Security

 View Only
last person joined: 19 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass not setting MAC-Auth Expiry attribute when Guest account never expires

This thread has been viewed 16 times
  • 1.  ClearPass not setting MAC-Auth Expiry attribute when Guest account never expires

    Posted Aug 03, 2022 04:21 PM
    Hello,

    We're using ClearPass 6.10.5.185484 and we noticed a possible bug. When we create a "Guest Authentication with MAC Caching" services through Configuration > Service Templates & Wizards, the "MAC-Auth Expiry" attribute is empty if the Guest account has no expiration and we set the "MAC Caching Settings" to expire when the Account Expires and the Captive Portal is shown everytime the user enter the network.

    Here's the Guest account (notice the "Sem expiração" [No expire] flag):


    Notice that we can see at the Access Tracker that no MAC-Auth Expiry was defined. When we go to the Endpoint repository and check the Endpoint, there's no "MAC-Auth Expiry" attribute (it isn't even empty - it's simply not there!).


    After we change the MAC Cache Settings at the service template to six months from now, it's added successfully at the Endpoint entry at the Endpoint Repository as reflected at the Access Tracker:


    I do believe that if the Guest account do not have an expiration date, it should set the MAC-Auth Expiry to infinity.

    I believe that as the service template assistant creates the service to check the MAC-Auth Expiry parameter and it's empty, the "[MAC Caching]" role isn't delivered to the user and the Captive Portal is shown everytime to the end user.


  • 2.  RE: ClearPass not setting MAC-Auth Expiry attribute when Guest account never expires

    EMPLOYEE
    Posted Aug 04, 2022 09:41 AM
    You may need to change the policy to support this scenario. Having an infinite MAC caching seems quite rare to me.

    You could probably check for the field to exist but be empty in the MAC Caching rolemapping/policy; or set MAC caching to an actual value if it's empty in the captive portal webauth policy. Support can probably help you if you can't fix it yourself.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass not setting MAC-Auth Expiry attribute when Guest account never expires

    Posted Aug 04, 2022 10:30 AM
    Hello Herman,
    I could fix it by myself but I decided to report it because if I use the Service Template & Services again, it will replace the modifications that I had done with the ones of the Service Template. It's really uncommon have infinity MAC-Auth Expiry duration, but if the account can have no expiration, the MAC-Auth Expiry should reflect this too or set it to sometime later into the future, like 2099. I can understand it can bring confusion because after the first logon it will make MAC-Auth forever with the same user account until it's guest account is disabled, but the default behavior from the Service Templates & Services that is opening the Captive Portal all the time makes beginners to think that MAC Caching isn't working.