Occasional Contributor II

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Well, I'm back again with the same issue... I don't know if I'm missing something, or the whole thing is so unstable, but I'm back with the same behaviour: can't get the MAC caching service triggered most of the time... Only if I don't apply ALL the timeout profiles, including the MAC caching session timeout, does it behave near expected, but the controller says a web auth session is going on, even after rebooting the client...


Does anybody have a detailed document that could be shared to check against my own config? Now I'm doubtful about everything, including controller configuration, ClearPass Guest self-registration forms, fields and so on... Even how ClearPass is managing date and epoch, with a timezone different from the reference, is suspicious to me now...

I'm missing something for sure...


Thank you very much in advance,


New Contributor

Re: [HowTo] Auto-Sponsor with Clearpass Guest


I have a problem with SMTP

Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

For the SMTP, I assume you are getting the STARTTLS error. I just answered that on a different thread.


I do have a different issue. All this works great, however if the client resets his connection before the user is confirmed, MAC auth is done and the session timeout is changed to default. I can set it there to 360 seconds as well, but when a user is confirmed, 360 seconds is not required anymore.

I tried setting an unvalidated role for the user during registration and changing the role when sponsored. However, the endpoint keeps the original role ID.


Also, in the additional settings file, ${GuestUser:do-expire} is used during the MAC auth. But ClearPass does not seem to be able to translate this to the value of do-expire. It just literally sets the string ${GuestUser:do-expire} in the endpoint.


I've added screenshots in the file below.


Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

I found a workaround. 


I've edited the Guest User Repository source to include the RemainingExpiration attribute of the user. It is already in the authentication query but not in the authorization query. I named the alias RemainingExpirationAuth.


I then added a few rules to the enforcement policy for the MAC auth.

  1. Default MAC auth enforcement.
    Check the Insight repository for hours-since-auth, check if the endpoint contains the valid user role, check if the guest account is enabled and not expired.
    This results in a RADIUS allow access enforcement profile that sets the reauth timer to 86400.
  2. Check if the endpoint role is unvalidated and if the RemainingExpirationAuth is larger than 300 seconds. 300 seconds are the 5 minutes that were set for the free Wi-Fi access.
    This results in the endpoint user role ID being updated and a RADIUS allow access enforcement profile that sets the reauth timer to 86400.
  3. Check if the endpoint role is unvalidated. Since I use first-applicable, the RemainingExpirationAuth will be less than or equal to 300 seconds.
    This results in a RADIUS allow access profile that sets the reauth timer to 360 seconds.
  4. Check if the endpoint role is set to the validated role but the account is disabled or expired. This results in a RADIUS deny profile and a Set Endpoint Unknown.

Now the user can be disconnected during his 5 minutes of free Wi-Fi and reconnect using MAC while remaining on a short reauth timer. And when the user validates his email he will receive a normal reauth timer in the same service.


There can be some improvements but for me this is working right now.

  1. You can edit the Guest User Repository authorization query to return the guest role ID and use that attribute to set the final role instead of checking the RemainingExpiration field. It would make the service more generic if you have multiple SSIDs.
  2. You can also use the RemainingExpiration field as a value for the short reauth timer, although you should increase it by 60 seconds as a buffer. This would make it a more generic enforcement profile.

I've added screenshots of my current configuration.
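The four first-applicable rules above, plus the "RemainingExpiration + 60 seconds" variant from the improvements list, modelled as a small policy evaluator. This is an added example, not the poster's configuration or ClearPass code: the role names, the `Request`/`Decision` types and the `evaluate()` function are assumptions, and the Insight hours-since-auth check from rule 1 is left out because the post does not give its threshold.

```python
from dataclasses import dataclass
from typing import Optional

FREE_ACCESS_SECONDS = 300   # 5 minutes of free Wi-Fi before the sponsor confirms
SHORT_REAUTH = 360          # short reauth timer while the endpoint is unvalidated
NORMAL_REAUTH = 86400       # normal reauth timer once validated
BUFFER_SECONDS = 60         # buffer suggested for the RemainingExpiration-based timer

@dataclass
class Request:
    endpoint_role: str          # hypothetical names: "validated" or "unvalidated"
    remaining_expiration: int   # RemainingExpirationAuth, seconds left on the guest account
    account_enabled: bool
    account_expired: bool

@dataclass
class Decision:
    access: str                             # "allow" or "deny"
    session_timeout: Optional[int] = None   # RADIUS reauth timer in seconds
    new_endpoint_role: Optional[str] = None # endpoint role update, if any
    endpoint_status: Optional[str] = None   # e.g. "Unknown" for Set Endpoint Unknown

def evaluate(req: Request, generic_timer: bool = False) -> Decision:
    """Walk the rules in order and return the first match (first-applicable)."""
    # Rule 1: validated endpoint, account enabled and not expired -> normal timer
    if req.endpoint_role == "validated" and req.account_enabled and not req.account_expired:
        return Decision("allow", NORMAL_REAUTH)
    # Rule 2: unvalidated, but the sponsor confirmed (expiration beyond the free window)
    #         -> flip the endpoint role and hand out the normal timer
    if req.endpoint_role == "unvalidated" and req.remaining_expiration > FREE_ACCESS_SECONDS:
        return Decision("allow", NORMAL_REAUTH, new_endpoint_role="validated")
    # Rule 3: unvalidated and still inside the free window (remaining <= 300 here,
    #         because rule 2 did not match) -> short timer, keep the role
    if req.endpoint_role == "unvalidated":
        timeout = req.remaining_expiration + BUFFER_SECONDS if generic_timer else SHORT_REAUTH
        return Decision("allow", timeout)
    # Rule 4: validated endpoint whose account is disabled or expired -> deny and reset
    if req.endpoint_role == "validated":
        return Decision("deny", endpoint_status="Unknown")
    # No rule matched: default deny
    return Decision("deny")
```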

