Security

Reply
Occasional Contributor II
Posts: 12
Registered: ‎02-23-2015

Policy server Failed to get value for attributes=[RemainingExpiration]

Hi,

 

Im getting this alert and its obviously not pulling the value to then send it as the session timeout as per the wizards.

Alerts for this Request  

Policy serverFailed to get value for attributes=[RemainingExpiration]

I have confirmed that the Guest User Repository is under authorisation, and confirmed that attribute is in there as an attribute.

 

Authorization:Sources[Guest User Repository], [Endpoints Repository], [Time Source]

 

Filter NameAttribute NameAlias NameEnabled As 
1.Authenticationsponsor_nameSponsorName-
 remaining_expirationRemainingExpiration-
 expire_timeExpireTime-

 

Im guessing i need to do something in Guest to make it store this attribute??

 

2016-07-06 14:33:15,188[AuthReqThreadPool-16-0x7f17ba1aa700 r=R00000252-01-577ca62b h=42] ERROR ExtDB.DBQuery - ResultSet is empty
2016-07-06 14:33:15,188[AuthReqThreadPool-16-0x7f17ba1aa700 r=R00000252-01-577ca62b h=42] ERROR ExtDB.DBQuery - Failed to get value for attributes=RemainingExpiration]
2016-07-06 14:33:15,189[RequestHandler-1-0x7f17395ea700 h=15466 c=R00000252-01-577ca62b] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Authorization:Guest User Repository]:RemainingExpiration}, error=No values for param=Authorization:Guest User Repository]:RemainingExpiration
2016-07-06 14:33:15,189[RequestHandler-1-0x7f17395ea700 h=15466 c=R00000252-01-577ca62b] ERROR Core.EnfProfileComputer - checkAddAttr: Failed to find finalValue for %{Authorization:Guest User Repository]:RemainingExpiration}
2016-07-06 14:33:15,189[RequestHandler-1-0x7f17395ea700 h=15466 c=R00000252-01-577ca62b] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0

 

TIA

 

Ledge

 

 

 

 

 

 

 

 

 

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Policy server Failed to get value for attributes=[RemainingExpiration]

Please provide screenshots of the service (specifically the tabs using this attribute) and also confirm whether the guest accounts you are matching are enabled and have a value for this field. You should be able to see this under the Manage Accounts section under ClearPass Guest if you click Show Details.

David
ACDX #98 | ACMP | ACCP
Occasional Contributor II
Posts: 12
Registered: ‎02-23-2015

Re: Policy server Failed to get value for attributes=[RemainingExpiration]

[ Edited ]

Hi,

 

 Its created by the wizards. 

 

This is the enforcement action from the Guest User Repository,

Radius:IETFSession-Timeout=

%{Authorization:[Guest User Repository]:RemainingExpiration}

The Guest user does not have the attribute as its only supposed to have "expire time"  and the Source filter in the source "Guest User Repository" calculates this

 

Authenticationsponsor_nameSponsorName-
 remaining_expirationRemainingExpiration-
 expire_timeExpireTime-

But ive worked out the issue is that clearpass is not pulling the attributes at all from the Guest User Repository even though it is selected in the Authorisation tab.

 

Im guessing that Clearpass will not pull authorisaation attributes from a source it didnt authenticate with?  As it seems to get the attributes when doing Webauth against the Guest User Repository, but when its doing MAC-Auth it wont go get the attributes, i assume because its authenticating against the endpoint repository?

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Policy server Failed to get value for attributes=[RemainingExpiration]

I guess this is because the Authorisation attributes on the [Guest User Repository] authentication source do not have RemainingExpiration set-up like the Authentication attributes does:

 

Capture.JPG

 

I would think you would need to amend the Authorisation filter to allow the collection of the remaining_expiration attribute.

 

Alternatively, you could write this value to the Endpoints Repository once the web auth takes place and then look it up from there for future MAC authentications. You may need to add some maths to the lookup though.

David
ACDX #98 | ACMP | ACCP
Occasional Contributor II
Posts: 12
Registered: ‎02-23-2015

Re: Policy server Failed to get value for attributes=[RemainingExpiration]

Thanks, Ill hopefully have some time next week to look at this again.

 

Ill let you know how i go.

Search Airheads
Showing results for 
Search instead for 
Did you mean: