last person joined: 16 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Guest Sponsorship Quotas

  • 1.  Guest Sponsorship Quotas

    Posted Dec 07, 2015 07:25 AM

    Hello all,


    I'm going to start off by outlining the goal...


    Clearpass Requirement: In this case, the customer wants to check how many times specific members of staff have sponsored guest users. At any given moment in time, staff may sponsor up to 5 guests (no-more), and the guest accounts expire automatically at 24 hours. We're also making use of mac-caching in this case.

    I'm fairly open to suggestion regarding how "rejections" could be sensibly handled. In our perfect world, the initial registration request page the guest is filling out, might return a validation error like "your sponsor has sponsored too many guests", but I suspect that needs complex Java to achieve it?

    Worst case, we could work with a simple RADIUS "reject" outcome at login-page (post-register), which hit an authentication service counting the number of instances where a sponsor has been linked to a guest? I know this option isn't great (bounce to reg-page), but I'll take any suggetions into account!


    Constraints: I'm ok with CPPM, but not good with SQL or Java I'm afraid!!!


    If anybody has a known working option to deliver against this that's simple to "cut and paste" that would be great! Ideally, with the web-validation bit?!?! Otherwise...


    If not: I've already got the Guest engine adding the sponsor's email into the endpoints database entries using the "Enabled By" attribute. What I guess I need next, is an example of a filter/query for the endpoint auth-source which is counting the number of devices with matching sponsor email value ("Enabled By") and where the "mac-auth expiry" is >24 hours. Is that a good way to do it?!?!


    Thanks in advance!