Occasional Contributor II
Posts: 13
Registered: ‎03-27-2012

How to set Expiration-time for a guest

Hi all, I'd need to know if it is possible to set an expiration time (relative as hours/minutes or absolute as a datetime) for a guest user authenticated by RADIUS. I've checked and found an "Expiration" attribute among the radius-attributes supported (#show aaa radius-attributes): this attribute is defined with a type "Date" and is 21 bytes long.

Can I define it on my RADIUS server and pass it back to the controller in order to set an expiration datetime on a guest-user basis?

How must this field be formatted/structured?

Thanks in advance for your help.

Guru Elite
Posts: 7,870
Registered: ‎09-08-2010

Re: How to set Expiration-time for a guest

What RADIUS server are you using? You'd need some type of guest functionality on that server to enforce the guest expiration. Session-timeout will only stop the active session.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor II
Posts: 13
Registered: ‎03-27-2012

Re: How to set Expiration-time for a guest

Hi Tim, I'm in a project phase and I haven't decided the Radius yet, I'm free to choose what I want. If you can suggest a server with guest functionality it would be good.

Actually I can't figure out how session timeout and guest expiration can work together... What I need is to create a guest in the RADIUS DB specifying an expiration date (for example 2015-01-01 07:00pm) and be sure that the user will not be able to log in after that time... mmmm thinking about it I'm realizing that the problem can be completely managed internally at the RADIUS. After 7:00pm the request access is simply rejected! The only thing left open is how to force the controller to disconnect the user at 7:00pm... maybe by session-timeout?

Guru Elite
Posts: 7,870
Registered: ‎09-08-2010

Re: How to set Expiration-time for a guest

ClearPass would be the recommended solution.



Your RADIUS server needs a guest database to track expiration time. You can
send back a session timeout that calculates expiration minus now, but that
wouldn't prevent the user from reauthenticating. You need a solution that
can expire accounts.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor II
Posts: 13
Registered: ‎03-27-2012

Re: How to set Expiration-time for a guest

Thank you Tim for your really precious advice...

ClearPass was my first thought but we don't have the budget for it :-(

A possible solution could rely on Session Timeout (calculated as expiration-datetime minus now-datetime as you suggested) passed back with a VSA from RADIUS to Controller AND a local check on the RADIUS that rejects access-requests sent after expiration-time. In other words the RADIUS should be configured to:

a) reject access-requests "outside" the guest account validity interval (before the beginning and after the end)

b) accept access-requests "inside" the guest account validity interval (after the beginning and before the end). In this case the RADIUS calculates the Session-Timeout and instructs the controller to "clear" the session accordingly (exactly at expiration time).

Once the guest user tries to connect again it's rejected because of a).

Does it make sense to you?
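
The policy in (a) and (b) above, as an added example that is not part of the original post and not any RADIUS server's own code. `GuestAccount` and `authorize_guest` are hypothetical names; it assumes credentials were already verified, timestamps are timezone-aware, and Session-Timeout is the standard RADIUS attribute expressed in seconds.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class GuestAccount:  # hypothetical record in the RADIUS server's guest database
    username: str
    valid_from: datetime   # timezone-aware start of validity
    valid_until: datetime  # timezone-aware expiration
    enabled: bool = True   # False forces a reject regardless of the dates


def authorize_guest(account: Optional[GuestAccount], now: datetime):
    """Return (packet_type, reply_attributes) for an already-authenticated guest."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    if account is None or not account.enabled:
        return "Access-Reject", {}
    # (a) outside the validity interval: reject, so reconnecting after expiry fails
    if now < account.valid_from or now >= account.valid_until:
        return "Access-Reject", {}
    # (b) inside the interval: the session may last only until the expiration time
    remaining = int((account.valid_until - now).total_seconds())
    if remaining < 1:  # less than one second left: treat the account as expired
        return "Access-Reject", {}
    return "Access-Accept", {"Session-Timeout": remaining}  # value in seconds


# Constructed sample data, using the expiration from the thread (assumed UTC).
GUEST = GuestAccount(
    username="guest01",
    valid_from=datetime(2015, 1, 1, 9, 0, tzinfo=timezone.utc),
    valid_until=datetime(2015, 1, 1, 19, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for hour in (8, 18, 19):
        t = datetime(2015, 1, 1, hour, 0, tzinfo=timezone.utc)
        print(t.isoformat(), authorize_guest(GUEST, t))
```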

   

Guru Elite
Posts: 7,870
Registered: ‎09-08-2010

Re: How to set Expiration-time for a guest

Yes, although the easier method would be to just set the accounts to disable
after they expire thus causing a reject.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor II
Posts: 13
Registered: ‎03-27-2012

Re: How to set Expiration-time for a guest

Good, we can disable or remove from database.

Are you sure that Session-Timeout will force the controller to unconditionally stop the session, regardless of its activity state?

A last question: can you confirm that I can pass back from RADIUS to Controller (via a specific VSA) the Role a guest-user must be assigned to?

Thanks in advance.

Guru Elite
Posts: 7,870
Registered: ‎09-08-2010

Re: How to set Expiration-time for a guest

Yes and yes.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor II
Posts: 13
Registered: ‎03-27-2012

Re: How to set Expiration-time for a guest

Thank you Tim!

I gave you Kudo.

Regards.