Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to set an expire date for an endpoint?

  • 1.  How to set an expire date for an endpoint?

    Posted Mar 02, 2014 11:05 PM

    Hi,

    My customer is using CPPM 6.3 for MAC authentication. Here is the requirement:

    An endpoint is allowed access before the end of the year, say Dec 31; before that date the endpoint is valid. After that date, the endpoint is invalid and the user has to register the endpoint again.

    I checked the endpoint database on CPPM; there is NO way to set a field for an expire date. Any idea?

    Thanks,

    Patrick



  • 2.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Mar 02, 2014 11:25 PM

    How are they registering the device?

    If it's done with MacTrac device register, then you can put an expire date on the device. If it just goes through a service, you can use the known vs. unknown to put a restriction on the device to force it to a page or deny access.



  • 3.  RE: How to set an expire date for an endpoint?

    Posted Mar 02, 2014 11:30 PM

    Thanks Troy.

    What is MacTrac?

    They just use a page to authenticate against AD, then in the service I mark the endpoint as KNOWN.

    But as you know, in the endpoint DB there is no field called expire date.

    Or is there an automatic way (a script or something) to flush all endpoint entries on Dec 31 (although this is not a perfect solution)?

    They don't have a Guest or Onboard license.

    Regards,

    Peiyong



  • 4.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Mar 03, 2014 12:20 AM

    I will have to see what is the most efficient way of doing it, but if they are marking the device known when it is registered then you should be able to use that.

    Let me dig around for a day and see what we can come up with. I threw it out to the other ClearPass SEs to see what they also come up with and pick the most efficient way.



  • 5.  RE: How to set an expire date for an endpoint?

    Posted Mar 03, 2014 01:25 AM

    Thanks Troy.

    Awaiting your best solution!

    Regards,

    Patrick



  • 6.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Mar 03, 2014 01:45 AM
    One quick question.

    Are you using a web login page or a modified self-service portal to register the devices?


  • 7.  RE: How to set an expire date for an endpoint?

    Posted Mar 03, 2014 04:59 AM

    We just use the web login page to register the user's MAC.

    Cheers,

    Patrick



  • 8.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Mar 04, 2014 12:05 AM

    So you do have multiple options here. The easiest one depends on whether they have certain users that register the device or the users do their own.

    If it's staff or even personal devices, you can create a self-service account on CPGuest to allow the users to manage the devices they have registered. You can hard-code an expiration date in the portal, and it gives them the option, if they lose or change a device, to delete their old one and add a new one.

    Here is a quick example. You can add and remove the fields you want.

    [Screenshot: Screen Shot 2014-01-06 at 12.47.53 AM.png]

    The other option is to create a self-service portal page where you can add the device and put an expiration on the device.

    The last one would be a little bit more complicated, but you could do a custom SQL and put in an attribute of the expiration date.

    I'm sure there are a couple more, but I wanted to give you some options to start with.



  • 9.  RE: How to set an expire date for an endpoint?

    Posted Mar 04, 2014 12:26 AM

    Hi Troy,

     

    First, the customer does NOT have a Guest license. I understand you don't need a Guest license to do MACTrac, but can you use this device list DB to do MAC Auth?

    I would like to know what custom SQL is needed to put an 'expire' field in the Endpoint DB, because the only way we can see the student's device is when they associate with an open SSID and land on a web page. Then they put in their AD credentials and CPPM marks the Endpoint as 'known'. Then the Endpoint DB will be used for the MAC Auth when the student associates next time.

    Regards,

    Patrick



  • 10.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Mar 04, 2014 12:35 AM
    Yes you can use the list for mac auth.

    I'm not a SQL expert so someone will have to put together the SQL query for me and then I can pass it off. I just don't know how long it will take.

    I will let you know when I get it.


  • 11.  RE: How to set an expire date for an endpoint?

    Posted Mar 04, 2014 12:40 AM

    So if I don't want the student to be the MACTrac operator, how do I capture their MAC and put it into this Device list?

    Some screen captures might be helpful. Thanks Troy.

    Patrick



  • 12.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Mar 04, 2014 01:16 AM

    It would be best if you work with your local SE, since there are a lot of things you will need to set. I'll see if I can remember all the steps.

    Your network admins should by default already have access.

    1. If you go to Forms and Views and scroll down, there should be one named mactrac_create. Personally I like to make a copy of the original so I have a backup to go back to.

