Contributor I
Posts: 25
Registered: ‎07-01-2014

MAC Caching with deleted accounts

Hoping someone here has seen this and can tell me what I might be missing. We are setting up guest users to be granted access immediately (no sponsor approval), but send the sponsor an email with the option to reject the client. This works and has been accomplished by changing the initial role of the “enabled” field in Forms & Views to 1. The guest account becomes active while sending the sponsor email (as defined under the Guest Self-Registration). What I am seeing is that the reject works correctly (CoA back to the controller), the user is disconnected and the account is deleted from the guest user repository, but as soon as the client is disconnected, they are able to MAC cache with a deleted account. Has anyone seen this or know what I need to do to stop this from happening?

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: MAC Caching with deleted accounts

Add a rule at the top of your MAC cache service that uses the Guest-Check authorization source.

 

Guest-MAC-Check:UserNAME   NOT_EXISTS   GUEST-REGISTRATION PROFILE


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 25
Registered: ‎07-01-2014

Re: MAC Caching with deleted accounts

Thanks, Tim, for pointing me in the correct direction. In the newer version of CPPM, the service auto-creates the MAC-Guest-Check:UserName EXISTS in the enforcement policy; this is what was missing.
