Contributor II

Guest MAC Caching - Dynamically removing endpoints from repository

Hi there,

We have a Guest solution, that has mainly been implemented by a 3rd party, that I'm looking to make a couple of minor adjustments to. I don't have a huge amount of ClearPass experience, so I'm trying to piece everything together to understand the current setup.

Our Guests are actually internal employees, who connect to the Guest SSID provided, and are subsequently presented with a splash page for authentication. They'll utilise their internal AD credentials in order to verify themselves and subsequently connect. The original design specified that after 30 days, their MAC entry in the endpoint repository would expire and they would be prompted to re-authenticate. This currently isn't happening: once a MAC entry is in the repository it is not being removed and they're not being prompted to re-connect. I've had a look into the service configured in ClearPass, and it appears to be utilising an attribute in a profile, as seen in the attachment.

Given that we're not being prompted to re-auth, is there a better way for me to configure this that will actually work?

Secondly, something else we'd like to build in is some sort of background check to verify that the internal AD account that was initially used to verify that user on the Guest splash page is still valid. If the account is still live (account active / password not expired) then they're able to continue to connect by use of the cached MAC, but if there are any issues with their account, then the splash page would be presented to them again, in order for them to re-validate with updated credentials.

Thanks in advance

Dan

Contributor II

Re: Guest MAC Caching - Dynamically removing endpoints from repository

Quick update to my original post. Looking at the MAC address of a cached device, I can see that the MAC expiry address is being applied to my MAC address, but ClearPass doesn't seem to be actioning upon it. Does anyone have any pointers on where/how I can troubleshoot this? Screenshot of the endpoint entry attached.

Re: Guest MAC Caching - Dynamically removing endpoints from repository

Can you share a screenshot of the role mapping and enforcement policy?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II

Re: Guest MAC Caching - Dynamically removing endpoints from repository

Screenshots attached as requested. For information, the SSID in use is for both external and in-house Guest, hence the multiple role configs.

The employee/Role ID 3 is the one for which I'm trying to resolve the MAC caching issue.

Thanks
