Update radius:ietf session-timeout on MAC auth?

Hey, hopefully someone can help me figure this out... Cisco WLAN w/ CPPM Guest.

So after a user has authenticated and processed portal, a radius session timeout is sent to the Cisco WLC. All of this works great. Guest account is enabled, not expired.

If the user disconnects from the SSID, idle-timeout kicks in on the controller and this user is removed from the WLC. If the user comes back within the account expiry period (i.e. 12 hours), when they re-associate, it hits my [Mac Cache] role, where I do a bunch of checks on top of the default ones, and what happens is I send an ACK to the controller with the PERMIT ACL, but my radius session is 0, so if the user stays connected, they will never see a portal even after the guest account expires. They would need to do a MAC AUTH in order for that to happen (disconnect/reconnect to the SSID).

So I thought I would send the following (in a profile) during the MAC Authentication Enforcement Policy:

[Image: remaining_expiration.PNG]

(Tips:Role EQUALS [MAC Caching]) -> CDPQ_PUBLIC_ACK, CDPQ_PUBLIC Guest Session Timeout

But I get this error in Access Tracker:

Policy server Failed to get value for attributes=[RemainingExpiration]

Found this thread but not quite sure how to handle it..

https://community.arubanetworks.com/t5/Security/Policy-server-Failed-to-get-value-for-attributes/m-p/271180

 

I guess I am not 100% sure on how ClearPass handles this behavior when it's MAC and Guest interacting with each other...

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
Guru Elite

Re: Update radius:ietf session-timeout on MAC auth?

You'd have to get into some custom SQL as you're trying to compare an endpoint to a user and the Guest User Repository only filters on users by default.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Update radius:ietf session-timeout on MAC auth?

So that's what I am trying to understand.
During a MAC auth, we are looking at the endpoints repository but the value I am attempting to pull comes from the guest user repository..

Unless I create a post authentication entity update where I store that value in some random Endpoint attribute (or create one) and leverage it during mac auth..
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
Guru Elite

Re: Update radius:ietf session-timeout on MAC auth?

The post_auth method would probably be the easiest.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Update radius:ietf session-timeout on MAC auth?

I'll think of something...

It's a particular scenario as well which only happens if someone never ever disconnects...
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
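
The post-auth idea discussed in this thread, modelled as an added example (not code from any poster and not ClearPass configuration): the guest expiry is copied onto the endpoint record at portal login, and each later MAC auth returns the remaining lifetime as Session-Timeout, or falls back to the portal once the account has expired. The function names, the `guest_expiry` attribute and the sample times are assumptions.

```python
import re
import struct

SESSION_TIMEOUT_TYPE = 27  # RFC 2865 Session-Timeout, 32-bit seconds


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def post_auth_update(endpoints, mac, guest_expire_epoch):
    """Portal login: copy the guest account expiry onto the endpoint record.
    'guest_expiry' is a hypothetical endpoint attribute name."""
    endpoints[normalize_mac(mac)] = {"guest_expiry": int(guest_expire_epoch)}


def mac_auth_decision(endpoints, mac, now_epoch):
    """MAC auth: permit with the remaining lifetime, or fall back to the portal."""
    record = endpoints.get(normalize_mac(mac))
    if record is None:
        return {"result": "portal"}          # never seen: no cached login
    remaining = record["guest_expiry"] - int(now_epoch)
    if remaining <= 0:
        return {"result": "portal"}          # account expired: do not permit
    return {"result": "permit", "Session-Timeout": remaining}


def encode_session_timeout(seconds):
    """RADIUS attribute bytes: type 27, length 6, 4-octet big-endian value."""
    if not 0 < seconds <= 0xFFFFFFFF:
        raise ValueError("Session-Timeout must be 1..2^32-1 seconds")
    return struct.pack("!BBI", SESSION_TIMEOUT_TYPE, 6, seconds)


if __name__ == "__main__":
    endpoints = {}                            # constructed sample data
    login = 1_700_000_000                     # constructed login time
    post_auth_update(endpoints, "AA-BB-CC-DD-EE-FF", login + 12 * 3600)
    back = mac_auth_decision(endpoints, "aabb.ccdd.eeff", login + 3 * 3600)
    print(back, encode_session_timeout(back["Session-Timeout"]).hex())
    print(mac_auth_decision(endpoints, "aa:bb:cc:dd:ee:ff", login + 13 * 3600))
```

A reconnect three hours into a 12-hour account gets a nine-hour Session-Timeout, so the controller forces re-authentication when the guest account expires rather than leaving the session open-ended.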