Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest with MAC Caching - endpoint not deleted

  • 1.  Guest with MAC Caching - endpoint not deleted

    Posted Feb 28, 2018 02:54 AM

    Hi

    I have a customer with ClearPass Guest with MAC Caching. When the user account expires, the endpoint is still present in ClearPass. So the next time the guest logs in, the guest user is expired but the endpoint is still present, so the guest is MAC authenticated; but since the guest user account is disabled, the station is still in the network not getting an IP, rather than being redirected to the captive portal.

    Shouldn't the endpoint be deleted when the cache and the guest user account expire?



  • 2.  RE: Guest with MAC Caching - endpoint not deleted
    Best Answer

    Posted Feb 28, 2018 07:00 AM
    The MAC address won’t be deleted from the endpoint DB and it shouldn’t impact the decision to redirect the user but it depends on how you have your enforcement policy.

    Can you share your role mapping and enforcement policy?



    Thank you

    Pardon typos sent from Mobile


  • 3.  RE: Guest with MAC Caching - endpoint not deleted

    Posted Feb 28, 2018 07:35 AM

    Hi

    Thanks for getting back to me. I just had a session going through the setup on ClearPass and there are a couple of things. And - you're correct - some of it originated from the Enforcement Profile.

    1. The MAC auth enforcement policy was correct, apart from the fact that the ROLE MAPPING for guest had an enforcement profile giving the station a non-existent Aruba User Role - so the Aruba role giving Captive Portal access wasn't added and the user was placed in a default user role with no CP.

    2. When that was fixed we noticed that the initial role in the Aruba Controller had the wrong CP Profile added - the wizard had changed this, so the default guest user role was added rather than the customized guest role.

    With those two tweaks it worked.

    Lessons learned.

    Thank you



  • 4.  RE: Guest with MAC Caching - endpoint not deleted

    MVP
    Posted Feb 28, 2018 11:02 AM

    I think Aruba expects you would use the Known Endpoints Cleanup to remove those records. The interval is based on when the Known Endpoint record was last modified.

    We cannot currently do that, so I made a REST API script that I run manually to clean up old Guest Endpoints. It checks all Known Endpoints. If there is a Guest-Role-ID attribute, it checks to see if the Guest Account exists. If the Guest Account does not exist, it deletes the Endpoint.
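The cleanup the MVP describes above, written out as an added example; this is not the script attached later in the thread and not Aruba's code. It assumes the ClearPass 6.x REST API shape (OAuth2 client_credentials at POST /api/oauth, paged GET /api/endpoint returning HAL-style `_embedded.items`, GET /api/guest/username/{name} answering 404 for a missing account, DELETE /api/endpoint/{id}), and that a MAC-cached guest endpoint carries the `Guest-Role-ID` attribute the poster names plus a `Username` attribute identifying the guest account. The decision logic is separated from the HTTP client so it can be dry-run offline; deletion only happens with `--apply`, and endpoints whose owner cannot be determined are skipped rather than deleted.

```python
"""Delete MAC-cached guest endpoints whose guest account no longer exists.
Added example; API paths and attribute names are assumptions (see lead-in)."""
import json
import os
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request


def select_stale_endpoints(endpoints, guest_exists):
    """Return ids of endpoints that carry a Guest-Role-ID attribute whose
    Username refers to a guest account that no longer exists.
    `guest_exists(username) -> bool` is injected so this runs offline."""
    seen = {}  # memoise lookups: many endpoints may belong to one guest
    stale = []
    for ep in endpoints:
        attrs = ep.get("attributes") or {}
        if "Guest-Role-ID" not in attrs:
            continue  # not a MAC-cached guest endpoint; leave it alone
        username = attrs.get("Username")
        if not username:
            continue  # owner unknown: skip rather than delete blindly
        if username not in seen:
            seen[username] = guest_exists(username)
        if not seen[username]:
            stale.append(ep["id"])
    return stale


class ClearPassClient:
    """Minimal stdlib-only client; paths are assumed from the ClearPass 6.x API."""

    def __init__(self, host, client_id, client_secret, verify_tls=True):
        self.base = f"https://{host}/api"
        ctx = ssl.create_default_context()
        if not verify_tls:  # lab appliances with self-signed certificates only
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        self._opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
        self.token = None
        tok = self._call("POST", "/oauth", {"grant_type": "client_credentials",
                                            "client_id": client_id,
                                            "client_secret": client_secret})
        self.token = tok["access_token"]

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("Authorization", f"Bearer {self.token}")
        with self._opener.open(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}  # DELETE answers 204, empty body

    def list_endpoints(self, page_size=500):
        offset = 0
        while True:  # page through all Known Endpoints
            page = self._call("GET", f"/endpoint?limit={page_size}&offset={offset}")
            items = page.get("_embedded", {}).get("items", [])
            yield from items
            if len(items) < page_size:
                return
            offset += page_size

    def guest_exists(self, username):
        try:
            self._call("GET", "/guest/username/" + urllib.parse.quote(username, safe=""))
            return True
        except urllib.error.HTTPError as e:
            if e.code == 404:
                return False
            raise  # auth/permission errors must not be read as "account gone"

    def delete_endpoint(self, endpoint_id):
        self._call("DELETE", f"/endpoint/{endpoint_id}")


# Constructed sample records (not real ClearPass output) for an offline dry run.
SAMPLE_ENDPOINTS = [
    {"id": 1, "mac_address": "00-11-22-33-44-01", "attributes": {"Guest-Role-ID": "2", "Username": "alice"}},
    {"id": 2, "mac_address": "00-11-22-33-44-02", "attributes": {"Guest-Role-ID": "2", "Username": "bob"}},
    {"id": 3, "mac_address": "00-11-22-33-44-03", "attributes": {}},          # corporate device
    {"id": 4, "mac_address": "00-11-22-33-44-04", "attributes": {"Guest-Role-ID": "2"}},  # no owner
    {"id": 5, "mac_address": "00-11-22-33-44-05"},
    {"id": 6, "mac_address": "00-11-22-33-44-06", "attributes": {"Guest-Role-ID": "2", "Username": "bob"}},
]
SAMPLE_GUESTS = {"alice"}  # bob's account has expired and been purged


def demo():
    """Offline dry run over the constructed sample; returns the stale ids."""
    return select_stale_endpoints(SAMPLE_ENDPOINTS, lambda u: u in SAMPLE_GUESTS)


def main(argv):
    # usage: cleanup.py <host> <client_id> [--apply]; secret from CPPM_CLIENT_SECRET
    if len(argv) < 3:
        print("offline demo, stale endpoint ids:", demo())
        return 0
    host, client_id, apply = argv[1], argv[2], "--apply" in argv
    cp = ClearPassClient(host, client_id, os.environ["CPPM_CLIENT_SECRET"])
    endpoints = list(cp.list_endpoints())
    stale = select_stale_endpoints(endpoints, cp.guest_exists)
    for eid in stale:
        print(("deleting" if apply else "would delete"), "endpoint id", eid)
        if apply:
            cp.delete_endpoint(eid)
    print(f"{len(stale)} of {len(endpoints)} endpoints selected")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments for the offline dry run; against an appliance, the API client needs an operator profile that can read endpoints and guest accounts and delete endpoints, and nothing more. Treating anything other than a 404 from the guest lookup as an error (rather than "account gone") is what keeps a misconfigured or expired token from turning into a mass deletion.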



  • 5.  RE: Guest with MAC Caching - endpoint not deleted

    EMPLOYEE
    Posted Mar 30, 2019 09:46 AM

    Can you share the script that you wrote? I'm facing similar challenges and need a mechanism (programmatic access) to delete guest endpoints.



  • 6.  RE: Guest with MAC Caching - endpoint not deleted

    MVP
    Posted Apr 01, 2019 08:30 AM

    I just quickly threw this together. As mentioned, I did "best guess" on the operator profile access. It is a little rough, but it works for us.


    Please let me know if I need to adjust anything.


    Attachment(s)



  • 7.  RE: Guest with MAC Caching - endpoint not deleted

    EMPLOYEE
    Posted Apr 02, 2019 10:03 AM

    Cool, I always wanted to do some real API calls to ClearPass; you have provided a good example for that. Let me check them out. thx



  • 8.  RE: Guest with MAC Caching - endpoint not deleted

    MVP
    Posted Apr 02, 2019 10:06 AM

    @aphuang2015 wrote:

    Cool, I always wanted to do some real API calls to ClearPass; you have provided a good example for that. Let me check them out. thx


    I know most networking stuff is happening in Python right now, but I actually started with the eTIPs API using a proof of concept from Avenda that moved over to Aruba when they bought eTIPs. I just tend to adjust as needed.

    Laziness, I guess.