Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass rolling expiry timers

  • 1.  Clearpass rolling expiry timers

    Posted Feb 03, 2014 10:04 AM

    Hello everybody.

     

    I'm probably being a bit lazy, but I suspect somebody knows where the info is for this...

     

    Assume a scenario, where I want to update a guest user/device expiry timer each time they re-connect. I.e. A guest connects and is approved/authenticated. We're doing mac-caching too by the way. They initially get created with 1 month's access. I'm good with this setup (I.e. I know how to do it). Normally, the account lasts a month obviously.

     

    So, as an extension, assume that 5 days later, the user/device reconnects and is mac-auth'd. At that point, what I want to do, is reset their account to 1 month again. In other words, as long as they use the device within that 1 month, it keeps updating to have another month into the future. If they don't connect during the month, obviously the accounts (user and device) age out as normal.

     

    Has anybody done this? I'm expecting it to be achievable by way of an enforcement profile? Just unsure what the variables and syntax should be?

     



  • 2.  RE: Clearpass rolling expiry timers

    Posted Feb 03, 2014 10:36 AM

    I have done a deployment recently where the customer wanted the expiry time of the guest accounts to be automatically updated each time the user logged in (for example: expire time = current-time + 90 days)

     

    This involved having to define a custom authentication source where we would execute a SQL UPDATE query to the local database in ClearPass.

     

    This solution is a bit hackerish and is probably not supported by Aruba :). If you want I can share these SQL queries.

     

    Also, for MAC-caching we are binding an endpoint directly to the guest account; we have also made some custom SQL queries for this cause since ClearPass does not do this out-of-the-box.



  • 3.  RE: Clearpass rolling expiry timers

    Posted Feb 03, 2014 01:50 PM

    From what you've written, am I right in thinking you achieved all this within the Clearpass setup? I.e. you didn't need another external component/server/database for the SQL part?

     

    I'd be interested to see how you did it yes please. Note I'm not an SQL guru by any means!

     

    Not so worried about the support of it officially, I can bridge this gap if needed. ;-)

     

    Thanks.



  • 4.  RE: Clearpass rolling expiry timers

    Posted Feb 03, 2014 05:31 PM
      |   view attached

    Big warning on using SQL queries in your config: the database schema CAN CHANGE. If ClearPass ships updates these SQL queries might break. Use at your own risk.

     

    Database schema, remote access

    You can access the ClearPass database with the "appexternal" account (you can set this password under "cluster wide parameters" in the server configuration). Then use a program like pgAdmin (postgres admin) to create a connection.

     

    MAC caching: bind guest user to endpoint

    If you want to use MAC caching and bind the endpoint directly to the guest account follow these steps. This means when the guest account is disabled or expired, the MAC authentication will fail as well.

     

    1) Create new Authentication Source, Name = MAC_caching, Type = Generic SQL DB, Server = localhost, database = tipsdb, login = appadmin, driver = postgres

    2) Add new filter in authentication source:

    - Filter name: Authentication

    - Filter query:

     

    SELECT mac_address AS User_Password,
    CASE WHEN tips_guest_users.enabled = FALSE THEN 225
    WHEN ((tips_guest_users.start_time > now()) OR ((tips_guest_users.expire_time is not null) AND (tips_guest_users.expire_time <= now()))) THEN 226
    WHEN tips_guest_users.approval_status != 'Approved' THEN 227
    ELSE 0
    END AS Account_Status, tips_guest_users.sponsor_name,
    CAST(EXTRACT(epoch FROM (tips_guest_users.expire_time - NOW())) AS INTEGER) AS remaining_expiration
    FROM tips_endpoints_attr_view INNER JOIN tips_guest_users ON tips_endpoints_attr_view.tag_value=tips_guest_users.user_id
    WHERE tips_endpoints_attr_view.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}')

     

    Attributes:

    - Name: remaining_expiration

    - Alias: remaining_expiration

    - Data type: Integer

     

    3) Create a MAC authenitcation service where the above authentication source is used as the authentication source

    4) In the enforcement policy you can have a generic accept policy (like day of the week), make sure you have a enforcement profile in place that will return remaining_expiration in the RADIUS - IETF - Session-Timeout attribute. Use %{Authentication:MAC_cache:remaining_expiration} as the value for this.

