How to redirect onboarded users to re-provision their device when the certificate expires within a few weeks


You might have a requirement to redirect an onboarded user whose certificate is about to expire in a few weeks' time to re-provision their device, so that they don't lose connectivity to the network.

Starting from 6.4, we have the capability to send expiry notifications to users so that they can re-onboard their device. The configuration for that is covered in detail in this article below.

However, you might have cases like the ones listed below, where you need the configuration specified in this article to have users re-provision their device seamlessly without losing network connectivity:

  1. Users who have already been onboarded without an email address in their certificate, and whose username is in a format that, when the domain is appended to it, does not form an actual email address.
  2. Users who ignore the re-provision reminder emails.



The solution for this is to force the user to the onboard page to re-provision their device if they connect within 2 weeks (or some short configurable interval) of their certificate expiry. This can be achieved using the attribute "Certificate:Not-Valid-After", which is available in the computed attributes.

We compare this time with the time now plus an interval such as 2 weeks, and if the "Certificate:Not-Valid-After" attribute is less than that, we take the user to the onboard page for re-provisioning.

Please note that the interval can be customized based on the requirement.




We make use of the [Time Source] authentication source to compute the interval we want. We are taking the interval as 2 weeks for this example.

Navigate to Configuration >> Authentication >> Sources >> [Time Source] (click on it)

and then navigate to the Attributes tab as shown in the screenshot below.


In the Attributes section, click on "Add more filters" as shown in the screenshot below.

It will prompt you for a filter name; you can give any name that indicates what it's doing.

In the filter query section, paste the following:

select date_trunc('second', localtimestamp(0) + interval '14 days') as Now_Plus_14_days

Configure the name as "Now_Plus_14_days". The alias can be anything, like "Now Plus 14 Days DT", and the data type should be "Date-Time", as shown in the screenshot below.

Once this is configured, we can reference this alias in our conditional rules.

In our Onboard authentication service, add [Time Source] as an authorization source and configure a rule as shown below, which checks whether the client is an onboard client doing EAP-TLS and whether the client certificate is going to expire within the next 14 days.

The enforcement profile "Device Reprovision Redirect" can be used to return a role or enforcement that takes the user to the onboard page to re-provision their device.

The URL for re-provisioning is as below:

https://<Device Onboard URL>?reprovision=1





Once the above configuration is done, we can see that a device whose certificate is going to expire within the next 14 days is given the "Device Reprovision Redirect" enforcement profile.

Time Now + Interval ' 2 weeks'

Certificate Not Valid After 


Based on the above 2 values, we can confirm that the user gets the "Device Reprovision Redirect" enforcement, which can be used to take the user to the onboard page for re-provisioning.
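
To check in advance which devices the rule would catch, the following added Python example (not part of the original article and not ClearPass code) applies the same comparison to a constructed list of sessions. The dictionary keys and the "Normal Access" and "Expired" labels are assumptions, and all timestamps are treated as UTC.

```python
import ssl
from datetime import datetime, timedelta, timezone

REPROVISION = "Device Reprovision Redirect"  # enforcement profile named in the article
NORMAL = "Normal Access"                     # hypothetical label for the default outcome
EXPIRED = "Expired"                          # hypothetical label: already past notAfter

def parse_not_after(text):
    """Parse an OpenSSL-style notAfter value such as 'Mar 10 12:00:00 2017 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def now_plus(now, days=14):
    """Equivalent of the Now_Plus_14_days filter, at whole-second precision."""
    return now.replace(microsecond=0) + timedelta(days=days)

def classify(session, now, days=14):
    """Rule: onboarded EAP-TLS client AND Not-Valid-After < now + interval."""
    if session["auth_method"] != "EAP-TLS" or not session["onboarded"]:
        return NORMAL
    not_after = parse_not_after(session["cert_not_after"])
    if not_after <= now:
        return EXPIRED  # certificate no longer valid, too late for a seamless redirect
    if not_after < now_plus(now, days):
        return REPROVISION
    return NORMAL

def audit(sessions, now, days=14):
    """Return {user: outcome} for every session."""
    return {s["user"]: classify(s, now, days) for s in sessions}

# Constructed sample data (not from a real deployment).
NOW = datetime(2017, 3, 1, 2, 57, 0, tzinfo=timezone.utc)
SESSIONS = [
    {"user": "alice", "auth_method": "EAP-TLS", "onboarded": True,
     "cert_not_after": "Mar 10 12:00:00 2017 GMT"},   # inside the 14-day window
    {"user": "bob", "auth_method": "EAP-TLS", "onboarded": True,
     "cert_not_after": "Mar 15 02:57:00 2017 GMT"},   # exactly now + 14 days: no match
    {"user": "carol", "auth_method": "EAP-TLS", "onboarded": True,
     "cert_not_after": "Sep  1 00:00:00 2017 GMT"},   # far from expiry
    {"user": "dave", "auth_method": "EAP-PEAP", "onboarded": False,
     "cert_not_after": None},                         # not an onboard EAP-TLS client
    {"user": "erin", "auth_method": "EAP-TLS", "onboarded": True,
     "cert_not_after": "Feb 20 00:00:00 2017 GMT"},   # already expired
]

if __name__ == "__main__":
    for user, outcome in audit(SESSIONS, NOW).items():
        print(f"{user:6} {outcome}")
```

Because the comparison is a strict "less than", a certificate that expires exactly at now + 14 days is not redirected until the next second; widening the interval (for example `days=30`) pulls it into the window.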


This configuration has been tested and found to be working in ClearPass version 6.6; however, it should also work on ClearPass versions 6.3 and later.



Version history
Revision #: 2 of 2
Last update: 03-01-2017 02:57 AM