Security

Hi all,

The "Guest MAC Auth Caching" profiles have different attributes if you select "Aruba" or "Cisco" in when you create a Guest Authentication with MAC Caching policy using the Service Template and Wizard. This profile updates the Endpoint MAC-Auth Expire time with the value listed in the Guest User Repository. I have a customer who has both Cisco and Aruba Wireless Controllers using ClearPass Guest.

Aruba
Uses "ExpireTime"
This is listed in the calendar format

Cisco
Uses "RemainingExpiration"
This is listed in seconds.

Questions
1 - Does the MAC Caching role mapping policy still work correctly when using "RemainingExpiration"? (Now DT LESS_THAN Endpoint:MAC-Auth Expiry)

2 - Is there any impact to the Cisco Guest MAC Caching workflow if I change it from RemainingExpiration to ExpireTime?

The endpoint DB would be much easier to troubleshoot if it is listed in the same calendar format as the Aruba clients.

------------------------------
Brett V
------------------------------

I would not see why these mappings would use different attributes, quite sure if you change the role mapping to use the same, that it will just work (if there are no other rolemappings that are different between Aruba and Cisco). The templates may be just different implementations for the same task. I know that the templates for guest and MAC Caching have changed a few times in the past. It may be that it was changed in the Aruba template but not on the Cisco template.

For all template generated policy, you should be able to understand it and adapt it to your own needs. In the end, its just rules that implement a specific functionality and you can do the same task in different ways. There may even be no functional difference at all, and you could adapt it to your own preference.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 22, 2024 07:33 PM
From: BrettV
Subject: ClearPass Guest Authentication with Mac Caching - ExpireTime vs RemainingExpiration - attribute differences

Hi all,

The "Guest MAC Auth Caching" profiles have different attributes if you select "Aruba" or "Cisco" in when you create a Guest Authentication with MAC Caching policy using the Service Template and Wizard. This profile updates the Endpoint MAC-Auth Expire time with the value listed in the Guest User Repository. I have a customer who has both Cisco and Aruba Wireless Controllers using ClearPass Guest.

Aruba
Uses "ExpireTime"
This is listed in the calendar format

Cisco
Uses "RemainingExpiration"
This is listed in seconds.

Questions
1 - Does the MAC Caching role mapping policy still work correctly when using "RemainingExpiration"? (Now DT LESS_THAN Endpoint:MAC-Auth Expiry)

2 - Is there any impact to the Cisco Guest MAC Caching workflow if I change it from RemainingExpiration to ExpireTime?

The endpoint DB would be much easier to troubleshoot if it is listed in the same calendar format as the Aruba clients.

------------------------------
Brett V
------------------------------