Wireless Access

last person joined: 13 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Guest User Re-Authentication Issue

  • 1.  Guest User Re-Authentication Issue

    Posted Jul 17, 2014 05:12 AM



    We created a guest SSID with Captive Portal and Self Registration page.

    We set the expiry date on Guest accounts to 100 days via the Guest Manager and Register Page

    on Self Registration.

    A Guest MAC authentication service was created to remember guests once they leave the network

    and then return to the network.

    This worked for a number of hours following the changes that day.


    However guest users returned to the network the following day, they had to re-authenticate via Captive Portal again.


    The only thing which we think may be the issue is the Re-authentication Interval set in the SSID, it is currently 6 hours.


    What do we need to change to have to guest users re-authenticate after 100 days instead of 6 hours for example?


    Thanks in advance.

  • 2.  RE: Guest User Re-Authentication Issue

    Posted Jul 17, 2014 07:51 AM

    Please see below (alternatively, use the service templates as mentioned in the beginning of this article).


    This article describes an alternative MAC Caching service for Clearpass. Although the MAC Caching Service created by the service templates works fine, some find it difficult to comprehend and do not want to depend on Insight as authorization source.


    The MAC Caching service discussed here does not use Insight as authorization source. Instead, it makes use of an Endpoint attribute containing the MAC expiry date. This attribute is checked against the authentication date. If the authentication date is before the Expiry date then access is granted, otherwise denied (or redirected to a captive portal).


    In this article we assume two types of users for which MAC caching is enabled:

    • Guests: users defined in, and authenticated against the Guest User Database and have the role [Guest]. The MAC Expiry will be set to the Guest Account Expiry
    • Employees: defined in, and authenticated against an external database, like Active Directory and have the role [Employee]. The MAC expiry will be set to a fixed interval, for example 6 Months.

    The flow will be discussed in 'reverse order' and not in the configuation order. At the end of this article, the steps will be listed in the right order




    This service makes use of an Endpoint attribute holding the MAC Cach expiry date.

    Because this solution uses Endpoint attributes, care should be taken when using this solution with other systems updating Endpoint attributes. An API call to update an Endpoint attribute may not take into account existing Endpoint attributes. And example is MDM systems updating Endpoint objects.


    MAC Authentication Policy


    The policy will simply look like this:

    BvZ MAC Caching Policy.png

    The Policy will only allow authentications which have the role [MAC Caching].

    If MAC Caching is applied, different enforcement profiles are used depending on the role. In the example above, an employee will have the aruba user-role 'MAC-Staff' applied and guest will have the aruba-user-role 'MAC-Guest' applied. This can be entirely customised accodrding the customer's policy and equipment.

    The default profile is [Deny Access Profile] in the above example. Alternatively, the default profile can be set to an enforcemnt profile which enforces a captive portal. For Aruba controllers this can be achieved by returning an aruba-user-role='guest-logon' for example.

      Role Mapping policy

    BvZ MAC Caching RoleMapping.png


    As you can see, the Role Mapping uses a couple of new atributes to determine if the role [MAC Caching] is assigned.

      Endpoint Attribute

    %{Endpoint:MAC-Auth Expiry} is a new attribute defined in the Endpoint. Goto Administration -> Dictionaries - Attributes and add an Endpoint attribute as below:

    BvZ MAC Caching EndpointAttr.png

    This attribute is updated by a Post Authentication Enforcement Policy in the Policy of the Web Login Service.

      Post Authentication Enforcement Profiles

    For Guests, the MAC Expiry will be set to the same value as the Guest Account Expiry:

    BvZ MAC Caching -GuestEnf.png


    Note that 'ExpireTime' needs to be added to the the [Guest User Repository]. More about that later.

    For Employees, authenticating against another auth source, the account expiry is not available. Therefore the MAC Expiry will be set to a fixed interval determined by the customer's security policy. In this example, the customer has decided that MAC addresses for employees are allowed to be cached 6 months after the Web Login.

    BvZ MAC Caching EmployeeEnf.png


    In the above example, the MAC Expiry is set to a fixed interval after the Web login authentication time. See hereafter.

      Authentication/Authorization Sources

    %{Authorization:[Time Source]:Today} is a new attribute defined in the Authentication Source [Tme Source].

    BvZ MAC Caching TimeSource1.png

    The attribute Today is defined as:

    Bvz MAC Caching TimeSource2.png

    The SQL: select localtimestamp(0) as today;

    The attribute ' Six Months From Now' is defined as:

    BvZ MAC Caching TimeSource3.png

    The SQL: select localtimestamp(0) + interval '6 months' as sixmonths;

    You can define other intervals as you wish by changing the interval in the SQL Query. For example if you want to set the MAC Auth Expiry to 7 days, the SQL query will be like:

    select localtimestamp(0) + interval '7 days' as sevendays;

    Next map the 'sevendays' to the Alias "Seven Days From Now" for example.


    As mentioned earlier, the Guest User Acount Expiry time needs to be made avaiable from the [Guest User Repository]:

    Add the highlighted string (expire_time::timestamp) to the existing Authentication query and map this to Alias ExpireTime as shown below:

    BvZ MAC Caching GuestRepository.png

      Putting it all together


    • Add the Endpoint attribute MAC-Auth Expiry
    • Add the ExpireTime attribute to the authentication source [Guest User Repository]
    • Add the attributes today and a fixed interval attribute to the Authentication source [Time Source]
    • In the existing Web Login Service, add the post authentication enforment to update the Endpoint attribute MAC-Auth Expiry
    • In the existing Web Login Service, add [Time Source] as an authorization source. You can remove [Insight] as authorization source
    • Create the MAC Athentication policy:

    BvZ MAC Caching Service.png

    • Ensure the Authentication source [Time Source] is added as an authorization source

  • 3.  RE: Guest User Re-Authentication Issue

    Posted Jul 18, 2014 12:17 PM

    The links for the images don't work.

  • 4.  RE: Guest User Re-Authentication Issue

    Posted Jul 21, 2014 11:06 AM

    We created a Guest MAC authentication service in addition to the existing 2 services for PreAuthentication for Captive Portal and for Post Authentication.


    The 2 aboves services take effect first then one aguest user leaves the network, they don't need to re-register and their phone simply reconnects by authenticating the MAC address which has already been added to Endpoint database on ClearPass.

  • 5.  RE: Guest User Re-Authentication Issue

    Posted Oct 08, 2014 03:17 PM

    Interesting MAC caching option!

    The links to the images are not working (permission denied).

    Could you provide another way to see the images?

    Thank you

  • 6.  RE: Guest User Re-Authentication Issue

    Posted Dec 10, 2014 09:12 AM
      |   view attached

    If you cannot see the images above, see this attachment...