last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Guest Extend Expire Time

  • 1.  ClearPass Guest Extend Expire Time

    Posted Feb 12, 2016 12:37 PM


    My organization wants to extend the expire time for guest accounts by 30 days on each successful login.  This would result in a guest account remaining valid indefinitely as long as it was used within 30 days of last login and would expire if not used in 30 days.


    I have found some examples of similar requests, but most do not have a full solution, and one suggests writing directly the database tables, which I am not excited about. 



    I was hopeful I could accomplish this with an enforcement profile.  There is a ‘ClearPass Entity Update Enforcement’ of:

    Type: Expire-Time-Update
    Name: GuestUser


    Is my goal the intent of this attribute?  If so, can someone assist me with the proper value syntax?


    I have also attempted by creating a dictionary attribute in CPPM for the expire_time field from entity GuestUser and manipulating it via an enforcement profile with no good results. 


    If anyone knows another/better approach to this solution, please direct me.


    Thank you in advance.

  • 2.  RE: ClearPass Guest Extend Expire Time

    Posted Feb 12, 2016 12:40 PM
    Do you want to do this every time the user logs in at the web login or everytime their device re-authenticates to the network (MAC-caching)? 

    Sent from Nine

  • 3.  RE: ClearPass Guest Extend Expire Time

    Posted Feb 12, 2016 02:15 PM

    Preferably both, but if the MAC caching element makes it too complicated, could probably work with allowing MAC caching for a short period of time (day/week) and then advance expire date on next web login.


  • 4.  RE: ClearPass Guest Extend Expire Time

    Posted Feb 12, 2016 02:18 PM
    MAC caching would actually be easier and more user friendly. You can simply add a post auth enforcement profile to the MAC auth that changes the MAC-auth Expiry to "now+30d". 

    Sent from Nine

  • 5.  RE: ClearPass Guest Extend Expire Time

    Posted May 18, 2016 05:14 PM

    I have a group looking for something similar to what is described.  Cappalli suggests using an enforcement profile in the Mac auth to change the "mac-auth expiry" value.  I have attempted to do this without success.  Currently running 6.6x of Clearpass and the only value allowed is an exact date and time for the attribute. Adding "now()+(n)days" does not pass the validation for the attribute.


    error is :

    Value "now()+30 days" must have hh:mm:ss format (e.g., 17:05:55) 


    I am currently using the "Self-Validated" model by Michael Clarke and would like to work this in some how.  Any assistance would be appreciated.



  • 6.  RE: ClearPass Guest Extend Expire Time

    Posted 17 days ago
    I recently worked with TAC to solve this very problem. It is not possible to do this with a simple post-auth enforcement profile utilizing the Expire-Time-Update attribute as I had originally thought, Clearpass will only let you reduce the expire_time with this attribute, not extend it.  However, you can effectively extend the expire_time by performing a SQL query or an internal API call.  We chose the API call route as its a bit more straightforward, you will need to set up an HTTP Context Server Action Dictionary and then reference that in an Enforcement Profile. You will also need to add a Time Source filter that matches the time you want to extend by (Now Plus 30days) and add the Time Source as an authorization source in your service.  In my case I extended expiration by 1 year, here's how i did it:

    1) Create a Time Source filter for the time period you want to extend by
    Configuration -> Authentication -> Sources -> [Time Source] -> Attributes Tab -> Add More Filters
    Filter Query:  SELECT (EXTRACT (EPOCH FROM NOW() + interval '1 years'))::int AS now_plus_1year;
    now_plus_1year  Now Plus 1year  Integer

    2) Create a context server dictionary entry to perform the API action:

    Administration -> Dictionaries -> Context Server Actions -> Add Generic HTTP Context Server
    Action Tab
    Server Name: localhost
    HTTP Method: PATCH
    URL:  /api/guest/username/%{Authentication:Username}
    Header Tab
    accept = */*
    content-type = application/json
    Content Tab
    Content-Type: JSON
      "expire_time": "%{Authorization:[Time Source]:Now Plus 1year}"
    Attributes Tab
    AuthTime = %{Date:Date-Time}

    3) Create an enforcement profile that references this dictionary entry to perform the action.

    Configuration -> Enforcement -> Profiles -> Add HTTP Based Enforcement
    Attributes Tab
    Target Server = localhost
    Action = Extend Expiration

    4) Add enforcement profile to your enforcement policy

    Open your enforcement policy and add the enforcement profile created in step 3.  This will perform the API action and extend the expire_time attribute on the guest user account.

    5)  Ensure that the [Time Source] is added as an Authorization Source on the relevant Service

    This was working for us, every time a user authenticates the enforcement profile is activated the expire_time for that account is extended for 1 year.  This allows for any accounts not used in 1 year to be automatically deleted, while indefinitely extending active accounts.