Home > Community > Technology > Security > Clearpass - Self registration and mac caching

Security

Reply
Topic Options
metalgalle
Contributor II
metalgalle
Posts: 39
Registered: ‎02-17-2014

Clearpass - Self registration and mac caching

Options

‎04-16-2014 02:31 AM

Hi everybody!

 

A customer asked me to set-up a self-reg portal in order to make his guests to self provision theirselves, and wait for his confirmation.

No problem...DONE! :smileyhappy:

 

My customer also asked me to limit the maximum number of devices that a single user can use simultaneously.

...ok, I'll set-up a policy with mac-caching enabled and set the limit to 1 for example.

 

I thought that'it, but I noticed that mac-caching seems to never forget the guest registered mac-address, and also waiting over 24 hours before trying to login again, my CPPM rejects the authentication saying that the registered devices number is over the maximum configured (1 in my case).

 

I need to make a guest to disconnect a device (ex his smartphone) from the network and connect with another device.

 

So, my question is: how can I set-up a timeout to flush the guest cached mac addresses in order to make a guest to change his device within a specified time window?

 

 

Sorry for bad English.... :smileytongue:

 

Thanx a lot in advance to everybody!

 

Bye!



---
Metalgalle
Alert a Moderator
Message 1 of 13 (3,261 Views)
Reply
0 Kudos
MVP MVP
MVP
Victor Fabian
Posts: 4,301
Registered: ‎07-20-2011

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 04:30 AM

What's the amount of time you have setup for your device to have a valid session without having to re-register ?

2014-04-16 07_29_34-ClearPass Policy Manager - Aruba Networks.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Alert a Moderator
Message 2 of 13 (3,244 Views)
Reply
0 Kudos
metalgalle
Contributor II
metalgalle
Posts: 39
Registered: ‎02-17-2014

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 04:40 AM

I don't actively set-up this parameter, I used the "Guest MAC authentication" service template, and accepted default parameters except for the maximum number of devices...

 



---
Metalgalle
Alert a Moderator
Message 3 of 13 (3,242 Views)
Reply
0 Kudos
metalgalle
Contributor II
metalgalle
Posts: 39
Registered: ‎02-17-2014

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 04:44 AM

So, in case this is the problem, can I set an amount of time of less then 1 day?

For example, 12 hours?



---
Metalgalle
Alert a Moderator
Message 4 of 13 (3,242 Views)
Reply
0 Kudos
MVP MVP
MVP
Victor Fabian
Posts: 4,301
Registered: ‎07-20-2011

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 04:58 AM

 

Using the same template there should be an option to add the amount of time as well.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Alert a Moderator
Message 5 of 13 (3,237 Views)
Reply
0 Kudos
metalgalle
Contributor II
metalgalle
Posts: 39
Registered: ‎02-17-2014

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 05:02 AM

Ok, Thanx a lot!

I'll try ASAP! :-)



---
Metalgalle
Alert a Moderator
Message 6 of 13 (3,234 Views)
Reply
0 Kudos
metalgalle
Contributor II
metalgalle
Posts: 39
Registered: ‎02-17-2014

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 05:12 AM

I tried to create a new service starting with "Guest MAC authentication".

 

Here' s the role policy:

Roles.JPG

 

Here's the Enforcement policy:

Enforcement.JPG

 

 

How can I obtain what you suggested?



---
Metalgalle
Alert a Moderator
Message 7 of 13 (3,230 Views)
Reply
0 Kudos
metalgalle
Contributor II
metalgalle
Posts: 39
Registered: ‎02-17-2014

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 05:19 AM

Maybe I found what you mean:

Enforcement 2.JPG

 

Do you think that if I change this setting I can accomplish to the task?



---
Metalgalle
Alert a Moderator
Message 8 of 13 (3,229 Views)
Reply
0 Kudos
metalgalle
Contributor II
metalgalle
Posts: 39
Registered: ‎02-17-2014

Re: Clearpass - Self registration and mac caching

[ Edited ]
Options

‎04-16-2014 05:45 AM - edited ‎04-16-2014 05:51 AM

I tried to set the time parameter to 60 seconds (for testing purposes), but also if I let pass the expiry timeout, this is the response of CPPM:

 

Result.JPG

 

And it is the same situation that I described above...it seems that CPPM does not care to the expiry timeout of the mac cache....:smileyfrustrated:



---
Metalgalle
Alert a Moderator
Message 9 of 13 (3,224 Views)
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli
Posts: 8,633
Registered: ‎09-08-2010

Re: Clearpass - Self registration and mac caching

Options

‎04-16-2014 05:53 AM

Endpoints are aged out of the database after a minimum 24 hours.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Alert a Moderator
Message 10 of 13 (3,221 Views)
Reply
0 Kudos
Search Airheads
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2017 Hewlett Packard Enterprise Development LP
Powered by Lithium