Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Use "time source" in a policy.

  • 1.  Use "time source" in a policy.

    Posted Mar 25, 2015 08:10 AM

    I'm trying to add time source so I can look for soon expiring onboard certs and captive portal the users to the re-registration page.

    A few concerns...I don't have an authorization tab....I compute my TIPS roles based on certificate source and on my enforcement tab...I have some other logic.  

    Can I use time source on the enforcement tab? Or do I need to use it in the TIPS role mapping...then use that on the enforcement tab later?

    I'm worried about adding an authorization tab if I don't need to.


    Thanks



  • 2.  RE: Use "time source" in a policy.

    EMPLOYEE
    Posted Mar 25, 2015 08:11 AM
    Yes, you can use it on the enforcement, but you need to enable authorization. Why are you concerned?


    Thanks,
    Tim


  • 3.  RE: Use "time source" in a policy.

    Posted Mar 25, 2015 08:58 AM

    I guess my concern was all the other authentication sources that are listed too...and now they are in the authorization tab as well.  But looking at it...it won't matter unless I use that authorization data in my enforcement policies...so I guess I'm relaxing more.

     



  • 4.  RE: Use "time source" in a policy.

    Posted Mar 25, 2015 11:00 AM

    OK...so I've bit the bullet and I'm good there...I've started working on my policy

    I see timesource is returning an epoch date...which I get.

    I created a timesource + 300 which is 1453213996 - or Jan 19, 2016

    I picked 300 days because I wanted to test a particular user.   I'll bring that 300 days down to something more reasonable.

    That's what the clause in my enforcement rules looks like

    (Authorization:[Time Source]:Now Plus 300 days  GREATER_THAN  %{Certificate:Not-Valid-After}).   I'm also matching the username to grab this one client.

     

     

    For this auth

    Certificate:Not-Valid-After  2015-07-16 21:25:28

    I'm not hitting...clearly Jan 2016 is greater than July 2015.   But I'm comparing an Epoch date with a Calendar date.  Do I need to do anything different?
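
The epoch-versus-calendar-date mismatch raised in the last post, as an added Python example that is not part of the original thread and is not ClearPass configuration or code. It converts both values to epoch seconds before comparing, and shows what a plain text comparison of the two raw values returns. The function names are hypothetical, and treating `Certificate:Not-Valid-After` as UTC is an assumption.

```python
from datetime import datetime, timezone

# Layout of the Not-Valid-After value quoted in the post.
CERT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"
SECONDS_PER_DAY = 86400


def cert_time_to_epoch(not_valid_after: str) -> int:
    """Parse the calendar timestamp into epoch seconds (assumption: UTC)."""
    parsed = datetime.strptime(not_valid_after, CERT_TIME_FORMAT)
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


def expires_within(now_epoch: int, not_valid_after: str, days: int) -> bool:
    """True when the certificate expires before now + days."""
    threshold = now_epoch + days * SECONDS_PER_DAY
    return threshold > cert_time_to_epoch(not_valid_after)


def naive_text_compare(threshold_epoch: int, not_valid_after: str) -> bool:
    """Character-by-character comparison of the two raw values, no conversion."""
    return str(threshold_epoch) > not_valid_after


# Values taken from the post.
NOW_PLUS_300_DAYS = 1453213996
NOT_VALID_AFTER = "2015-07-16 21:25:28"
# Derived: the "now" that the post's 300-day offset implies.
NOW = NOW_PLUS_300_DAYS - 300 * SECONDS_PER_DAY

if __name__ == "__main__":
    print("threshold :", datetime.fromtimestamp(NOW_PLUS_300_DAYS, timezone.utc))
    print("cert epoch:", cert_time_to_epoch(NOT_VALID_AFTER))
    print("same units, 300 days:", expires_within(NOW, NOT_VALID_AFTER, 300))
    print("same units,  30 days:", expires_within(NOW, NOT_VALID_AFTER, 30))
    print("raw text comparison :", naive_text_compare(NOW_PLUS_300_DAYS, NOT_VALID_AFTER))
```
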