How to configure self sponsored guest access with 5 minutes of initial access?


You might have a requirement where you want self-sponsored guest access wherein users will enter their email address, and they will get an email to sponsor them self. To allow the users to sponsor themselves you can give them 5 minutes of initial access and if they confirm the account they can continue to stay in the same role.

If they fail to sponsor their account or if they enter an invalid email address they should be disconnected after 5 minutes taking them back to the captive portal page.

This way you are making sure that the users are entering a valid email address and also making sure that you give them access to the internet to check their email and approve themselves.


We are going to achieve this by making use of a combination of returning a session timeout to the controller and role override of the guest account once the user sponsors them self.


First off you need to make sure that the MAC authentication server group on the Aruba controller is mapped as the ClearPass server. Then we also need to make sure that in the MAC authentication profile of the Aruba controller we check the box that says "Reauthentication" and also "Use server provided Re-authentication Interval" as shown in the screenshot below.


You also need to make sure that ClearPass is mapped as an RFC-3576 server on the corresponding AAA profile on the  controller.

Besides these settings the other settings on the Aruba controller are typical of any captive portal setup, making sure that captive portal server-group points to ClearPass.


Next we can move on to the ClearPass Guest Side of things where we configure the self-registration page with the appropriate fields as shown below. You just need to make sure that you include the email field in the form.

In the Sponsor Confirmation section


You need to make sure that you Enable "Require sponsor confirmation prior to enabling the account" and set the "Email Field" to "email" and not sponsor_email as the user himself is the sponsor in this case.

One more important piece of configuration is the Role Override in the same page, where after sponsorship the role would change to configured role helping us determine if the user has sponsored himself.



So, the role initially for the user account can be anything but the role after the user has sponsored his account is "[Employee]"


The 1st service on the ClearPass Policy Manager side of things is a MAC-Auth service where "CP-Self-Reg" is the name of the SSID

where we need to have an [Allow All MAC AUTH]


We need [Allow All MAC AUTH] because for any client that's connecting for the first time, we want to accept the authentication return 5 mins as the session time-out and put it in the captive portal role.

Once the user completes the registration process he will be allowed to login to the network and also receive an email through which he needs to sponsor himself to continue his stay on the network for more than the 5 minutes.

The next step is to configure a filter in the [Guest user Repository], you need to click on the repository and navigate to the Attributes tab


Under Attributes you need to click on "Add More Filters"


You need to put in a Filter Name and we are naming it "Role_Update_Check" it can be any name that makes sense to you.

The query that we need to put is

select attributes::json->>'Role ID' as Current_Role_ID from tips_guest_users where user_id='%{Endpoint:Username}'

The value we are fetching is called "Current_Role_ID" so that needs to be Name of the attribute and the Alias Name can be anything and we are calling it "Current Guest Role"

This query tells us if the user has sponsored their account or not, by fetching the current role id after the user sponsors himself.

You need to add [Guest User Repository] as the authorization source.

Under Roles you can have the following rules as shown in the screenshot to make sure that users who have already authenticated don't keep going back to the captive portal page.

Under Enforcement Policy you need to have the conditions as shown in the screenshot below

A brief explanation of the above rules, 

The 1st rule is for cached sponsored Guest users. The 2nd rule is for sponsored users to handle the auth request that comes after 5 minutes.

The 3rd rule is for handling users who have not sponsored their account to handle the auth request after 5 minutes.

The 4th rule is generic catch all rule that applies to all new users.

The Update to Unknown is to make sure that we don't get stuck in a loop trying to keep disconnecting the user.

The Update Role ID to 3 is to make sure that we tag the right Role to the Endpoint after the user sponsors their account.


The Session Timeout 5 minutes is an enforcement profile that returns a Radius:IETF Session-Timeout for 300 seconds which stands for 5 minutes.


Now moving on to the next service which is the MAC caching service where "CP-Self-Reg" is the name of the SSID.

Please find the screenshot of the enforcement policy below

You need to make sure that you update the Endpoint as Known and also update the username along with MAC-Auth Expiry  on a successful auth which is typical of any Guest Mac caching setup.






1st Case : User not sponsoring himself within the initial 5 minutes of access



Output of 1st MAC Auth 


Output of user Auth


Output of 2nd MAC Auth after 5 minutes


2nd Case : User Sponsoring himself within the 5 minutes of initial access


Output of 1st MAC Auth 


Output of User Auth

Authorization attributes of 2nd MAC Auth

Output of 2nd MAC Auth

From the below outputs we have verified that the user gets disconnected in 5 minutes if they do not sponsor them self. If they do sponsor them self we saw that the client continued to stay on the network in the same role.


Version history
Revision #:
2 of 2
Last update:
‎01-03-2018 03:33 AM
Updated by:
Labels (1)


There are multiple documents published on how to do this -- this is the only one that works!

What are the compulsory components to achieve sponsored guest feature?

Can I achieve it with IAP and clearpass only? without controller?


Thank you so much for creating this article, I am setting up a new project for a customer now and this is exactly what I need, but I have a couple questions.


This first is about access to email for non-LTE devices. If the user needs access to email to sponsor himself, but is not on a device with a data connection, how does he get to his email?  Upon the initial MAC auth when we put them into the captive portal role, they only have access to ClearPass, DHCP, and DNS.  Are you adding access to IMAP and POP3 to the captive portal pre-auth role?  


The second question is about assigning the Guest Role ID 3, and maybe this will sort itself out as I get it built out and tested.  I am missing the connection between the Sponsor Confirmation page where the Role Override is set to Employee, and then where the Endpoint gets updated with the Role ID 3.  Do you have a role-mapping policy that ties those two pieces together?


Thank you!

@lvbeachlife 1. With the enforcements, the users will get 5 minutes to open the mailbox and confirm the email address. 2. He created the Enforcement Profile that update the Guest Role ID to 3 if the Current Role is Employee.
I have one question, where is the guest account validation? If the account is expire or disabled, what will happen?

Hey Guys,


How is the following case handled ?


1. User A registers with email address "" & gets 5 mins of internet access.


Post confirmation of the account, role id changes to 3 & caching kicks in for subsequent requests when the user reconnects.


2. Now, User B registers with the same email address "" & gets 5 mins of internet access.


But User B never confirms the account by validating the email address.


Does this change the role id back to 2 as the same account is used for registration by both users ?

if it does, then user A will be presented with CP registration page again even though it confirmed the account (step 1).


Is there a way to avoid this from occuring ?


Search Airheads
Showing results for 
Search instead for 
Did you mean: