How to display accept terms page for 802.1x users once in a day with ClearPass


We might have a requirement where we want to display the terms page for  users who are authenticating across ClearPass performing 802.1x authentication once in a day. So if a user comes in today and authenticates to the 802.1x network he should see the terms page for the first time today and not see it any more for the same day. When the same user comes back tomorrow  or any time later should he see the terms page.  


This can be achieved by using a server initiated login on ClearPass where the user can be put in a captive portal role on the Aruba Controller after authentication on the 802.1x network. The captive portal page needs to be mapped as the webpage we create on ClearPass with the accept terms page which in its configuration has a server initiated login.


We need to create a new web login page and check this box to display the terms and conditions 


The vendor settings need to be chosen as Aruba Networks with the login-method as Server Initiated 


As the user already enters their username and password we should not ask the user for the username and password again but just make them accept the terms. For doing that we have an option under Login Form called "Authentication"  which needs to configured to "Anonymous". When the authentication is set to Anonymous, even though the user does not enter a username and password we still need to have a username and password to complete authentication, hence we can also check the box "Auto-Generate" so that ClearPass can generate that username password automatically.


The Pre-Auth Check needs to be set to Local

Once this is done we have the webpage ready to display the terms. The controller configuration for the user-role that brings the user to this captive portal page is similar to a typical captive portal configuration and that configuration is beyond the scope of this article.

Once the user accepts the terms page and attempts the login, ClearPass gets a WebAuth request, and we need to create a service on ClearPass of type Web-based Authentication to handle that.


The Web Auth service we are going to create is going to do 2 things for us 

  1. Set an attribute on the Endpoint that marks the Terms-Accept Expiry Time which is used to take the user back to terms after a day
  2. Change the user-role on the controller to a full access role so that he can go out of the terms page

We need to create an attribute of type Endpoint Under Administration>>Dictionaries>>Attributes and click on Add

The Data Type needs to be Date-Time and Is Mandatory 'No' and Allow Multiple 'No'. The Name can be anything in this example it is Terms-Accept-Expiry

We need to update this attribute with the value of Date-Time when the Accept Terms will expire so if a user authenticates today then we need to update it with a Date-Time value of 'today 23:59'.

We need to add a new filter  for computing that value which can be done on the [Time Source]  authentication source

select date_trunc('day' , localtimestamp(0) + interval '1 day') - interval '1 second' as terms_accept_expiry

After clicking on Add Filter on the [Time Source] authentication source we need to configure the filter as below


After doing this we now have a value called "Terms Accept Expiry DT" that can be updated to the endpoint attribute we created called Terms-Accept-Expiry, for doing which we need to create an enforcement profile of type "ClearPass Entity Update Enforcement" like shown below


After creating the above enforcement profile we also need to create an enforcement profile of type "Radius COA" to change the user-role of the user to the role that takes the user to the captive portal page.


We also need to add [Time Source] as an authorization source in the service configuration


The rules in the enforcement policy can be as shown below

We also need to make sure that our 802.1x service references the Terms-Accept-Expiry so that only users who are coming back the next day or later go to the terms page and the same user who comes back the same day goes directly to the post-authentication role.

For that we need to add [Time Source] as an authorization source in the 802.1x service also 


The enforcement policy should look like below 

where Full Access Role and Redirect to Terms page are enforcement profiles that return the respective Aruba User-Role.


Please note that the ClearPass needs to mapped as an RFC-3576 Server in the AAA profile for this configuration to work



Connect a new device to the network and you would see the terms page 

Once you click Accept you should see a WebAuth request in ClearPass for which the Output should be like shown below

The COA is triggered based on the NAS-IP Address from the previous authentication request with the same MAC address.  We should be able to see the COA tab in the Access tracker for the previous authentication request to the WebAuth.

The Status Message in the COA tab would give us a clear indication about how the COA went through. If the COA is successful that means that the user will be put in the post-auth role.

For verifying that the user is not going back to  the terms page when they connect again the same day, we can connect the same device again and we should be able to see that the Endpoint has the 

Terms-Accept-Expiry tagged to it 

Hence the device would fall in the post authentication role.

Version history
Revision #:
2 of 2
Last update:
‎09-07-2016 08:17 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: