Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to limit the expiration time of each guest user?

  • 1.  How to limit the expiration time of each guest user ? |

    Posted May 28, 2013 05:55 AM

    Hi Guys,

    I have two questions:

    1. How to limit the expiration time of each guest user? Each guest creates a user, and the CPPM shows that it is for 24 hours... I want to do it for 1 hour.

    2. I would like the device of the guest user to be able to log in again only 24 hours after the first login.

    Any assistance will be very appreciated.

     

    Thanks in advance.


    Me


  • 2.  RE: How to limit the expiration time of each guest user ? |
    Best Answer

    Posted May 28, 2013 09:50 AM

    1. Are you referring to self-registered guests?  If so, you need to edit (or change) the value of the field in the guest_register form.  There is a default field called expire_after.  The default value of this field is 24 hours.  You can either change this value or create a new field and substitute your new field for the expire_after field in the guest_register form.

     

    2. To clarify your question.  Do you want the device to have to wait 24 hours before being able to get back on?  Or are you looking to set it so it caches the devices for 24 hours before it makes them re-register?



  • 3.  RE: How to limit the expiration time of each guest user ? |

    Posted May 28, 2013 10:01 AM

    Hi

     

    1. Thanks - already figured it out by myself - but thanks!

    2. Yep, I would like the device to have to wait 24 hours in order to be able to re-register / log in to the service after the first 1 hour is over.

    Please advise.



  • 4.  RE: How to limit the expiration time of each guest user ? |

    Posted May 28, 2013 10:40 AM
    clembo.. any answer on "2" ?


  • 5.  RE: How to limit the expiration time of each guest user ? |
    Best Answer

    EMPLOYEE
    Posted May 28, 2013 11:10 AM

    Kdisc,

     

    You can set the auto_account_update attribute to zero in the Configuration > Guest self registration > Edit > Register Page form.

     

    That will keep a user from being able to modify his own existing account until the account's lifetime is over.  If the account's lifetime is 24 hours, it will be removed from ClearPass after 24 hours and after that time, the user will be able to create another account.  That is separate from the account expiry, which says how long the user will be able to actually login.  In this example you would have the expiry set to 1 hour and the lifetime set to 24 hours.  Please see the post here:  http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-Guest-Self-Registration-question/td-p/52058

     

     

     



  • 6.  RE: How to limit the expiration time of each guest user ? |

    Posted May 28, 2013 12:38 PM
    cjoseph - just to be better understood:
    I don't want the same device to be able to create another user (or use the same user he built after the 1 hour expiry has passed) until 24 hours have passed - can it be achieved with your idea?


  • 7.  RE: How to limit the expiration time of each guest user ? |

    EMPLOYEE
    Posted May 28, 2013 12:46 PM

    kdisc,

     

    My "idea" only limits users based on a user account.  If you have users tied to a specific email, it will work.  If you want to lock specific mac addresses down, please consider Clembo's solution.

     



  • 8.  RE: How to limit the expiration time of each guest user ? |

    Posted May 28, 2013 01:02 PM

    cjoseph

    Let's say I have an iPad and I register username: kdisc98 email: kdisc98@boom.com ... And after 1 hour passes, I can re-register my device with username: kdisc982 email: kdisc98@boomboom.com .. And continue using the service....

    I would like to prevent this behavior - that's why I want to block the user device after 1 hour of use each 24 hours.
    (The username / email aren't important - because they're self-provisioned accounts...)



  • 9.  RE: How to limit the expiration time of each guest user ? |

    Posted May 29, 2013 07:20 AM

    Hi Guys...

     

    Still doesn't work... I configured the 1 hour expiry <- this is working great!

    But after 1 hour the same device can re-login with a different/new username ... and I don't want him to be able to do it (each user can log in for 1 hour each 24 hours).

    Please advise - I must solve this issue today.



  • 10.  RE: How to limit the expiration time of each guest user ? |

    Posted Jul 10, 2015 04:47 PM

    I am trying to do this, too.  Did you ever get an answer and/or get this figured out?



  • 11.  RE: How to limit the expiration time of each guest user ? |

    Posted May 28, 2013 11:16 AM

    EDIT:

    Posted after cjoseph's suggestion.    Will leave for reference.

     

    As for #2; I have not done this personally, but you may be able to do it given some of the ClearPass tools.

     

    1. First, you'll need to make sure that when a guest account is created, the MAC address is passed, created, and linked to the guest.    You need to add the mac and mac_auth fields to the guest_register form.   Do a quick search in the help for "Creating Devices During Self-Registration - MAC Only"
    2. Then you can use the Role Mapping policies to configure a role (which can then be tied to some deny role or whatever) that looks at the Guest User DB and checks the RemainingExpiration value (see below)
    3. You may have to couple this with an AAA profile that uses both CP and MAC authentication.

     cp-guest-expiry-policy.jpg
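
The difference between tying the 24-hour lifetime to the account name and tying it to the device MAC, as discussed in posts 5 to 11, shown as an added example. It is not part of any post and is not ClearPass code or configuration: it is a small Python model using the thread's 1-hour expiry and 24-hour lifetime, and the class, function names, MAC address and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

EXPIRY = timedelta(hours=1)     # login window after registration (thread's value)
LIFETIME = timedelta(hours=24)  # record is kept, and re-registration refused, this long


class GuestModel:
    """Toy model of self-registration; hypothetical, not ClearPass code."""

    def __init__(self, key_field):
        if key_field not in ("username", "mac"):
            raise ValueError("key_field must be 'username' or 'mac'")
        self.key_field = key_field
        self.created = {}  # lockout key -> registration time

    def _key(self, username, mac):
        if self.key_field == "mac":
            return mac.lower().replace("-", ":")  # normalise MAC notation
        return username.lower()

    def register(self, username, mac, now):
        """Accept a registration unless the same key is still inside its lifetime."""
        key = self._key(username, mac)
        first = self.created.get(key)
        if first is not None and now - first < LIFETIME:
            return False
        self.created[key] = now
        return True

    def can_login(self, username, mac, now):
        """Login is allowed only during the expiry window of a live record."""
        first = self.created.get(self._key(username, mac))
        return first is not None and now - first < EXPIRY


def replay(key_field):
    """Replay the sequence from post 8 (constructed MAC and times)."""
    t0 = datetime(2013, 5, 28, 9, 0)
    mac = "AA-BB-CC-00-11-22"  # constructed sample address
    m = GuestModel(key_field)
    return [
        m.register("kdisc98", mac, t0),                           # first registration
        m.can_login("kdisc98", mac, t0 + timedelta(minutes=30)),  # inside the hour
        m.can_login("kdisc98", mac, t0 + timedelta(minutes=61)),  # expiry passed
        m.register("kdisc982", mac, t0 + timedelta(minutes=61)),  # new name, same device
        m.register("kdisc983", mac, t0 + timedelta(hours=24, minutes=1)),  # next day
    ]
```

`replay("username")` accepts the second registration at 61 minutes, while `replay("mac")` refuses it until the 24-hour lifetime has passed.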



  • 12.  RE: How to limit the expiration time of each guest user ? |

    Posted May 28, 2013 12:11 PM
    clembo, cjoseph - thanks for all the great tips/info - I will check it first thing tomorrow morning in the lab - and update you on the results.

    Me.