Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Guest accounts is expired, not deleted

Jump to Best Answer
  • 1.  Guest accounts is expired, not deleted

    Posted Apr 20, 2020 09:19 AM

    Hi. 

    We want to be able to create accounts for guests that expire at midnight and get's deleted. We don't want users to use the manage account tab at all because that isn't working for our users. Believe me, we have tried...

     

    This works:

    Sponsors are able to create guest accounts, an email is sent out with account details to both the sponsor and the guest, the guest can connect to an open wireless network, get redirected to a portal and login. The account itself expire at 23:59 (11:59pm) each night. 

     

    This doesn't work:

    Since the account is only expired and not deleted, the same guest can't get an account created since "the user is already registered". I have set the global Cluster-Wide Parameter for Expired guest accounts cleanup interval to 1 so the account will be deleted, but it's 1 day to late so the account is disabled for 24 hours. 

     

    Cluster-Wide ParametersCluster-Wide Parameters When a user creates an account, the custom fields "modify_expire_time" is set to "today 23:59" and this value work since the account expire at midnight. 

    Custom field "modify_expire_time"Custom field "modify_expire_time" The field "do_expire" is also set and the value 4 is chosen and this is where I think we have some error. I can see that a created account is getting this value assigned, but the account doesn't get deleted. 

    Custom field "do_expire"Custom field "do_expire"

    Can someone please give us some information in what can be wrong in our setup?



  • 2.  RE: Guest accounts is expired, not deleted

    Posted Apr 20, 2020 09:32 AM
      |   view attached

    Have you tried setting the expire action to delete? See attached screenshot.

     

     



  • 3.  RE: Guest accounts is expired, not deleted

    Posted Apr 20, 2020 09:59 AM

    Hi Dustin/yurezplace,

     

    The Expire action option in Guest manager is default when you are not setting up/enabling the Do_expire Field in the page.

     

    the Custom (page configuration) always overcomes with default configurations.

     

    but if you are setting up the do expire value you need to make sure of few things.

     

    The do expire values should appear in Post authentication enforcement in access tracker RADIUS response/output.

     

    You can enabled the auto_update_account option in the form of this page to allow the users to create(update) even if it exists previously. (If you need and want to)

     

    Expired Guest account Cleanup interval definitely works for last 24 hours, so it means if you are deleting the account today before 12.01 then it will take remaining hours for cleanup interval +1 day(24 hour) to delete the account under Cleanup interval.

     

    Make sure you are applying the Post authentication enforcement with do_expire value exist in output.

     

     



  • 4.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 02:46 AM

    When I configured this as a service, I created this using Clearpass built-in guide. 

    The following configuration was added in the service called "User Authentication with MAC Caching":

    Service Template Automatic ConfigurationService Template Automatic ConfigurationIf I then click on rule "54" in the picture above I can see that an automatic value for Expiry-Check is in place. 

    do_expire ruledo_expire ruleThis unfortunaly doesn't work so I tried to specify the value to this but the account doesn't get deleted...

    do_expire_custom.png

    Any help is appreciated!

     



  • 5.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 07:08 AM

    Hi ,

     

    Could you please share the RADIUS response from Output tab on radius access tracker request?

     

     



  • 6.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 07:18 AM

    Here is the output:

    logged_in_guest_output.png

     

    If an account is created and a user never login to the network, should the Policy Manager still send an deauth request to itself (Guest part) of Clearpass or how should this work?



  • 7.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 07:26 AM

    Hi,

     

    once we do apply the do_expire as 4 to the user account , after we apply that enforcement to the user login , post authentication module in ClearPass monitor the session check and then apply upon hitting the condition.

     

    i think in your case you have set the condition of 0 MB bandwidth usage /Today which will be always False hence post authentication module is not taking the action and deleting the guest user account.

     

     



  • 8.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 07:49 AM

    I have now changed the policy so no bandwith limit is enforced in the post_authentication. 

    output.png

     

    This is a login request using a new account I created. 

    I will see tomorrow if this take effect. 



  • 9.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 08:09 AM

    Hi 

     

    I don't think so these change will give you the results.

     

    Please make sure the page with which you are creating the guest account do have the do_expire field enabled in the form with initial value configured as 4.

    do_expire.JPG

     

    and when you create an account through the same page it should be visible under managed accounts.

     

    manage_accounts.JPG

     

     



  • 10.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 08:29 AM

    The account is getting a 4 as an output, but the output I showed before is from Clearpass Policy Manager Access tracker, not the guest tracker. 

    This is a print screen from the guest tracker and I have had a 4 for a long time and the setting doesn't apply. 

    guest_summary.png

     When I check the custom page for when I create an account, the field is hidden to the user and still applied. 

    custom_4.png

     



  • 11.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 10:31 AM

    Hi,

     

    Please work with TAC to get a faster resolution.

     

    With your current configuration it should work until and unless there are no issues with Post-authentication module which needs to get checked from backend.

     



  • 12.  RE: Guest accounts is expired, not deleted
    Best Answer

    Posted Jun 08, 2020 03:36 AM

    Hi everyone. 

    I just want to say that the issue is solved after contacting Aruba TAC. I needed to edit the "do_expire" BASE field, not the custom field that is actually used in the sponsor portal for some reason. After this edit with an added "4", everything works.