modify expire_time with first login

Having trouble with the following requirement:

A Guest Account should get disabled after 14 days if it is not used.

The Life time options are 1, 2, 3, 4, 5 days.

The service is based on the "Guest Authentication with MAC Caching" template.

If the guest logs in during the first days with a "5 day account", the expire_time gets modified to today +5 days, which is perfectly fine.

BUT

If the guest logs in on the 13th day (of this 14 day period) with a "5 day account", the expire_time remains the original value which was set during creation. Which means it does not get updated and the guest can use his account for just 1 day.

My customer would like to see the expire time get enhanced automatically in this case.

To be honest, I do not get why it is not getting updated although the Access Tracker states that.

Does anyone have an idea or solution for this requirement?

best regards

Kevin


Re: modify expire_time with first login

Interesting use case, but I don't see why you are asked to complicate it that much. It sounds like a nightmare to administer to be honest ;) We usually have pre-made accounts with a set life-time that doesn't expire so the concierge just has a set he can hand out whenever and they last X days from first login.

But OK... You create the account with an expiration of 14 days, but life-time set to 5 days using the default mechanics of ClearPass Guest. As you've described, this works OK.

So - to achieve what you need I'm thinking you will have to create your own version of this functionality that triggers on first login. The new expire_time is set according to the role "Guest-x-days".

When creating the guest user you enter 14 days as expiration, but not any lifetime. Set the role to be equal to the duration you want it to have (guest-x-days). During first webauth you then enforce a new expire_time according to the role with a NOW+x days. Also set a custom field on the guest user like "activated = true" and test for this field before doing the +days to make sure that it doesn't trigger again for the same account when the user logs in with a second/third device. You will also have to test the original expire_time against NOW to see if it's less than x days remaining of the 14 days expiration.

Might be an easier way to do this, but I can't think of one.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
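
The first-login logic described in the reply above, modelled in plain Python as an added example; it is not ClearPass configuration and not code from either poster. The function names, the dict layout of the account and the `extended` flag are hypothetical, and the sample dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Hypothetical role naming, following the "guest-x-days" convention in the post.
ROLE_RE = re.compile(r"^guest-(\d+)-days?$", re.IGNORECASE)


def on_webauth(account, now):
    """Decide a web login for a guest account and return attribute updates.

    account: dict with 'role', 'expire_time' (datetime) and optional 'activated'.
    Returns {'allow': bool, 'updates': dict, 'extended': bool}.
    """
    result = {"allow": False, "updates": {}, "extended": False}

    # Expired accounts stay disabled; this covers the unused 14-day window.
    if now >= account["expire_time"]:
        return result
    result["allow"] = True

    # Already activated: a second or third device must not restart the clock.
    if account.get("activated"):
        return result

    match = ROLE_RE.match(account.get("role", ""))
    if match is None or int(match.group(1)) < 1:
        # Fail closed on an unknown role instead of guessing a lifetime.
        return {"allow": False, "updates": {}, "extended": False}

    new_expiry = now + timedelta(days=int(match.group(1)))
    # True when fewer than x days of the creation window remained (day-13 case).
    result["extended"] = new_expiry > account["expire_time"]
    result["updates"] = {"expire_time": new_expiry, "activated": True}
    return result


def apply_login(account, now):
    """Apply on_webauth() to the account dict in place; return the decision."""
    decision = on_webauth(account, now)
    account.update(decision["updates"])
    return decision


if __name__ == "__main__":
    created = datetime(2024, 1, 1, 9, 0)  # constructed sample data
    guest = {"role": "guest-5-days", "expire_time": created + timedelta(days=14)}
    print(apply_login(guest, created + timedelta(days=13)), guest)
```

The `activated` check runs after the expiry check, so an activated account still stops working once its own NOW+x lifetime has passed.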