    5) For the captive portal service make sure you have a post_authentication enforcement profile in place which will update the endpoint with the guest username during captive portal login

     

    Dynamic expire time update

    If you want to update the expire-time during each login you can do this by creating a new authentication source (same method as described above). Use this authentication source as an authorization source in your service. See attached screenshot for the setings. SQL queries for this:

     

    SELECT NOW() + INTERVAL '90 days' as new_expire_time;
    update tips_guest_users set expire_time = NOW() + INTERVAL '90 days' where user_id = '%{Authentication:Username}'

     

    Please note above will update the expire time based on the username, this will only work if you know the username during authentication (thus for captive portal login or 802.1X).

     

    If you want to update the expire time based on the related MAC adres you can use this query:

     

    UPDATE tips_guest_users SET expire_time = NOW() + INTERVAL '90 days'
    FROM tips_endpoints_attr_view WHERE tips_endpoints_attr_view.tag_value=tips_guest_users.user_id AND tips_endpoints_attr_view.mac_address = LOWER('%{Connection:Client-Mac-Address-NoDelim}');

     



  • 5.  RE: Clearpass rolling expiry timers

    Posted Feb 04, 2014 02:54 AM

    Very interesting. I'll give it a try when rolling out. Thanks for the tips.

     

    I won't ask for a deep techy dive on this, I'll drive it past by SQL guys to see if they can explain it to me!

     

    Thanks again.



  • 6.  RE: Clearpass rolling expiry timers

    Posted 17 days ago
    I recently worked with TAC to solve this very problem. It is not possible to do this with a simple post-auth enforcement profile utilizing the Expire-Time-Update attribute as I had originally thought, Clearpass will only let you reduce the expire_time with this attribute, not extend it.  However, you can effectively extend the expire_time by performing a SQL query or an internal API call.  We chose the API call route as its a bit more straightforward, you will need to set up an HTTP Context Server Action Dictionary and then reference that in an Enforcement Profile.  You will also need to add a Time Source filter that matches the time you want to extend by (Now Plus 30days) and add the Time Source as an authorization source in your service.  In my case I extended expiration by 1 year, here's how i did it:


    1) Create a Time Source filter for the time period you want to extend by
    Configuration -> Authentication -> Sources -> [Time Source] -> Attributes Tab -> Add More Filters
    Filter Query:  SELECT (EXTRACT (EPOCH FROM NOW() + interval '1 years'))::int AS now_plus_1year;
    now_plus_1year  Now Plus 1year  Integer


    2) Create a context server dictionary entry to perform the API action:

    Administration -> Dictionaries -> Context Server Actions -> Add Generic HTTP Context Server
    Action Tab
    Server Name: localhost
    HTTP Method: PATCH
    URL:  /api/guest/username/%{Authentication:Username}
    Header Tab
    accept = */*
    content-type = application/json
    Content Tab
    Content-Type: JSON
    Content:  
    {
      "expire_time": "%{Authorization:[Time Source]:Now Plus 1year}"
    }
    Attributes Tab
    AuthTime = %{Date:Date-Time}



    3) Create an enforcement profile that references this dictionary entry to perform the action.

    Configuration -> Enforcement -> Profiles -> Add HTTP Based Enforcement
    Attributes Tab
    Target Server = localhost
    Action = Extend Expiration



    4) Add enforcement profile to your enforcement policy

    Open your enforcement policy and add the enforcement profile created in step 3.  This will perform the API action and extend the expire_time attribute on the guest user account.



    5)  Ensure that the [Time Source] is added as an Authorization Source on the relevant Service



    This was working for us, every time a user authenticates the enforcement profile is activated the expire_time for that account is extended for 1 year.  This allows for any accounts not used in 1 year to be automatically deleted, while indefinitely extending active accounts.