Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

modify expire_time with first login

  • 1.  modify expire_time with first login

    Posted Jun 30, 2015 11:02 AM

    Having trouble with the following requirement:

     

    A Guest Account should get disabled after 14 days if it is not used.

    The Life time options are 1, 2, 3, 4, 5 days.

     

    The service is based on the "Guest Authentication with MAC Caching" template.

     

    If the guest logs in during the first days with a "5 day account", the expire_time gets modified to today +5 days, which is perfectly fine

    BUT

    If the guest logs in on the 13th day (of this 14 day period) with a "5 day account", the expire_time remains the original value which was set during creation. This means it does not get updated and the guest can use his account for just 1 day.

    My Customer would like to see the expire time get enhanced automatically in this case.

     

    To be honest, I do not get why it is not getting updated although the Access Tracker states that.

     

    Does anyone have an idea or solution for this requirement?

     

    best regards

    Kevin



  • 2.  RE: modify expire_time with first login

    Posted Jul 01, 2015 05:16 AM

    Interesting use case, but I don't see why you are asked to complicate it that much. It sounds like a nightmare to administer, to be honest ;) We usually have pre-made accounts with a set life-time that doesn't expire, so the concierge just has a set he can hand out whenever and they last X days from first login.

     

    But OK... You create the account with an expiration of 14 days, but life-time set to 5 days using the default mechanics of ClearPass Guest. As you've described, this works OK.

     

    So - to achieve what you need I'm thinking you will have to create your own version of this functionality that triggers on first login. The new expire_time is set according to the role "Guest-x-days".

     

    When creating the guestuser you enter 14 days as expiration, but not any lifetime. Set the role to be equal to the duration you want it to have (guest-x-days). During first webauth you then enforce a new expire_time according to the role with a NOW+x days. Also set a custom field on the guestuser like "activated = true" and test for this field before doing the +days to make sure that it doesn't trigger again for the same account when the user logs in with a second/third device. You will also have to test the original expire_time against NOW to see if it's less than x days remaining of the 14 days expiration.

     

    Might be an easier way to do this, but I can't think of one.
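
The first-login rule described in this reply, modelled in Python as an added example that is not part of the thread and is not ClearPass configuration. The `GuestAccount` class, the `on_webauth` function, the outcome strings and the use of the remaining-time test purely to label the result are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class GuestAccount:              # hypothetical stand-in for a guest user record
    role: str                    # e.g. "guest-5-days", as suggested in the reply
    expire_time: datetime        # set at creation to created + 14 days
    activated: bool = False      # custom field from the reply ("activated = true")


def role_days(role: str) -> int:
    """Extract x from a role named guest-x-days; reject anything else."""
    m = re.fullmatch(r"guest-(\d+)-days", role)
    if m is None:
        raise ValueError(f"unexpected role name: {role!r}")
    return int(m.group(1))


def on_webauth(acct: GuestAccount, now: datetime) -> str:
    """Apply the first-login rule once per account and report what happened."""
    if now >= acct.expire_time:
        return "denied"          # unused for 14 days, or the x-day lifetime is over
    if acct.activated:
        return "unchanged"       # second/third device: do not add +x days again
    new_expiry = now + timedelta(days=role_days(acct.role))
    # Assumption: comparing against the original expiry only labels the outcome.
    # "extended" = fewer than x days were left of the 14-day window.
    outcome = "extended" if new_expiry > acct.expire_time else "activated"
    acct.expire_time = new_expiry
    acct.activated = True
    return outcome


if __name__ == "__main__":
    created = datetime(2015, 6, 1, 9, 0)     # constructed sample data
    acct = GuestAccount("guest-5-days", created + timedelta(days=14))
    for day in (13, 15, 19):                 # first login, second device, too late
        result = on_webauth(acct, created + timedelta(days=day))
        print(f"day {day}: {result}, expires {acct.expire_time}")
```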