Security

Hello everybody.

 

I'm probably being a bit lazy, but I suspect somebody knows where the info is for this...

 

Assume a scenario, where I want to update a guest user/device expiry timer each time they re-connect. I.e. A guest connects and is approved/authenticated. We're doing mac-caching too by the way. They initially get created with 1 month's access. I'm good with this setup (I.e. I know how to do it). Normally, the account lasts a month obviously.

 

So, as an extension, assume that 5 days later, the user/device reconnects and is mac-auth'd. At that point, what I want to do, is reset their account to 1 month again. In other words, as long as they use the device within that 1 month, it keeps updating to have another month into the future. If they don't connect during the month, obviously the accounts (user and device) age out as normal.

 

Has anybody done this? I'm expecting it to be achievable by way of an enforcement profile? Just unsure what the variables and syntax should be?

 

I have done a deployment recently where the customer wanted the expiry time of the guest accounts to be automatically updated each time the user logged in (for example: expire time = current-time + 90 days)

 

This involved having to define a custom authentication source where we would execute a SQL UPDATE query to the local database in ClearPass.

 

This solution is a bit hackerish and is probably not supported by Aruba :). If you want I can share these SQL queries.

 

Also, for MAC-caching we are binding an endpoint directly to the guest account; we have also made some custom SQL queries for this cause since ClearPass does not do this out-of-the-box.

From what you've written, am I right in thinking you achieved all this within the Clearpass setup? I.e. you didn't need another external component/server/database for the SQL part?

 

I'd be interested to see how you did it yes please. Note I'm not an SQL guru by any means!

 

Not so worried about the support of it officially, I can bridge this gap if needed. ;-)

 

Thanks.

Big warning on using SQL queries in your config: the database schema CAN CHANGE. If ClearPass ships updates these SQL queries might break. Use at your own risk.

 

Database schema, remote access

You can access the ClearPass database with the "appexternal" account (you can set this password under "cluster wide parameters" in the server configuration). Then use a program like pgAdmin (postgres admin) to create a connection.

 

MAC caching: bind guest user to endpoint

If you want to use MAC caching and bind the endpoint directly to the guest account follow these steps. This means when the guest account is disabled or expired, the MAC authentication will fail as well.

 

1) Create new Authentication Source, Name = MAC_caching, Type = Generic SQL DB, Server = localhost, database = tipsdb, login = appadmin, driver = postgres

2) Add new filter in authentication source:

- Filter name: Authentication

- Filter query:

 

SELECT mac_address AS User_Password,
CASE WHEN tips_guest_users.enabled = FALSE THEN 225
WHEN ((tips_guest_users.start_time > now()) OR ((tips_guest_users.expire_time is not null) AND (tips_guest_users.expire_time <= now()))) THEN 226
WHEN tips_guest_users.approval_status != 'Approved' THEN 227
ELSE 0
END AS Account_Status, tips_guest_users.sponsor_name,
CAST(EXTRACT(epoch FROM (tips_guest_users.expire_time - NOW())) AS INTEGER) AS remaining_expiration
FROM tips_endpoints_attr_view INNER JOIN tips_guest_users ON tips_endpoints_attr_view.tag_value=tips_guest_users.user_id
WHERE tips_endpoints_attr_view.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')

 

Attributes:

- Name: remaining_expiration

- Alias: remaining_expiration

- Data type: Integer

 

3) Create a MAC authenitcation service where the above authentication source is used as the authentication source

4) In the enforcement policy you can have a generic accept policy (like day of the week), make sure you have a enforcement profile in place that will return remaining_expiration in the RADIUS - IETF - Session-Timeout attribute. Use %{Authentication:MAC_cache:remaining_expiration} as the value for this.

5) For the captive portal service make sure you have a post_authentication enforcement profile in place which will update the endpoint with the guest username during captive portal login

 

Dynamic expire time update

If you want to update the expire-time during each login you can do this by creating a new authentication source (same method as described above). Use this authentication source as an authorization source in your service. See attached screenshot for the setings. SQL queries for this:

 

SELECT NOW() + INTERVAL '90 days' as new_expire_time;
update tips_guest_users set expire_time = NOW() + INTERVAL '90 days' where user_id = '%{Authentication:Username}'

 

Please note above will update the expire time based on the username, this will only work if you know the username during authentication (thus for captive portal login or 802.1X).

 

If you want to update the expire time based on the related MAC adres you can use this query:

 

UPDATE tips_guest_users SET expire_time = NOW() + INTERVAL '90 days'
FROM tips_endpoints_attr_view WHERE tips_endpoints_attr_view.tag_value=tips_guest_users.user_id AND tips_endpoints_attr_view.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}');

 

Very interesting. I'll give it a try when rolling out. Thanks for the tips.

 

I won't ask for a deep techy dive on this, I'll drive it past by SQL guys to see if they can explain it to me!

 

Thanks again.

I recently worked with TAC to solve this very problem. It is not possible to do this with a simple post-auth enforcement profile utilizing the Expire-Time-Update attribute as I had originally thought, Clearpass will only let you reduce the expire_time with this attribute, not extend it.  However, you can effectively extend the expire_time by performing a SQL query or an internal API call.  We chose the API call route as its a bit more straightforward, you will need to set up an HTTP Context Server Action Dictionary and then reference that in an Enforcement Profile.  You will also need to add a Time Source filter that matches the time you want to extend by (Now Plus 30days) and add the Time Source as an authorization source in your service.  In my case I extended expiration by 1 year, here's how i did it:


1) Create a Time Source filter for the time period you want to extend by


2) Create a context server dictionary entry to perform the API action:




3) Create an enforcement profile that references this dictionary entry to perform the action.





Original Message:
Sent: Feb 03, 2014 10:04 AM
From: Jake Cornford
Subject: Clearpass rolling expiry timers

Hello everybody.

 

I'm probably being a bit lazy, but I suspect somebody knows where the info is for this...

 

Assume a scenario, where I want to update a guest user/device expiry timer each time they re-connect. I.e. A guest connects and is approved/authenticated. We're doing mac-caching too by the way. They initially get created with 1 month's access. I'm good with this setup (I.e. I know how to do it). Normally, the account lasts a month obviously.

 

So, as an extension, assume that 5 days later, the user/device reconnects and is mac-auth'd. At that point, what I want to do, is reset their account to 1 month again. In other words, as long as they use the device within that 1 month, it keeps updating to have another month into the future. If they don't connect during the month, obviously the accounts (user and device) age out as normal.

 

Has anybody done this? I'm expecting it to be achievable by way of an enforcement profile? Just unsure what the variables and syntax should be?