> I see in the role mappings already a condition that sounds useful: Certificate - not-valid-after.
> Can I do some simple calculus in the value field there? i.e. IF(now > ("Certificate - not-valid-after" - 3 weeks)) THEN force captive portal
> Currently the value field won't let me do this, it seems to expect a datetime and nothing else. Any way around this?
There isn't currently a way to perform this kind of calculation in the rule editor.
However, you could use a CPPM Authorization Source to achieve a similar result. Observe that your IF expression is also equivalent to:
IF (now + 3 weeks > Certificate:not-valid-after)
So the question then becomes, how to determine the date/time of "now + 3 weeks"?
The answer is that you can do this with SQL. Try the following steps:
1. Create a new Authentication Source:
- Enter the name Time Calculator
- Select type Generic SQL DB
- Set the Cache Timeout to 0
2. On the Primary tab:
- Enter the server name localhost
- Enter the database name tipsdb
- Enter the login username appexternal
- Enter your cluster password as the login password (this is your admin password if you didn't change the cluster password separately)
- Leave other options as defaults
3. On the Attributes tab:
- Add a new filter
- Enter the filter name Three Weeks From Now
- Enter the query expression as follows:
    select current_timestamp + interval '3 weeks' as then;
- Create an attribute named then, with an alias name of Three Weeks From Now, set its data type to Date-Time, and enable it as an Attribute
4. Save the authentication source.
5. Enable this as an authorization source in your service(s) of interest.
Now, when you create an enforcement policy, you can specify a rule that says:
If (Authorization:Time Calculator:Three Weeks From Now GREATER_THAN %{Certificate:Not-Valid-After}) ...
and this should pretty much achieve what you are trying to do.
Even better, you can create whatever time expressions you need using the relatively straightforward SQL syntax, and give them meaningful names in the authorization source ("Three Weeks From Now" in the example above).
See these links for more on the SQL syntax you need:
For convenience, I've exported the Time Calculator authentication source and attached it to this post; the secret key is eTIPS123. Note that after importing you'll need to edit it and set the cluster password.
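An added example, not part of the original post: a query you can run in any PostgreSQL session to check which certificates the rule above would match before wiring it into an enforcement policy. It assumes PostgreSQL interval syntax as used in the filter; the fixed `now_ts`, the subject names and the expiry dates are constructed sample values.

```sql
-- Constructed sample data; now_ts is fixed so the result is reproducible.
-- The authorization source filter on the page uses current_timestamp instead.
with params as (
    select timestamp '2024-03-01 12:00:00' as now_ts
),
certs (subject, not_valid_after) as (
    values
        ('expired',         timestamp '2024-02-28 12:00:00'),
        ('ten-days-left',   timestamp '2024-03-11 12:00:00'),
        ('exactly-3-weeks', timestamp '2024-03-22 12:00:00'),
        ('six-months-left', timestamp '2024-09-01 12:00:00')
)
select
    c.subject,
    c.not_valid_after,
    -- Form used by the enforcement rule: arithmetic on the "now" side,
    -- which is what the SQL filter computes.
    (p.now_ts + interval '3 weeks') > c.not_valid_after as rule_matches,
    -- Form from the original question: arithmetic on the certificate side.
    p.now_ts > (c.not_valid_after - interval '3 weeks') as question_form
from certs c
cross join params p
order by c.not_valid_after;
```

The comparison is strict, so a certificate with exactly three weeks left does not match; already expired certificates do match.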