Security

 View Only
  • 1.  Guest with MAC Caching - endpoint not deleted

    Posted Feb 28, 2018 02:54 AM

    HI 

     

    I have a customer with clearpass guest with Mac Caching. When user account expires, the endpoint is still present in Clearpass - so the next time the guest logs in - the guest user is expired, but endpoint still present so the guest is MAC authenticated, but since guest user account is disabled station is still in network not getting an IP, rather than being redirected to captive portal. 

     

    Shouldn't endpoint be deleted when cache and guest user account expires? 



  • 2.  RE: Guest with MAC Caching - endpoint not deleted
    Best Answer

    Posted Feb 28, 2018 07:00 AM
    The MAC address won’t be deleted from the endpoint DB and it shouldn’t impact the decision to redirect the user but it depends on how you have your enforcement policy.

    Can you share your role mapping and enforcement policy?



    Thank you

    Pardon typos sent from Mobile


  • 3.  RE: Guest with MAC Caching - endpoint not deleted

    Posted Feb 28, 2018 07:35 AM

    Hi

     

    thanks for getting back to me. Just had a session going through the setup on Clearpass and there a couple of things. And - you're correct - some of it originated from Enforcement Profile.

     

    1. the MAC auth enforcement policy was correct, apart from that ROLE MAPPING for guest had an enforcement profile giving the station an non-existing Aruba User Role - so the aruba role giving Captive Portal access wasn't added and user was placed in a default user role with no CP

     

    2. When that was fixed we noticed that the initial role in Aruba Controller had the wrong CP Profile added - wizard had changed this; so default guest user role was added rather than the customized guest role

     

    WIth those two tweaks - it worked

    lessons learned

     

    thank you



  • 4.  RE: Guest with MAC Caching - endpoint not deleted

    Posted Feb 28, 2018 11:02 AM

    I think Aruba expects you would use the Known Endpoints Cleanup to remove those records. The interval is based on when the Known Endpoint record was last modified.

     

    We cannot currently do that so I made a REST API script that I run manually to cleanup old Guest Endpoints. It checks all Known Endpoints. If there is a Guest-Role-ID attribute, it checks to see of the Guest Account exists. If the Guest Account does not exist, it deletes the Endpoint.



  • 5.  RE: Guest with MAC Caching - endpoint not deleted

    Posted Mar 30, 2019 09:46 AM

    can you share the script that you wrote?  I'm facing the similar challenges and need a mechanism (programmatic access) to delete guest endpoints.



  • 6.  RE: Guest with MAC Caching - endpoint not deleted

    Posted Apr 01, 2019 08:30 AM
      |   view attached

    I just quickly threw this together. As mentioned, I did "best guess" on the operator profile access. It is a little rough, but it works for us.

     

    Please let me know if I need to adjust anything.

     

    Attachment(s)



  • 7.  RE: Guest with MAC Caching - endpoint not deleted

    Posted Apr 02, 2019 10:03 AM

    cool, I always want to do some real API call to clearpass, you have provide a good example for that. let me check them out.  thx



  • 8.  RE: Guest with MAC Caching - endpoint not deleted

    Posted Apr 02, 2019 10:06 AM

    @aphuang2015 wrote:

    cool, I always want to do some real API call to clearpass, you have provide a good example for that. let me check them out.  thx


    I know most networking stuff is happening in Python right now but I acrually started with the eTIPs API using a proof of concept from Avenda thet moved over to Aruba when they bought eTIPs. I just tend to adjust as needed.

    Laziness, I giess.