11-14-2013 09:10 AM
Can someone point me to where I can set up a policy in ClearPass that allows any user to connect to a specific Guest SSID, stores their MAC, and then deletes the record and logs them out at midnight? The customer has this working on their Amigopod now and I am trying to recreate it in their new ClearPass appliance. Access to the Amigopod is limited, so I am having to try and do this in my lab.
I can see the auth attempts hitting the ClearPass, but they are being rejected. I believe it's rejecting them because it's trying to find their MAC in the user DB. I need to get around this for starters.
11-14-2013 11:36 AM
I don't recall which version you need for this, but look for Service Templates under Configuration. There's a Service Template for "Guest MAC Authentication". Fill out all of the information and it will create the service automatically for you.
In ClearPass Guest:
Go to Configuration > Guest Self-Registration
Add the field "modify_expire_time" to your guest self-registration page. Modify the field and set the Initial Value to "tomorrow 00:00".
Go to Configuration > Guest Manager
Set the Expire Action to delete and logout at specified time.
11-18-2013 09:27 AM
Thanks for the responses. Sorry for the delay in answering your replies. So far I have been able to get the authentication working, but have a couple more small hurdles to cross. Since they have an open guest network, they don't use the guest self-registration form, just a captive portal that sends a generic user/password to the CPPM when they click accept. The piece I am missing now is that after the time expires on the generic user account, it will not allow you to reauthenticate and reset the timer on the account. I'm sure this is something minor I am missing.
11-18-2013 09:29 AM
One more note. I mentioned in the original post that I wanted it to delete the record at midnight. I got ahead of myself there. I need it to keep a generic shared guest account, but delete the cached MAC addresses if possible. Sorry for not stating this more clearly; I was hurrying through too many things.
11-18-2013 11:01 AM
You should be able to do this with some programming, but the easiest way is to use the Insight database and just use hours_since_auth in your enforcement policy. So if the user hits accept, they have access for 12 hours.