07-17-2014 03:38 PM
Hoping someone here has seen this and can tell me what I might be missing. We are setting up guest users to be granted access immediately (no sponsor approval), but send the sponsor an email with the option to reject the client. This works and has been accomplished by changing the initial role of the “enabled” field in Forms & Views to 1. The guest account becomes active while sending the sponsor email (as defined under the Guest Self-Registration). What I am seeing is that the reject works correctly (CoA Back to the controller), user disconnected and the account is deleted from the guest user repository, but as soon as the client is disconnected, they are able to MAC cache with a deleted account. Has anyone seen this or know what I need to do to stop this from happening?
07-17-2014 04:27 PM
Add a rule at the top of your MAC cache service that uses the Guest-Check authorization source.
Guest-MAC-Check:UserNAME NOT_EXISTS GUEST-REGISTRATION PROFILE
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
07-21-2014 12:58 PM
Thanks Tim for pointing me in the correct direction. In the newer version of CPPM, the service auto-creates the MAC-Guest-Check:UserName EXISTS in the enforcement policy; this is what was missing.
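The behaviour discussed in this thread, as an added illustration that is not part of any post and is not ClearPass code: a simplified Python model of first-match enforcement, showing why a cached MAC still gets access after the guest account is deleted and how an account-existence rule at the top of the policy stops it. The profile names, data structures and function names are assumptions made for the example.

```python
# Simplified model of first-match enforcement for a MAC-caching service.
# Every name here is illustrative; none of it is a ClearPass API.

GUEST_ACCESS = "guest-access"        # assumed profile: cached device is let through
REGISTRATION = "guest-registration"  # assumed profile: client is sent back to the portal


def guest_check(mac, endpoints, guest_repo):
    """Return the guest username cached for this MAC, or None if that
    account no longer exists in the guest user repository."""
    user = endpoints.get(mac, {}).get("guest_username")
    return user if user in guest_repo else None


def account_missing(ctx):
    # Models the "UserName NOT_EXISTS" condition from the thread.
    return ctx["guest_user"] is None


def mac_cached(ctx):
    # Looks only at the endpoint record, which outlives the guest account.
    return ctx["endpoint"].get("guest_username") is not None


ORIGINAL_POLICY = [(mac_cached, GUEST_ACCESS)]
FIXED_POLICY = [(account_missing, REGISTRATION), (mac_cached, GUEST_ACCESS)]


def evaluate(mac, endpoints, guest_repo, policy):
    """Apply the first rule whose condition matches; default to registration."""
    ctx = {"endpoint": endpoints.get(mac, {}),
           "guest_user": guest_check(mac, endpoints, guest_repo)}
    for condition, profile in policy:
        if condition(ctx):
            return profile
    return REGISTRATION


def demo():
    # Constructed sample data: one cached endpoint and its guest account.
    mac, user = "aa:bb:cc:dd:ee:ff", "visitor@example.com"
    endpoints = {mac: {"guest_username": user}}
    guest_repo = {user}
    out = {"active/fixed": evaluate(mac, endpoints, guest_repo, FIXED_POLICY)}
    guest_repo.discard(user)  # sponsor rejects: account deleted, cache entry remains
    out["deleted/original"] = evaluate(mac, endpoints, guest_repo, ORIGINAL_POLICY)
    out["deleted/fixed"] = evaluate(mac, endpoints, guest_repo, FIXED_POLICY)
    return out


if __name__ == "__main__":
    for case, profile in demo().items():
        print(f"{case}: {profile}")
```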