You want to take a look at the cleanup intervals topic in the user guide.
Just a note though...3000 is nothing. If you had millions, then we might start talking about system cleanup being a priority.
Original Message:
Sent: Aug 12, 2024 03:37 PM
From: Ewerton.Lopes
Subject: automatically delete endpoints with expired clearpass authentication
Hi,
Thank you for the detailed response. I have a quick question regarding the management of unused endpoints. If we implement the suggested approach using the custom queries and limit checks, what will happen to endpoints that are no longer in use? Will they be retained in the database indefinitely, or will they be automatically deleted after a certain period of inactivity?
Additionally, we currently have around 3000 endpoints registered in our database, and about half of them have not been used in over a month. However, they are not being automatically deleted. How can we configure ClearPass to automatically remove these stale endpoints to prevent the database from becoming cluttered?
Your guidance on this would be greatly appreciated.
Thanks in advance for your clarification!
Original Message:
Sent: Aug 12, 2024 03:00 PM
From: Carson Hulcher
Subject: automatically delete endpoints with expired clearpass authentication
That's not how endpoint cleanup works. You'll want to enable cleanup so that endpoints not seen for a specified amount of time are deleted, that way you prevent the growth of that table over months and years to a truly ridiculous size.
If you want to limit a user to a certain number of devices to be connected, then use a concurrent lookup method rather than the (old and very dated) canned method that is provided in the wizard. There is already an "Active-Sessions" attribute available through the Insight auth source, I'm not a fan of that one because of the time period the query looks at.
My custom queries for an Aruba wireless environment will pull the current number of sessions associated with a specific username:
******
[Insight Repository]
New filter "Custom-ConcurrentSessions-PreAuth-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings for Application/WebAuth where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND LEFT(ssid,LENGTH('%{Application:WebLoginURL:essid}')) = '%{Application:WebLoginURL:essid}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-PreAuth-User, Integer
******
[Insight Repository]
New filter "Custom-ConcurrentSessions-User" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Authentication:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Authentication:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-User, Integer
******
[Insight Repository]
New filter "Custom-ConcurrentSessions-Endpoint" to find concurrent sessions currently active through interim accounting updates
To be used in role mappings where %{Endpoint:Username} will exist
SELECT count(distinct calling_station_id) as active_sessions
FROM radius_acct
WHERE end_time IS null
AND username = '%{Endpoint:Username}'
AND ssid = '%{Connection:SSID}'
AND calling_station_id != '%{Connection:Client-Mac-Address-NoDelim}'
AND updated_at > now() - interval '12 minutes'
- active_sessions: ActiveSessions-Endpoint, Integer
These are used for three separate services: pre-auth, user auth, and MAC auth.
You're also going to probably want to make use of the simultaneous_use field on the guest user account so that you can make exceptions to the normal limit of devices. That requires having the value available so that you can compare against how many sessions are currently active.
******
[Guest User Repository]
New filter "Custom-SimultaneousUse-User" to return the simultaneous_use attribute based on Authentication:Username
SELECT tgu.attributes ->>'simultaneous_use' AS simultaneous_use_user
FROM tips_guest_users as tgu
WHERE ((tgu.guest_type = 'USER')
AND (tgu.user_id = '%{Authentication:Username}')
AND (app_name != 'Onboard'))
- simultaneous_use_user: SimultaneousUse-User, Integer
******
[Guest User Repository]
New filter "Custom-SimultaneousUse-Endpoint" to return the simultaneous_use attribute based on Endpoint:Username
SELECT tgu.attributes ->>'simultaneous_use' AS simultaneous_use_endpoint
FROM tips_guest_users as tgu
WHERE ((tgu.guest_type = 'USER')
AND (tgu.user_id = '%{Endpoint:Username}')
AND (app_name != 'Onboard'))
- simultaneous_use_endpoint: SimultaneousUse-Endpoint, Integer
Examples for role mapping:
------------------------------
Carson Hulcher, ACEX#110
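The five queries above count live sessions and fetch the per-user simultaneous_use override; the role-mapping step then compares the two. As an added illustration that is not Carson's code and not anything shipped with ClearPass, the Python below re-implements that comparison against a handful of constructed radius_acct-style rows, so the purpose of each WHERE clause is visible: open sessions only, interim updates within the 12-minute window, the current client's own MAC excluded, and the SSID prefix match used by the pre-auth variant. The row shape, sample MACs and SSIDs, the default limit of 3 (taken from the scenario in this thread) and all function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Union

# Constructed stand-in for rows of the Insight radius_acct table. Field names
# follow the columns the thread's queries use; the rows are sample data only.
@dataclass(frozen=True)
class AcctRow:
    username: str
    calling_station_id: str        # client MAC without delimiters
    ssid: str
    updated_at: datetime           # time of the last interim-accounting update
    end_time: Optional[datetime]   # None while the session has no Stop record

NOW = datetime(2024, 8, 12, 15, 0, tzinfo=timezone.utc)
INTERIM_WINDOW = timedelta(minutes=12)   # the "interval '12 minutes'" in the queries
DEFAULT_DEVICE_LIMIT = 3                 # per-user device cap described in the thread

def _ago(minutes: int) -> datetime:
    return NOW - timedelta(minutes=minutes)

SAMPLE_ROWS = [
    # alice: one live session, one open session whose interim updates stopped
    # 30 minutes ago (client vanished without a Stop), one closed session,
    # one live session on a different SSID.
    AcctRow("alice", "aaaaaaaaaaa1", "Corp-Guest", _ago(2), None),
    AcctRow("alice", "aaaaaaaaaaa2", "Corp-Guest", _ago(30), None),
    AcctRow("alice", "aaaaaaaaaaa3", "Corp-Guest", _ago(5), _ago(4)),
    AcctRow("alice", "aaaaaaaaaaa4", "Corp-Staff", _ago(1), None),
    # bob: three live sessions on the guest SSID, i.e. already at the default limit.
    AcctRow("bob", "bbbbbbbbbbb1", "Corp-Guest", _ago(1), None),
    AcctRow("bob", "bbbbbbbbbbb2", "Corp-Guest", _ago(3), None),
    AcctRow("bob", "bbbbbbbbbbb3", "Corp-Guest", _ago(9), None),
    # the same MAC can appear twice after a roam; count(distinct ...) collapses it
    AcctRow("bob", "bbbbbbbbbbb3", "Corp-Guest", _ago(11), None),
]

def active_sessions(rows: Iterable[AcctRow], username: str, ssid: str,
                    exclude_mac: Optional[str] = None, ssid_prefix: bool = False,
                    now: datetime = NOW, window: timedelta = INTERIM_WINDOW) -> int:
    """Mirror the Custom-ConcurrentSessions-* filters.

    end_time IS NULL keeps only sessions without a Stop record; the updated_at
    window drops open sessions that stopped sending interim updates (a client
    that simply disappeared), which would otherwise count forever. exclude_mac
    is the authenticating client's own MAC, so a re-authentication does not
    count against itself. ssid_prefix reproduces the pre-auth variant's
    LEFT(ssid, LENGTH(essid)) = essid comparison.
    """
    macs = set()
    for r in rows:
        if r.end_time is not None or r.username != username:
            continue
        if ssid_prefix:
            if not r.ssid.startswith(ssid):
                continue
        elif r.ssid != ssid:
            continue
        if exclude_mac is not None and r.calling_station_id == exclude_mac:
            continue
        if r.updated_at > now - window:
            macs.add(r.calling_station_id)
    return len(macs)

def device_limit(simultaneous_use: Union[str, int, None]) -> int:
    """Apply the guest account's simultaneous_use override when present.

    The ->> operator in the Custom-SimultaneousUse-* filters returns text, so
    the value arrives as a string; an absent, empty or zero value falls back
    to the default limit.
    """
    try:
        value = int(simultaneous_use) if simultaneous_use not in (None, "") else 0
    except ValueError:
        value = 0
    return value if value > 0 else DEFAULT_DEVICE_LIMIT

def allow_new_session(rows: Iterable[AcctRow], username: str, ssid: str,
                      client_mac: str, simultaneous_use=None) -> bool:
    """The role-mapping decision: admit only while live sessions are below the limit."""
    current = active_sessions(rows, username, ssid, exclude_mac=client_mac)
    return current < device_limit(simultaneous_use)

if __name__ == "__main__":
    print("alice live on Corp-Guest:", active_sessions(SAMPLE_ROWS, "alice", "Corp-Guest"))
    print("bob live on Corp-Guest:", active_sessions(SAMPLE_ROWS, "bob", "Corp-Guest"))
    print("bob new device allowed:", allow_new_session(SAMPLE_ROWS, "bob", "Corp-Guest", "bbbbbbbbbbb9"))
    print("bob with simultaneous_use=5:", allow_new_session(SAMPLE_ROWS, "bob", "Corp-Guest", "bbbbbbbbbbb9", "5"))
```

The stale row for alice is the case the updated_at clause exists for: without it, a client that dropped off the network without a RADIUS Stop would hold a slot indefinitely, which is also why the post prefers this over a query that looks at a longer time period.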
Original Message:
Sent: Aug 12, 2024 02:28 PM
From: Ewerton.Lopes
Subject: automatically delete endpoints with expired clearpass authentication
Thank you for your response.
The issue involves the MAC-Auth Expiry attribute within ClearPass. This attribute is automatically assigned to endpoints when a user registers a device. We created an expiration service intended to delete old or unused endpoints based on this attribute, but it is not functioning as expected.
Specifics:
- Attribute: MAC-Auth Expiry, which should indicate when an endpoint's MAC authentication has expired.
- Authentication Flow: This is part of a flow where users are limited to registering a maximum of 3 devices. When they attempt to register a new device, and they already have 3 registered, they receive an error due to this limitation. To mitigate this, we want to automatically delete endpoints with expired MAC-Auth based on the MAC-Auth Expiry attribute.
However, the deletion process is not working as intended, and the endpoints are not being removed. Additionally, when trying to implement a script via ClearPass Extensions to handle this, I encountered an internal server error (500) during the extension installation.
Let me know if you need further details or clarification.
Thank you!
Original Message:
Sent: Aug 12, 2024 11:07 AM
From: Carson Hulcher
Subject: automatically delete endpoints with expired clearpass authentication
Can you give some specifics, like what attribute are you talking about, what authentication flow is this for?
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Aug 09, 2024 02:08 PM
From: Ewerton.Lopes
Subject: automatically delete endpoints with expired clearpass authentication
Hello everyone, I would like to ask a question about the automatic deletion of endpoints in ClearPass. There is a function created to inform the date on which the authentication will expire; however, the endpoint remains registered, and I have to manually delete the endpoint so that a customer can insert a new device. Is there any way to do this automatically?