Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Setting Varying Expiration for OnBoard Credentials/Certificates

  • 1.  Setting Varying Expiration for OnBoard Credentials/Certificates

    Posted May 10, 2013 03:04 PM

    In ClearPass Onboard 3.9 it was possible to set up role-based credential expiry (certificate validity) off of AD attributes. However, the same settings/return attributes don't seem to work with CPPM 6.x (6.1 in this case).

     

    Previously it was possible to set a reply RADIUS attribute (Session-Timeout) with either a value of seconds or an explicit date (for example <?= strtotime('2013-12-31 23:59:59') - time() for December 31, 2013) and have the certificate expiration date be reflected by this.

     

    I may have overlooked it, but is there a similar setup/process in 6.x for this functionality?

     

     



  • 2.  RE: Setting Varying Expiration for OnBoard Credentials/Certificates

    EMPLOYEE
    Posted May 10, 2013 04:16 PM

    Clembo,

     

    Return the RADIUS attribute "Session-Timeout" in seconds (in the enforcement profile) in the Onboard Authorization in CPPM.



  • 3.  RE: Setting Varying Expiration for OnBoard Credentials/Certificates

    Posted May 10, 2013 04:36 PM

    Thanks Colin; I am aware of the fact I can put seconds in for Session-Timeout, but the customer requirements are to have the certificates expire at student graduation; so we want an expiration date set for each class of user.  The 3.9 method allowed for this (in reality it used a formula to calculate the right amount of seconds from the date that was entered minus the current time to figure out the right number of seconds); do you know if this is possible in 6.x?

     

    The value in 3.9 was <?= strtotime('2013-12-31 23:59:59') - time() but 6.x won't accept this as a value; only an integer.



  • 4.  RE: Setting Varying Expiration for OnBoard Credentials/Certificates

    EMPLOYEE
    Posted May 10, 2013 04:38 PM

    Clembo,

     

    Wouldn't it be great if you could authorize the certificate name against the student account and have it fail when the student account is disabled?  

     

    EDIT:  Just kidding.  You are right, it will not return that argument.

     



  • 5.  RE: Setting Varying Expiration for OnBoard Credentials/Certificates

    Posted May 10, 2013 05:01 PM

    We have that part working Colin.  We have the iPad passing Authentication (EAP-TLS); but failing Authorization against AD (account disabled) and I can deny them.  That is an alternative we have discussed and may have to implement.

     

    They are migrating from 3.9 to 6.x this summer and wanted the same functionality; that's all.   If the answer is no, then so be it; just wanted to be sure the same method is not available in 6.x.

     



  • 6.  RE: Setting Varying Expiration for OnBoard Credentials/Certificates
    Best Answer

    EMPLOYEE
    Posted May 10, 2013 05:04 PM

    Clembo,

     

    No, you cannot include that as an argument.  I will let the powers that be know that.