    [Screenshot: screenshot_08 Mar. 03 23.48.gif]

    2. You can click edit and add or remove fields. One field you will need to add is the expire_time; set that to the end of the year. You can remove the other fields you don't want, including the AirGroup ones.

    [Screenshot: screenshot_12 Mar. 04 00.03.gif]

    [Screenshot: screenshot_10 Mar. 03 23.54.gif]

    3. Then you can click on Use and you will see the following page.

    [Screenshot: screenshot_11 Mar. 03 23.56.gif]

    4. What I do is put the link to the page somewhere they can remember it, like on one of the internal admin help pages or a web login.

    [Screenshot: screenshot_09 Mar. 03 23.49.gif]

    5. You can create a custom operator profile to assign the main page to. I don't remember off the top of my head and I don't have a fresh 6.3 install to look at, but it might already be created. You will just need to reference it.

    [Screenshot: screenshot_14 Mar. 04 00.11.gif]

    Hopefully I didn't miss anything, but that should get you started. :)



  • 13.  RE: How to set an expire date for an endpoint?

    Posted Mar 05, 2014 10:18 AM

    Thanks Troy.

    So your idea is to land a user on a page to put in username/password. After authentication they need to register the MAC manually on the operator page. Right?

    But my requirement is to land a user on a page to put in username/password and, in the meantime, have the page capture the MAC automatically (say the NAD can send the MAC in the redirect request) and put it in the device DB with an expire_time. Can it be done?

    Regards,

    Patrick



  • 14.  RE: How to set an expire date for an endpoint?

    Posted Jul 24, 2014 11:32 AM

    Patrick... Were you able to get this done as you described? I have a similar requirement where we want to allow the user to authenticate to a captive portal page against our AD.

    As I currently have it working, the user authenticates and an endpoint is created. The missing part is the expiration of the endpoint. I would like for the endpoint to expire after 24 hours so that the user is forced to the captive portal page again...

    We are also deploying a dotx network and the hope is that most of our users will use QuickConnect to connect to it.

    While I would like for the endpoint to expire if registered via the captive portal, I would prefer it not to expire when coming from the dotx network. Does this sound possible?



  • 15.  RE: How to set an expire date for an endpoint?

    Posted Jul 28, 2014 01:42 AM

    Yes, I made it, but it is not in the endpoint DB, because there is no Expiration field in the endpoint DB.

    It is in the Guest DB under the device list. That's the only place that I can think of to put an expiration date in.

    Regards,

    Patrick



  • 16.  RE: How to set an expire date for an endpoint?

    Posted Sep 06, 2016 10:15 PM

    Did you ever get this working?

    We are doing the same thing. Students land on a captive portal page, authenticate against LDAP and are then marked as known clients.

    But now we need to expire these endpoints at the end of the school semester. One option is to blow away the whole endpoint DB so we start fresh, but we are looking for something less drastic.

    For guests and offline devices, we use the Guest module, which has its own expiration. Offline devices last until the end of the semester and guests 24 hours.

    TIA.



  • 17.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Sep 06, 2016 10:17 PM
    Have you considered using the guest device repository? This provides
    self-registration of devices, role-based access, role-based expiration,
    customized registration portal and full self-service.


  • 18.  RE: How to set an expire date for an endpoint?

    Posted Sep 06, 2016 10:27 PM

    Have 12000 devices, only 500 guest licenses...



  • 19.  RE: How to set an expire date for an endpoint?

    EMPLOYEE
    Posted Sep 06, 2016 10:32 PM
    The guest device repository does not consume guest licenses.


  • 20.  RE: How to set an expire date for an endpoint?

    Posted Sep 06, 2016 10:34 PM

    OHHH! Thank you! So confused here then. I thought it required a license so that's why we were using captive portal and mac auth. We saved guest licenses for offline device registrations and true guests.



  • 21.  RE: How to set an expire date for an endpoint?

    Posted Sep 07, 2016 12:25 AM

    Yes, guest devices won't consume a Guest license.

    It works like this:

    1) First time: landing page to authenticate against AD ---> next page with T&C and an OK button to register the MAC to the Guest Device DB with an expiration date ---> CoA to change the user role

    2) Second time onwards: MAC authentication directly puts the device into the correct role

    3) Expiration date (term end): flush all devices in the Guest Device DB automatically

    4) After the expiration date: go back to 1)