How to enforce Onboarding client certificate validity based on guest user’s expiration time

Aruba Employee

When we allow guest users to onboard devices, the client certificate is valid for a fixed duration defined in CA -> Certificate issuing -> Validity period. As a result, a user can still authenticate successfully even after the guest account used to onboard the device has expired.


Environment: ClearPass configured for device Onboarding using guest accounts to perform TLS authentication.


Create an application-based enforcement profile with attribute ClearPass:Session-Timeout => %{Authorization:[Guest User Repository]:RemainingExpiration}.




Enable Authorization in the Onboarding authorization service and select the guest user repository as the authorization source.




Update the Onboarding authorization service -> Enforcement policy with a rule: if the Authorization source equals the guest user repository, assign the enforcement profile created above.




To dynamically set the certificate validity period based on the guest user’s remaining expiration, we can update the Onboarding authorization service -> Enforcement policy to apply an application-based enforcement profile with ClearPass:Session-Timeout set to the guest user’s remaining expiration time.


After making the configuration changes described above, try Onboarding a device using an account from the guest user repository.

From Access tracker -> Onboarding authorization request, we can check the remaining expiration time calculated for the guest user and the enforcement profile applied.




From Access tracker -> Onboarding authorization request, we can check the session timeout value applied for the authorization request.




Go to Onboard -> Management and Control -> View by Certificate, then filter for the newly created client certificate to view its validity period.



Version history
Revision #: 1 of 1
Last update: 04-08-2015 07:22 AM