Aruba
Posts: 1,644
Registered: ‎04-13-2009

Setting Varying Expiration for OnBoard Credentials/Certificates

In ClearPass Onboard 3.9 it was possible to set up role-based credential expiry (certificate validity) off of AD attributes. However, the same settings/return attributes don't seem to work with CPPM 6.x (6.1 in this case).

Previously it was possible to set a reply RADIUS attribute (Session-Timeout) with either a value of seconds or an explicit date (for example <?= strtotime('2013-12-31 23:59:59') - time() for December 31, 2013) and have the certificate expiration date be reflected by this.

I may have overlooked it, but is there a similar setup/process in 6.x for this functionality?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

Clembo,

Return the RADIUS attribute "Session-Timeout" in seconds (in the enforcement profile) in the Onboard Authorization in CPPM.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

Thanks Colin; I am aware of the fact I can put seconds in for Session-Timeout, but the customer requirements are to have the certificates expire at student graduation; so we want an expiration date set for each class of user. The 3.9 method allowed for this (in reality it used a formula to calculate the right amount of seconds from the date that was entered minus the current time to figure out the right number of seconds); do you know if this is possible in 6.x?

The value in 3.9 was <?= strtotime('2013-12-31 23:59:59') - time() but 6.x won't accept this as a value; only an integer.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

[ Edited ]

Clembo,

Wouldn't it be great if you could authorize the certificate name against the student account and have it fail when the student account is disabled?

EDIT: Just kidding. You are right, it will not return that argument.


Colin Joseph
Aruba Customer Engineering


Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

We have that part working, Colin. We have the iPad passing Authentication (EAP-TLS); but failing Authorization against AD (account disabled) and I can deny them. That is an alternative we have discussed and may have to implement.

They are migrating from 3.9 to 6.x this summer and wanted the same functionality; that's all. If the answer is no, then so be it; just wanted to be sure the same method is not available in 6.x.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guru Elite
Posts: 21,279
Registered: ‎03-29-2007

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

Clembo,

No, you cannot include that as an argument. I will let the powers that be know that.

Colin Joseph
Aruba Customer Engineering
