Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - Adjust Expire time

  • 1.  Clearpass - Adjust Expire time

    Posted Jul 17, 2021 05:09 PM
    Seems this topic has been covered a lot but I have not found a solution to this scenario...

    Is it possible for the MAC Authentication service to refer to the Guest User repository to look at the Guest's ExpireTime value directly, instead of looking at the Endpoint Database?

    Normal flow:

    - Guest creates an account via Captive Portal. The Endpoint in the Endpoint Repository is updated with the [Guest User Repository]:ExpireTime value. 
    - Subsequent Authentications use the MAC Auth service that looks at the Endpoint Expire time to derive the MacCache role (not the Guest Database ExpireTime)

    Now an Admin wants to extend the ExpireTime for this Guest user via the 'Change Expiration' option on the Guest account.

    How do I get the MAC Authentication Service to refer to this new value? I can only seem to refer to it during the MAC Caching service but that requires the Guest to hit the captive portal again and remember or go find the password they were assigned.

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------


  • 2.  RE: Clearpass - Adjust Expire time

    Posted Jul 18, 2021 01:44 AM
    Did you try with

    Authorization:[Guest User Repository]:ExpireTime

    attribute?

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------



  • 3.  RE: Clearpass - Adjust Expire time

    Posted Jul 19, 2021 07:35 AM
    Thanks for the tips guys!

    MHolden - Yes, we use the Device Registration Disconnect for actual device registrations. This works great to CoA the MAC Address after the change is made. But the root issue is still the same. When the Guest reconnects after CoA, it uses the MAC Cache service (we don't want to pop the captive portal again). The MAC Cache service is unable to pull the ExpireTime from the Guest User repository. Without this Attribute, ClearPass cannot use it to make a policy decision or enforcement.

    Gorazd - Same as above, the MAC Cache Service is not pulling back the ExpireTime attribute. 

    Note that the Guest User repository is configured on the MAC Cache service but only AccountEnabled and AccountExpired are pulled back.

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------



  • 4.  RE: Clearpass - Adjust Expire time

    Posted Jul 18, 2021 12:34 PM
    A new default service was added in 6.9, I think, called "[Device Registration Disconnect]".
    You can modify this service and its enforcement policy to accomplish this task.

    Essentially, if you've created a new MAC Create/MacTrac Create custom page for the Guest User profile, copy the service and update the Application:ClearPassPage-Name value(s).
    Copy the existing [Device Registration Disconnect] policy, and update it to also update the endpoint MAC-Auth Expiry just like you would with the captive portal authentication.



  • 5.  RE: Clearpass - Adjust Expire time

    Posted Jul 19, 2021 04:51 AM
    This isn't a direct answer, but should give you some pointers.

    Historically the guest's expiry time was recorded in the associated device's Endpoint repository (MAC-Auth Expiry attribute - I believe Ben Van Zeggelaar came up with this solution back in 2013), along with the Username and Guest Role ID attributes, at registration time. A limitation of this approach is that subsequent changes in the guest's expiry time are not reflected in the Endpoint.

    To address this I have taken a different approach. I still record the Username and Guest Role ID in the Endpoint but directly reference the guest's expiry time. To achieve this I've created a new [Guest User Repository] Attribute filter. The key thing is the SQL that extracts the guest's expiry time based on the Connection:Client-Mac-Address-NoDelim value - this is "normalized" to the correct format for the PostgreSQL database (I realise this should be Username but I can't guarantee this will be in the correct format):

    SELECT CASE WHEN expire_time>now() THEN CAST(EXTRACT(epoch FROM (expire_time-NOW())) AS INTEGER)
                ELSE 0
           END AS remaining_expiration, expire_time::timestamp,
           attributes->>'Role ID' AS role_id
    FROM tips_guest_users
    WHERE ((guest_type='USER') AND (user_id='%{Connection:Client-Mac-Address-NoDelim}') AND (app_name!='Onboard'))

    The returned attributes are exposed in ClearPass in the following manner:

    SQL Value             ClearPass attribute name   Data Type
    remaining_expiration  MAC_ExpiresIn              Integer64
    expire_time           MAC_ExpireTime             DateTime
    role_id               MAC_RoleID                 Integer


    Within the Guest MAC-Auth service I can then add the [Guest User Repository] as an Authorization Source (this should already be there). Within the RoleMapping I can build a condition that verifies whether this device's associated guest has expired:

    (Endpoint:Guest Role ID  EQUALS  251) AND (Authorization:[Time Source]:Now LESS_THAN %{Authorization:[Guest User Repository]:MAC_ExpireTime})



    ------------------------------
    Derin Mellor
    ------------------------------
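    The following is an added example, not code from the thread or from ClearPass: a small Python model of the two policy flows Derin contrasts above. It simulates the Endpoint repository's cached "MAC-Auth Expiry" (written at registration) beside a Python rendering of the attribute-filter SQL that reads expire_time straight from the guest record, then evaluates the role-mapping condition after an admin has used 'Change Expiration'. The guest row, endpoint entry, MAC address and timestamps are constructed sample data; the assumption that user_id is stored as the lowercase, delimiter-free MAC (matching Connection:Client-Mac-Address-NoDelim) is mine and should be checked against your own guest database.

```python
"""Added example (not from the thread): legacy cached MAC-Auth Expiry vs a
direct lookup of the guest's expire_time, on constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

GUEST_ROLE_ID = 251  # role id used in the thread's RoleMapping condition


def mac_nodelim(mac: str) -> str:
    """Normalize a MAC address to the NoDelim form (12 hex chars, no separators).
    Assumption: the guest user_id is stored lowercase; adjust if your DB differs."""
    hexchars = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexchars) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexchars.lower()


@dataclass
class GuestUser:
    """One row of tips_guest_users, with only the columns the SQL filter touches."""
    user_id: str
    expire_time: datetime
    role_id: int
    guest_type: str = "USER"
    app_name: str = "Guest"


@dataclass
class Endpoint:
    """Endpoint repository entry as written by the captive-portal registration."""
    mac: str
    username: str
    guest_role_id: int
    mac_auth_expiry: datetime  # snapshot of expire_time taken at registration


def guest_filter(guests, client_mac_nodelim, now):
    """Python equivalent of the attribute-filter SQL: returns the MAC_ExpiresIn,
    MAC_ExpireTime and MAC_RoleID attributes, or None when no row matches."""
    for g in guests:
        if (g.guest_type == "USER" and g.user_id == client_mac_nodelim
                and g.app_name != "Onboard"):
            remaining = int((g.expire_time - now).total_seconds()) if g.expire_time > now else 0
            return {"MAC_ExpiresIn": remaining,
                    "MAC_ExpireTime": g.expire_time,
                    "MAC_RoleID": g.role_id}
    return None


def legacy_role(endpoint, now):
    """Legacy mapping: trust the Endpoint's cached MAC-Auth Expiry."""
    return endpoint.guest_role_id == GUEST_ROLE_ID and now < endpoint.mac_auth_expiry


def direct_role(endpoint, attrs, now):
    """Derin's condition: (Endpoint:Guest Role ID EQUALS 251) AND
    (Authorization:[Time Source]:Now LESS_THAN MAC_ExpireTime from the guest row)."""
    return (attrs is not None and endpoint.guest_role_id == GUEST_ROLE_ID
            and now < attrs["MAC_ExpireTime"])


def scenario():
    """Constructed scenario: guest registers with a 1-day expiry, an admin later
    extends it by a week, and the guest reconnects on day 2 via MAC caching."""
    t0 = datetime(2021, 7, 17, 17, 0, tzinfo=timezone.utc)
    mac = "AA:BB:CC:DD:EE:01"  # constructed sample MAC
    guest = GuestUser(user_id=mac_nodelim(mac), expire_time=t0 + timedelta(days=1),
                      role_id=GUEST_ROLE_ID)
    # Registration copies the guest's expiry into the Endpoint, as the thread describes.
    endpoint = Endpoint(mac=mac, username=guest.user_id, guest_role_id=GUEST_ROLE_ID,
                        mac_auth_expiry=guest.expire_time)
    # Admin uses 'Change Expiration': only the guest repository changes.
    guest.expire_time = t0 + timedelta(days=8)
    now = t0 + timedelta(days=2)
    attrs = guest_filter([guest], mac_nodelim(mac), now)
    return {
        "legacy_allows": legacy_role(endpoint, now),   # stale snapshot -> denied
        "direct_allows": direct_role(endpoint, attrs, now),  # live value -> allowed
        "expires_in": attrs["MAC_ExpiresIn"],          # seconds left, as MAC_ExpiresIn
    }


if __name__ == "__main__":
    print(scenario())
```

    Running the block shows the legacy condition rejecting the reconnecting guest (the Endpoint still holds the day-1 expiry) while the direct lookup admits them with six days remaining, which is exactly the gap the original question describes.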



  • 6.  RE: Clearpass - Adjust Expire time

    Posted Jul 19, 2021 07:37 AM
    Derin - Brilliant! This sounds to be in line with what I am looking for. I will test this out and report back results. 

    Thanks much!

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------