This isn't a direct answer, but should give you some pointers.
Historically the guest's expiry time was recorded in the associated device's Endpoint repository (MAC-Auth Expiry attribute - I believe Ben Van Zeggelaar came up with this solution back in 2013), along with the Username and Guest Role ID attributes, at registration time. A limitation of this approach is that subsequent changes in the guest's expiry time are not reflected in the Endpoint.
To address this I have taken a different approach. I still record the Username and Guest Role ID in the Endpoint but directly reference the guest's expiry time. To achieve this I've created a new [Guest User Repository] Attribute filter. The key thing is the SQL that extracts the guest's expiry time based on the Connection:Client-Mac-Address-NoDelim value - this is "normalized" to the correct format for the PostgreSQL database (I realise this should be Username but I can't guarantee this will be in the correct format):
SELECT CASE WHEN expire_time > now()
            THEN CAST(EXTRACT(epoch FROM (expire_time - now())) AS INTEGER)
            ELSE 0
       END AS remaining_expiration,
       expire_time::timestamp,
       attributes->>'Role ID' AS role_id
FROM tips_guest_users
WHERE (guest_type='USER') AND (user_id='%{Connection:Client-Mac-Address-NoDelim}') AND (app_name!='Onboard')
The returned attributes are exposed in ClearPass in the following manner:
SQL Value            | ClearPass attribute name | Data Type
remaining_expiration | MAC_ExpiresIn            | Integer64
expire_time          | MAC_ExpireTime           | DateTime
role_id              | MAC_RoleID               | Integer
Within the Guest MAC-Auth service I can then add the [Guest User Repository] as an Authorization Source (this should already be there). Within the Role Mapping I can build a condition that verifies whether this device's associated guest has expired:
(Endpoint:Guest Role ID EQUALS 251) AND (Authorization:[Time Source]:Now LESS_THAN %{Authorization:[Guest User Repository]:MAC_ExpireTime})
------------------------------
Derin Mellor
------------------------------
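To see the lookup and the role-mapping condition above behave end to end, here is an added example (not part of Derin's reply or of ClearPass itself). It stands in an in-memory SQLite table for tips_guest_users with constructed rows, binds the client MAC as a query parameter where the ClearPass filter interpolates %{Connection:Client-Mac-Address-NoDelim}, and does the expiry arithmetic and the 'Role ID' JSON lookup in Python because SQLite has no EXTRACT(epoch) or ->> operator. The normalize_mac helper and the assumption that the NoDelim value is lower-case hex without separators are mine, as is the fixed clock used so the numbers are reproducible. The final step simulates the admin's 'Change Expiration' action and shows the repository lookup picking up the new value that an Endpoint-stored expiry would miss.

```python
import json
import re
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data modelled on the columns the PostgreSQL query uses.
# The MAC-based guest a1b2c3d4e5f6 expires in one hour; the Onboard row and the
# DEVICE row exist only to show the WHERE clause filtering them out.
NOW = datetime(2021, 7, 18, 12, 0, 0)  # fixed clock standing in for now()
SAMPLE_ROWS = [
    ("a1b2c3d4e5f6", "USER", "Guest", NOW + timedelta(hours=1), {"Role ID": 251}),
    ("a1b2c3d4e5f6", "USER", "Onboard", NOW + timedelta(days=30), {"Role ID": 999}),
    ("aabbccddeeff", "USER", "Guest", NOW - timedelta(hours=1), {"Role ID": 251}),
    ("00112233aabb", "DEVICE", "Guest", NOW + timedelta(days=1), {"Role ID": 251}),
]


def normalize_mac(mac):
    """Hypothetical normaliser for whatever format the client MAC arrives in.
    Assumes Connection:Client-Mac-Address-NoDelim is lower-case hex, no separators."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(cleaned) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return cleaned


def build_repository(rows=SAMPLE_ROWS):
    """In-memory SQLite stand-in for the ClearPass guest user repository."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tips_guest_users (user_id TEXT, guest_type TEXT, "
        "app_name TEXT, expire_time TEXT, attributes TEXT)"
    )
    conn.executemany(
        "INSERT INTO tips_guest_users VALUES (?, ?, ?, ?, ?)",
        [(u, g, a, e.isoformat(), json.dumps(attrs)) for u, g, a, e, attrs in rows],
    )
    conn.commit()
    return conn


def lookup_guest(conn, client_mac, now=NOW):
    """Equivalent of the attribute filter: returns the three attributes it exposes
    (MAC_ExpiresIn, MAC_ExpireTime, MAC_RoleID) or None when no guest row matches."""
    row = conn.execute(
        "SELECT expire_time, attributes FROM tips_guest_users "
        "WHERE guest_type = 'USER' AND user_id = ? AND app_name != 'Onboard'",
        (normalize_mac(client_mac),),  # bound parameter, not string interpolation
    ).fetchone()
    if row is None:
        return None
    expire_time = datetime.fromisoformat(row[0])
    # CASE WHEN expire_time > now() THEN seconds remaining ELSE 0 END
    remaining = int((expire_time - now).total_seconds()) if expire_time > now else 0
    return {
        "MAC_ExpiresIn": remaining,
        "MAC_ExpireTime": expire_time,
        "MAC_RoleID": int(json.loads(row[1])["Role ID"]),  # attributes->>'Role ID'
    }


def role_mapping_allows(endpoint_role_id, guest, now=NOW, guest_role_id=251):
    """The role-mapping condition: Endpoint:Guest Role ID EQUALS 251 AND
    [Time Source]:Now LESS_THAN [Guest User Repository]:MAC_ExpireTime."""
    if guest is None:
        return False
    return endpoint_role_id == guest_role_id and now < guest["MAC_ExpireTime"]


def extend_expiry(conn, client_mac, new_expire_time):
    """Simulates the admin's 'Change Expiration' action on the guest account."""
    conn.execute(
        "UPDATE tips_guest_users SET expire_time = ? "
        "WHERE guest_type = 'USER' AND user_id = ? AND app_name != 'Onboard'",
        (new_expire_time.isoformat(), normalize_mac(client_mac)),
    )
    conn.commit()


if __name__ == "__main__":
    repo = build_repository()
    mac = "A1:B2:C3:D4:E5:F6"
    first = lookup_guest(repo, mac)
    print("before extension:", first, role_mapping_allows(251, first))
    # Endpoint-style snapshot taken at registration time: it will not change below.
    endpoint_snapshot = first["MAC_ExpireTime"]
    extend_expiry(repo, mac, NOW + timedelta(days=2))
    later = NOW + timedelta(hours=2)  # after the original expiry, before the new one
    second = lookup_guest(repo, mac, now=later)
    print("stale endpoint value says expired:", later >= endpoint_snapshot)
    print("repository lookup says allowed:", role_mapping_allows(251, second, now=later))
```

The usage block at the bottom is the scenario from the question: the guest is registered, the admin extends the account, and two hours later the Endpoint's snapshot of the original expiry would deny the device while the repository lookup allows it.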
Original Message:
Sent: Jul 17, 2021 05:08 PM
From: Philip Wightman
Subject: Clearpass - Adjust Expire time
Seems this topic has been covered a lot but I have not found a solution to this scenario...
Is it possible for the MAC Authentication service to refer to the Guest User repository to look at the Guest's ExpireTime value directly, instead of looking at the Endpoint Database?
Normal flow:
- Guest creates an account via Captive Portal. The Endpoint in the Endpoint Repository is updated with the [Guest User Repository]:ExpireTime value.
- Subsequent authentications use the MAC Auth service that looks at the Endpoint Expire time to derive the MacCache role (not the Guest Database ExpireTime).
Now an Admin wants to extend the ExpireTime for this Guest user via the 'Change Expiration' option on the Guest account.
How do I get the MAC Authentication Service to refer to this new value? I can only seem to refer to it during the MAC Caching service but that requires the Guest to hit the captive portal again and remember or go find the password they were assigned.
------------------------------
Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
------------------------------