Contributor II

Clearpass - Self registration and mac caching

Hi everybody!

 

A customer asked me to set up a self-registration portal so that his guests can self-provision themselves and wait for his confirmation.

No problem...DONE! :smileyhappy:

 

My customer also asked me to limit the maximum number of devices that a single user can use simultaneously.

...OK, I'll set up a policy with mac-caching enabled and set the limit to 1, for example.

 

I thought that was it, but I noticed that mac-caching never seems to forget the guest's registered MAC address, and even after waiting over 24 hours before trying to log in again, my CPPM rejects the authentication, saying that the number of registered devices is over the configured maximum (1 in my case).

 

I need to let a guest disconnect a device (e.g. his smartphone) from the network and connect with another device.

 

So, my question is: how can I set up a timeout to flush the guest's cached MAC addresses so that a guest can change his device within a specified time window?

 

 

Sorry for bad English.... :smileytongue:

 

Thanx a lot in advance to everybody!

 

Bye!



---
Metalgalle

Re: Clearpass - Self registration and mac caching

What's the amount of time you have set up for your device to have a valid session without having to re-register?

2014-04-16 07_29_34-ClearPass Policy Manager - Aruba Networks.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Clearpass - Self registration and mac caching

I didn't actively set up this parameter; I used the "Guest MAC authentication" service template and accepted the default parameters except for the maximum number of devices...

 



---
Metalgalle
Contributor II

Re: Clearpass - Self registration and mac caching

So, in case this is the problem, can I set an amount of time of less than 1 day?

For example, 12 hours?



---
Metalgalle

Re: Clearpass - Self registration and mac caching

 

Using the same template there should be an option to add the amount of time as well.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Clearpass - Self registration and mac caching

Ok, Thanx a lot!

I'll try ASAP! :-)



---
Metalgalle
Contributor II

Re: Clearpass - Self registration and mac caching

I tried to create a new service starting with "Guest MAC authentication".

 

Here's the role policy:

Roles.JPG

 

Here's the Enforcement policy:

Enforcement.JPG

 

 

How can I obtain what you suggested?



---
Metalgalle
Contributor II

Re: Clearpass - Self registration and mac caching

Maybe I found what you mean:

Enforcement 2.JPG

 

Do you think that if I change this setting I can accomplish the task?



---
Metalgalle
Contributor II

Re: Clearpass - Self registration and mac caching

I tried to set the time parameter to 60 seconds (for testing purposes), but even if I let the expiry timeout pass, this is the response of CPPM:

 

Result.JPG

 

And it is the same situation that I described above... it seems that CPPM does not care about the expiry timeout of the MAC cache... :smileyfrustrated:



---
Metalgalle
Guru Elite

Re: Clearpass - Self registration and mac caching

Endpoints are aged out of the database after a minimum of 24 hours.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480