Security

Reply
Occasional Contributor II
Posts: 23
Registered: ‎09-03-2013

Use "time source" in a policy.

I'm trying to add time source so I can look for soon expiring onboard certs and captive portal the users to the re-registration page.

A few concerns...I don't have an authorization tab....I compute my TIPS roles based on certificate source and on my enforcement tab...I have some other logic.  

Can I use time source on the enforcement tab?   Or do I need to use it in the TIPs role mapping...then use that on the enforcement tab later?

I'm worried about adding an authorization tab if I don't need to.


Thanks

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Use

Yes, you can use it on the enforcement, but you need to enable authorization. Why are you concerned?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 23
Registered: ‎09-03-2013

Re: Use

I guess my concern was all the other authentication sources that are listed too...and now they are in the authorization tab as well.  But looking at it...it won't matter unless I use that authorization data in my enforcement policies...so I guess I'm relaxing more.

 

Occasional Contributor II
Posts: 23
Registered: ‎09-03-2013

Re: Use

OK...so I've bit the bullet and I'm good there...I've started working on my policy

I see timesource is returning an epoch date...which I get.

I created a timesource + 300 which is 1453213996 - or Jan 19, 2016

I picked 300 days because I wanted to test a particular user.   I'll bring that 300 days down to something more reasonable.

That's what the clauase in my enforcement ruls look like

(Authorization:[Time Source]:Now Plus 300 days  GREATER_THAN  %{Certificate:Not-Valid-After}).   I'm also matching the username to grab this one client.

 

 

For this auth

Certificate:Not-Valid-After  2015-07-16 21:25:28

I'm not hitting...clearly Jan 2016 is greater than July 2015.   But I'm comparing an Epoch date with a Calendar date.  Do I need to do anything different?

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: