Wireless Access

New Contributor
Posts: 4
Registered: ‎07-17-2014

Guest User Re-Authentication Issue

Hi,

We created a guest SSID with Captive Portal and Self Registration page.

We set the expiry date on Guest accounts to 100 days via the Guest Manager and Register Page on Self Registration.

A Guest MAC authentication service was created to remember guests once they leave the network and then return to the network.

This worked for a number of hours following the changes that day.

However, when guest users returned to the network the following day, they had to re-authenticate via Captive Portal again.

The only thing which we think may be the issue is the Re-authentication Interval set in the SSID; it is currently 6 hours.

What do we need to change to have guest users re-authenticate after 100 days instead of 6 hours, for example?

Thanks in advance.

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Guest User Re-Authentication Issue


Please see below (alternatively, use the service templates as mentioned in the beginning of this article).

This article describes an alternative MAC Caching service for ClearPass. Although the MAC Caching Service created by the service templates works fine, some find it difficult to comprehend and do not want to depend on Insight as an authorization source.

The MAC Caching service discussed here does not use Insight as an authorization source. Instead, it makes use of an Endpoint attribute containing the MAC expiry date. This attribute is checked against the authentication date. If the authentication date is before the Expiry date then access is granted, otherwise it is denied (or redirected to a captive portal).

In this article we assume two types of users for which MAC caching is enabled:

  • Guests: users defined in, and authenticated against the Guest User Database and have the role [Guest]. The MAC Expiry will be set to the Guest Account Expiry
  • Employees: defined in, and authenticated against an external database, like Active Directory and have the role [Employee]. The MAC expiry will be set to a fixed interval, for example 6 Months.

The flow will be discussed in 'reverse order' and not in the configuration order. At the end of this article, the steps will be listed in the right order.

Description

This service makes use of an Endpoint attribute holding the MAC Cache expiry date.

Because this solution uses Endpoint attributes, care should be taken when using this solution with other systems updating Endpoint attributes. An API call to update an Endpoint attribute may not take into account existing Endpoint attributes. An example is MDM systems updating Endpoint objects.

MAC Authentication Policy

The policy will simply look like this:

BvZ MAC Caching Policy.png

The Policy will only allow authentications which have the role [MAC Caching].

If MAC Caching is applied, different enforcement profiles are used depending on the role. In the example above, an employee will have the aruba-user-role 'MAC-Staff' applied and a guest will have the aruba-user-role 'MAC-Guest' applied. This can be entirely customised according to the customer's policy and equipment.

The default profile is [Deny Access Profile] in the above example. Alternatively, the default profile can be set to an enforcement profile which enforces a captive portal. For Aruba controllers this can be achieved by returning an aruba-user-role='guest-logon' for example.

  Role Mapping policy

BvZ MAC Caching RoleMapping.png

As you can see, the Role Mapping uses a couple of new attributes to determine if the role [MAC Caching] is assigned.

  Endpoint Attribute

%{Endpoint:MAC-Auth Expiry} is a new attribute defined in the Endpoint. Go to Administration -> Dictionaries -> Attributes and add an Endpoint attribute as below:

BvZ MAC Caching EndpointAttr.png

This attribute is updated by a Post Authentication Enforcement Policy in the Policy of the Web Login Service.

  Post Authentication Enforcement Profiles

For Guests, the MAC Expiry will be set to the same value as the Guest Account Expiry:

BvZ MAC Caching -GuestEnf.png

Note that 'ExpireTime' needs to be added to the [Guest User Repository]. More about that later.

For Employees, authenticating against another auth source, the account expiry is not available. Therefore the MAC Expiry will be set to a fixed interval determined by the customer's security policy. In this example, the customer has decided that MAC addresses for employees are allowed to be cached 6 months after the Web Login.

BvZ MAC Caching EmployeeEnf.png

In the above example, the MAC Expiry is set to a fixed interval after the Web login authentication time. See hereafter.

  Authentication/Authorization Sources

%{Authorization:[Time Source]:Today} is a new attribute defined in the Authentication Source [Time Source].

BvZ MAC Caching TimeSource1.png

The attribute Today is defined as:

Bvz MAC Caching TimeSource2.png

The SQL: select localtimestamp(0) as today;

The attribute ' Six Months From Now' is defined as:

BvZ MAC Caching TimeSource3.png

The SQL: select localtimestamp(0) + interval '6 months' as sixmonths;

You can define other intervals as you wish by changing the interval in the SQL Query. For example if you want to set the MAC Auth Expiry to 7 days, the SQL query will be like:

select localtimestamp(0) + interval '7 days' as sevendays;

Next map the 'sevendays' to the Alias "Seven Days From Now" for example.

As mentioned earlier, the Guest User Account Expiry time needs to be made available from the [Guest User Repository]:

Add the highlighted string (expire_time::timestamp) to the existing Authentication query and map this to Alias ExpireTime as shown below:

BvZ MAC Caching GuestRepository.png

  Putting it all together

  • Add the Endpoint attribute MAC-Auth Expiry
  • Add the ExpireTime attribute to the authentication source [Guest User Repository]
  • Add the attributes today and a fixed interval attribute to the Authentication source [Time Source]
  • In the existing Web Login Service, add the post authentication enforcement to update the Endpoint attribute MAC-Auth Expiry
  • In the existing Web Login Service, add [Time Source] as an authorization source. You can remove [Insight] as authorization source
  • Create the MAC Authentication policy:

BvZ MAC Caching Service.png

  • Ensure the Authentication source [Time Source] is added as an authorization source
Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
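An added example, not part of the post above: the [Time Source] queries from the post generalised to several intervals, followed by a stand-alone evaluation of the same expiry comparison the Role Mapping policy makes. It assumes PostgreSQL (the dialect the post's localtimestamp queries use); the endpoint rows are constructed sample data, not ClearPass tables.

```sql
-- [Time Source] attributes, one query per alias, as in the post.
select localtimestamp(0) as today;                              -- alias "Today"
select localtimestamp(0) + interval '6 months' as sixmonths;    -- alias "Six Months From Now"
select localtimestamp(0) + interval '7 days'   as sevendays;    -- alias "Seven Days From Now"
select localtimestamp(0) + interval '100 days' as hundreddays;  -- e.g. for a 100-day guest policy

-- The rule the Role Mapping applies: [MAC Caching] only when the stored
-- %{Endpoint:MAC-Auth Expiry} lies after %{Authorization:[Time Source]:Today}.
-- The rows below are constructed sample endpoints (MAC, role at web login,
-- MAC-Auth Expiry written by the post-authentication enforcement profile).
with endpoints(mac, login_role, mac_auth_expiry) as (
  values
    ('00-11-22-33-44-55', '[Guest]',    localtimestamp(0) + interval '99 days'),  -- guest account still valid
    ('00-11-22-33-44-66', '[Employee]', localtimestamp(0) + interval '5 months'), -- fixed 6-month cache
    ('00-11-22-33-44-77', '[Guest]',    localtimestamp(0) - interval '1 day'),    -- expired yesterday
    ('00-11-22-33-44-88', '[Guest]',    null)                                     -- never completed web login
)
select mac,
       login_role,
       mac_auth_expiry,
       case
         -- a NULL expiry must never match: an endpoint with no recorded
         -- web login falls through to the default profile, not to [MAC Caching]
         when mac_auth_expiry is not null
          and mac_auth_expiry > localtimestamp(0) then '[MAC Caching]'
         else 'default profile: [Deny Access Profile] or captive-portal role'
       end as mac_auth_result
from endpoints;
```

Only the first two constructed rows resolve to [MAC Caching]; the expired and the NULL row are sent to the default profile, which is the behaviour the post's policy relies on.
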
Contributor II
Posts: 48
Registered: ‎05-14-2012

Re: Guest User Re-Authentication Issue

The links for the images don't work.

New Contributor
Posts: 4
Registered: ‎07-17-2014

Re: Guest User Re-Authentication Issue

We created a Guest MAC authentication service in addition to the existing 2 services for PreAuthentication for Captive Portal and for Post Authentication.

The 2 above services take effect first; then once a guest user leaves the network, they don't need to re-register and their phone simply reconnects by authenticating the MAC address which has already been added to the Endpoint database on ClearPass.

Contributor I
Posts: 26
Registered: ‎10-07-2014

Re: Guest User Re-Authentication Issue

Interesting MAC caching option!

The links to the images are not working (permission denied).

Could you provide another way to see the images?

Thank you

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Guest User Re-Authentication Issue

If you cannot see the images above, see this attachment...
