Contributor II
Posts: 50
Registered: ‎04-13-2009

Setting up a MAC policy to allow any user and disable at a specific time

Can someone point me to where I can set up a policy in ClearPass that allows any user to connect to a specific Guest SSID, stores their MAC and then deletes the record and logs them out at Midnight? The customer has this working on their Amigopod now and I am trying to recreate it in their new ClearPass appliance. Access to the Amigopod is limited so I am having to try and do this in my lab.

I can see the auth attempts hitting the ClearPass, but they are being rejected. I believe it's rejecting them because it's trying to find their MAC in the user DB. I need to get around this for starters.

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Setting up a MAC policy to allow any user and disable at a specific time

So what do you want to do with the device on day 2 when they return? Or are you trying to get a captive portal set up?
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Setting up a MAC policy to allow any user and disable at a specific time

In CPPM:

I don't recall which version you need for this, but look for Service Templates under Configuration. There's a Service Template for "Guest MAC Authentication". Fill out all of the information and it will create the service automatically for you.

In ClearPass Guest:

Go to Configuration > Guest Self-Registration

Add the field "modify_expire_time" to your guest self-registration page. Modify the field and set the Initial Value to "tomorrow 00:00".

Go to Configuration > Guest Manager

Set the Expire Action to delete and logout at specified time.

Contributor II
Posts: 50
Registered: ‎04-13-2009

Re: Setting up a MAC policy to allow any user and disable at a specific time

Hello,

Thanks for the responses. Sorry for the delay in answering your replies. So far I have been able to get the authentication working, but have a couple more small hurdles to cross. Since they have an open guest network, they don't use the guest self registration form, just a captive portal that sends a generic user/password to the CPPM when they click accept. The piece I am missing now is after the time expires on the generic user account it will not allow you to reauthenticate and reset the timer on the account. I'm sure this is something minor I am missing.

Contributor II
Posts: 50
Registered: ‎04-13-2009

Re: Setting up a MAC policy to allow any user and disable at a specific time

One more note. I mentioned in the original post that I wanted it to delete the record at midnight. I got ahead of myself there. I need it to keep a generic shared guest account, but delete the cached MAC addresses if possible. Sorry for not stating this more clearly, I was hurrying through too many things.

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Setting up a MAC policy to allow any user and disable at a specific time

Just set the generic account to expire in 30 years.

You should be able to do this with some programming, but the easiest way is to use the Insight database and just use hours_since_auth in your enforcement policy. So if the user hits accept they have access for 12 hours.