Two 'problems'.. kudos opportunities rather :P
Usually MAC-AUTH duration is decided by the role a guest user has together with a simple Authorization:[Insight Repository]:Days-Since-Auth and a static duration.
- Now a customer requires the MAC-AUTH duration to be what the receptionist sets as the guest account's expiration date. Basically if the guest account expires in 180 days the MAC-AUTH should be valid for as long too. This guest account expiration can be anything from a day to a year.
Seems a fair question right? So how can I accomplish this?
Can I somehow create a query that checks if the guest-user is still active before allowing the device access?
Or can I somehow use the guest account expiration date as a variable and tie that into the "Authorization:[Insight Repository]:Days-Since-Auth" bit somehow?
That MAC-Guest-Check query already seems to have some expiration handling.. is this the guest user or the guest device expiration?
- Somewhat related.. we also need to enable MAC-AUTH for AD authenticated captive portal users. The 'difficulty' (I'm still hoping I'm missing something obvious here) is that those MAC-AUTH need to expire on a set date (next 1 September) rather than after a certain time.
I'm fairly confident this should be doable with some custom SQL.. now I just need someone who's confident with ClearPass SQL :)