Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Setting up a MAC policy to allow any user and disable at a specific time

  • 1.  Setting up a MAC policy to allow any user and disable at a specific time

    Posted Nov 14, 2013 12:10 PM

    Can someone point me to where I can set up a policy in ClearPass that allows any user to connect to a specific Guest SSID, stores their MAC, and then deletes the record and logs them out at midnight? The customer has this working on their Amigopod now and I am trying to recreate it in their new ClearPass appliance. Access to the Amigopod is limited, so I am having to try and do this in my lab.

     

    I can see the auth attempts hitting the ClearPass, but they are being rejected. I believe it's rejecting them because it's trying to find their MAC in the user DB. I need to get around this for starters.



  • 2.  RE: Setting up a MAC policy to allow any user and disable at a specific time

    Posted Nov 14, 2013 02:33 PM
    So what do you want to do with the device on day 2 when they return? Or are you trying to get a captive portal set up?


  • 3.  RE: Setting up a MAC policy to allow any user and disable at a specific time

    Posted Nov 18, 2013 12:28 PM

    Hello,

     

    Thanks for the responses. Sorry for the delay in answering your replies. So far I have been able to get the authentication working, but have a couple more small hurdles to cross. Since they have an open guest network, they don't use the guest self-registration form, just a captive portal that sends a generic user/password to the CPPM when they click accept. The piece I am missing now is that after the time expires on the generic user account, it will not allow you to reauthenticate and reset the timer on the account. I'm sure this is something minor I am missing.



  • 4.  RE: Setting up a MAC policy to allow any user and disable at a specific time

    Posted Nov 14, 2013 02:37 PM

    In CPPM:

     

    I don't recall which version you need for this, but look for Service Templates under Configuration.  There's a Service Template for "Guest MAC Authentication".  Fill out all of the information and it will create the service automatically for you.

     

    In ClearPass Guest:

     

    Go to Configuration > Guest Self-Registration

    Add the field "modify_expire_time" to your guest self-registration page.  Modify the field and set the Initial Value to "tomorrow 00:00".

     

    Go to Configuration > Guest Manager

    Set the Expire Action to delete and logout at specified time.



  • 5.  RE: Setting up a MAC policy to allow any user and disable at a specific time

    Posted Nov 18, 2013 12:30 PM

    One more note. I mentioned in the original post that I wanted it to delete the record at midnight. I got ahead of myself there. I need it to keep a generic shared guest account, but delete the cached MAC addresses if possible. Sorry for not stating this more clearly, I was hurrying through too many things.



  • 6.  RE: Setting up a MAC policy to allow any user and disable at a specific time

    Posted Nov 18, 2013 02:01 PM
    Just set the generic account to expire in 30 years.

    You should be able to do this with some programming, but the easiest way is to use the Insight database and just use hours_since_auth in your enforcement policy. So if the user hits accept, they have access for 12 hours.