
Posts: 8,320
Registered: ‎09-08-2010

Re: Clearpass Guest device expiration update

A device is a guest user account of type DEVICE.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Re: Clearpass Guest device expiration update

Tim,

 

  that seems to work perfectly.   Thanks for all the help.

Search Airheads
Showing results for 
Search instead for 
Did you mean: