Security

 View Only
  • 1.  ClearPass Time Source Now Minus 3 Days

    Posted Nov 01, 2016 10:56 AM

    Good morning everyone,

     

    I configured ClearPass to integrate with an existing AirWatch solution. I tried configuring a condition in Role Mapping that would verify the device had checked in to AirWatch in the past 3 days from that authentication.


    I went to Time Source and copied the "now_plus_1day" attribute and modified it as follows:

     

    Now Plus 1 Day

    SELECT (EXTRACT (EPOCH FROM NOW() + interval '1 days'))::int AS now_plus_1day;

     

    Now Minus 3 Days

    SELECT (EXTRACT (EPOCH FROM NOW() - interval '3 days'))::int AS now_minus_3days;

     

    I also updated the Name and Alias to match. I left the Data Type as Integer. 

     

    When an authentication comes through, the access tracker logs show the entry as a string of numbers and not a date/time stamp. The Last Checked In for AirWatch in the logs is a date/time stamp. Due to this it is not interpreting it the way it should and we are getting an "out of compliance" role instead of "airwatch-valid" role. 

     

    Any recommendations or anything I missed to accomplish this? Would anyone have a working example?

     

    Thank you.

     



  • 2.  RE: ClearPass Time Source Now Minus 3 Days
    Best Answer

    Posted Nov 01, 2016 11:01 AM

    It's likely due to the format of the timestamp.

     

    Try this instead:

     

    SQL query:

    select localtimestamp(0)+ interval '3 days' as three_days_from_now

    Then create the attribute to match.

    mharing-3daysfromnow.PNG



  • 3.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Nov 01, 2016 11:06 AM

    Thanks I will give that a try, would the minus symbol work to incorporate "3 days ago" instead of "3 days from now"? 



  • 4.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Mar 09, 2017 08:10 AM

    Hi @mharing, I want to acomplished the same with the "Last check in" attribute, I was wondering how did you achive this, what I want to do is for example a PC last check in was 3 day ago assigned a different role and send it to a Quarentine VLAN, can you post the SQL script you used to have an example? thanks a lot.



  • 5.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Mar 09, 2017 08:32 AM

    Is your "Last Check In" attribute using epoch or human readable time?



  • 6.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Mar 09, 2017 08:40 AM

    I would like to test both, right now I have a filter that adds the "Last Check In" attibute to authenticated machines this is the query that I'm using (Time Source)

     

    select localtimestamp(0)- interval '3 days' as three_days_ago

     

    Is returning this time format:

     

    2017-03-09 08:33:07



  • 7.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Mar 09, 2017 08:49 AM

    So essentially, you just need an enforcement rule that says: 

     

    Endpoint:Last Check In   LESS_THAN %{[Time Source]:Your Attribute}

     

    You may need to flip that logic depending on what you're trying to do.



  • 8.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Mar 09, 2017 08:53 AM

    I think we used the GREATER_THAN, but yes it was the exact same condition:

     

    If Last Check-In to AirWatch is Greater Than 3 days ago (4 days +) Than assign role "Out of Compliance". 

     

    In enforcement policy: If role = Out of Compliance than assign Quarantine VLAN/User-role.



  • 9.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Mar 09, 2017 08:59 AM

    Great!, thanks for your help, that's why I love this community :) 



  • 10.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Mar 09, 2017 08:58 AM

    Thanks a lot for your help, will test it that way and post resutls.



  • 11.  RE: ClearPass Time Source Now Minus 3 Days

    Posted Nov 01, 2016 08:56 PM

    Tested the string you provided, and it worked perfectly. Thank you for your help!