Security

Reply
MVP
Posts: 1,408
Registered: ‎05-28-2008

How to limit the expiration time of each guest user ? |

Hi Guys,

I have to questions:

1

How to limit the expiration time of each guest user ? | each guest the create a user - the cppm showing that is for 24 hours...i want to do it for 1 hour.


2

I would like that the device of the guest user will be able to relogin again only after 24 hours since first login

 

 

Any assistance will be very appreciate.

 

Thanks in advance.


Me

 

 

 

 

 

 

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: How to limit the expiration time of each guest user ? |

1. Are you referring to self-registered guests?  If so, you need to edit (or change) the value of the field in the guest_register form.  There is a default field called expire_after.  The default value of this field is 24 hours.  You can either change this value or create a new field and substitute your new field for thie expire_after field in teh guest_register form.

 

2. To clarify your question.  Do you want the device to have to wait 24 hours before being able to get back on?  Or are you looking to set it so it caches the devices for 24 hours before it makes them re-register?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: How to limit the expiration time of each guest user ? |

Hi

 

1. Thanks - already figure it our by myself - but thanks!

2.Yep,i would like that device will have to wait 24 hours in order to be able to re-register / login to the service aftter the first 1 hour had over.

 

please advise.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: How to limit the expiration time of each guest user ? |

clembo.. any answer on "2" ?
*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: How to limit the expiration time of each guest user ? |

Kdisc,

 

You can set the auto_account_update attribute to zero in the Configuration> Guest self registration> Edit> Register Page form.

 

That will keep a user from being able to modify his own existing account until the account's lifetime is over.  If the account's lifetime is 24 hours, it will be removed from ClearPass after 24 hours and after that time, the user will be able to create another account.  That is separate from the account expiry, which says how long the user will be able to actually login.  In this example you would have the expiry set to 1 hour and the lifetime set to 24 hours.  Please see the post here:  http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-Guest-Self-Registration-question/td-p/52058

 

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: How to limit the expiration time of each guest user ? |

[ Edited ]

EDIT:

Posted after cjoseph's suggestion.    Will leave for reference.

 

As for #2; I have not done this personally, but you may be able to do it given some of the ClearPass tools.

 

  1. First, you'll need to make sure that when a guest account is created, the MAC address is passed, created, and linked to the guest.    You need to add the mac and mac_auth fields to the guest_register form.   Do a quick search in the help for "Creating Devices During Self-Registration - MAC Only"
  2. Then you can use the Role Mapping policies to configure a a role (which can then be tied to some deny role or whatever) that looks at the Guest User DB and checks the RemainingExpiration value (see below)
  3. You may have to couple this with an AAA profile that uses both CP and MAC authentication.

 cp-guest-expiry-policy.jpg

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: How to limit the expiration time of each guest user ? |

clembo,cjoseph - thanks on all the great tips/info - i will check it first thing tomorrow morning in the lab - and update u in the results.

Me.
*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: How to limit the expiration time of each guest user ? |

cjoseph - just to be more understood:
i don't want that the same device will be able to create another user (or use the same user he built after the 1 hour expiry passing ) - until 24 hours will pass - can it be achived with your idea?
*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: How to limit the expiration time of each guest user ? |

kdisc,

 

My "idea" is only limits users based on a user account.  If you have users tied to a specific email, it will work.  If you want to lock specific mac addresses down, please consider Clembo's solution.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: How to limit the expiration time of each guest user ? |

cjoseph

Lets say i have an ipad and i register username: kdisc98 email: kdisc98@boom.com ... And 1 hour passing , i can re-register my device with username: kdisc982 email: kdisc98@boomboom.com .. And continue using the service....

 

I would like to prevent this behavior - that's why i want to block the user device after 1 hour of use each 24 hours.
(The username / email aren't important - because it's self provisioned accounts...)

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Search Airheads
Showing results for 
Search instead for 
Did you mean: