Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest Authentication with Mac Caching - ExpireTime vs RemainingExpiration - attribute differences

  • 1.  ClearPass Guest Authentication with Mac Caching - ExpireTime vs RemainingExpiration - attribute differences

    Posted Jan 22, 2024 07:33 PM

    Hi all,

    The "Guest MAC Auth Caching" profiles have different attributes if you select "Aruba" or "Cisco" when you create a Guest Authentication with MAC Caching policy using the Service Template and Wizard. This profile updates the Endpoint MAC-Auth Expire time with the value listed in the Guest User Repository. I have a customer who has both Cisco and Aruba Wireless Controllers using ClearPass Guest.

    Aruba
    Uses "ExpireTime"
    This is listed in the calendar format

    Cisco
    Uses "RemainingExpiration"
    This is listed in seconds.

    Questions
    1 - Does the MAC Caching role mapping policy still work correctly when using "RemainingExpiration"? (Now DT LESS_THAN Endpoint:MAC-Auth Expiry)

    2 - Is there any impact to the Cisco Guest MAC Caching workflow if I change it from RemainingExpiration to ExpireTime?

    The endpoint DB would be much easier to troubleshoot if it is listed in the same calendar format as the Aruba clients.

    ------------------------------
    Brett V
    ------------------------------



  • 2.  RE: ClearPass Guest Authentication with Mac Caching - ExpireTime vs RemainingExpiration - attribute differences

    Posted Feb 09, 2024 03:42 AM

    I would not see why these mappings would use different attributes; I am quite sure that if you change the role mapping to use the same, it will just work (if there are no other role mappings that are different between Aruba and Cisco). The templates may be just different implementations for the same task. I know that the templates for guest and MAC Caching have changed a few times in the past. It may be that it was changed in the Aruba template but not in the Cisco template.

    For all template-generated policy, you should be able to understand it and adapt it to your own needs. In the end, it's just rules that implement a specific functionality, and you can do the same task in different ways. There may even be no functional difference at all, and you could adapt it to your own preference.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------