I know this is an old thread, but I had this same problem and was able to solve it with an internal API call, which is actually easier to set up than it sounds. The issue is that it
is not possible to do this with a simple post-auth enforcement profile utilizing the Expire-Time-Update attribute as I had originally thought, Clearpass will only let you reduce the expire_time with this attribute, not extend it. However you can effectively extend the expire_time by setting up an HTTP Context Server Action Dictionary and referencing it in an Enforcement Profile. You will also need to add a Time Source filter that matches the time you want to extend by (e.g. Now Plus 30days) and add the Time Source as an authorization source in your service. In my case I extended expiration by 1 year, here's how i did it:
1) Create a Time Source filter for the time period you want to extend by
Configuration -> Authentication -> Sources -> [Time Source] -> Attributes Tab -> Add More Filters
Filter Query: SELECT (EXTRACT (EPOCH FROM NOW() + interval '1 years'))::int AS now_plus_1year;
now_plus_1year Now Plus 1year Integer
2) Create a context server dictionary entry to perform the API action:
Administration -> Dictionaries -> Context Server Actions -> Add Generic HTTP Context Server
Action Tab
Server Name: localhost
HTTP Method: PATCH
URL: /api/guest/username/%{Authentication:Username}
Header Tab
accept = */*
content-type = application/json
Content Tab
Content-Type: JSON
Content:
{
"expire_time": "%{Authorization:[Time Source]:Now Plus 1year}"
}
Attributes Tab
AuthTime = %{Date:Date-Time}
3) Create an enforcement profile that references this dictionary entry to perform the action.
Configuration -> Enforcement -> Profiles -> Add HTTP Based Enforcement
Attributes Tab
Target Server = localhost
Action = Extend Expiration
4) Add enforcement profile to your enforcement policy
Open your enforcement policy and add the enforcement profile created in step 3. This will perform the API action and extend the expire_time attribute on the guest user account.
Original Message:
Sent: Feb 03, 2017 11:29 AM
From: David Gratton
Subject: ClearPass Guest Device Change Expire Time
HI All
I am trying to extend a guest account expire time using an enforcement profile. My enforcement policy is "Expire-Time-Update - GuestUser = <Minutes until expiry>", but it will only let me reduce the expiry time e.g. make it sooner and not extend it. Is this by design or am I doing something wrong?
ClearPass is version 6.5.7
Thanks
Dave