Requirement:
This article is about creating enforcement profile to update expire time of the Guest users based on the enforcement policy.
Solution:We can use the Endpoint Context Server action to create an API call to trigger an Expire Time update. Note: The context server action should be triggered through an enforcement profile.
Note: This article is mainly focused on updating expire time using API. Please visit the link below for ClearPass Guest integration or search our community for guest implementation queries.
https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx
Configuration:Create API Client ID:
1. Navigate to Guest >> Administration >> API Services >> API Clients >> Create API client
2. Copy "Client ID" and "Client secret" to use it in the endpoint context server configuration.
Endpoint Context Server Configuration:
1. Navigate to ClearPass Policy Manager >> Administration >> External Servers >> Endpoint Context Servers and select "localhost".
Note: If the Endpoint Context Server "localhost" is already in use, then it is recommended to create a new context server and follow the below sample configuration.
2. Select Authentication Method as "OAuth2", enter client id and secret.
3. Use "Validate" option to check if the connection is working.
Creating Context Server Actions:
1. Navigate to ClearPass Policy Manager >> Administration >> Dictionaries >> Context Server Actions >> Add
2. Enter the below details under Action:
Server Type: Generic HTTP,
Server Name: localhost,
Action Name: <Enter the name>,
HTTP Method: PATCH,
Authentication Method: OAuth2
URL: /api/guest/username/%{Authentication:Username}?change_of_authorization=undefined
3. Enter the below Header Names.
4. Enter the below JSON attributes in the Content field:
Content-Type: JSON
Content:
{
"expire_time": "%{Authorization:[Time Source]:Now Plus 7days}"
}
Note: In the example, selected seven days as expire time, you can modify based on your requirement. You can define the value in Configuration > Authentication > Sources > [Time Source]. The output should be in EPOCH value.
In the below screenshot, those marked Alias returns the epoch value. We can create a copy of those filters based on the requirement.
Service Configuration:
1. In the Service, select "[TIME SOURCE]" as Authorization source.
2. To create enforcement profile, navigate to Configuration >> Enforcement >> Profile >> Add >> HTTP Based Enforcement
3. Select Endpoint Context server and Context server action.
4. Update the enforcement profile in the enforcement policy.
Note: The above rule is for example, we can use the enforcement profile in the existing configuration to update the expire time dynamically from authentication.
Verification
- In the Guest GUI, the below account is going to expire in less than 24 hours.
- In the Guest user authentication, user got the HTTP enforcement profile to update expire time for 7 day
- After user authentication the guest account got updated with 7 days.
- We can also confirm the same from Guest Application logs (Guest GUI > Administration > Support > Application Log):
Note: the expire time will be stored in epoch time. We need to send it in epoch value from HTTP enforcement profile.
Attachment:
Enforcement profile attached. We can restore this in Configuration >> Enforcement >> Profiles >> Import.
It will restore the below configuration:
- Enforcement Profile: Update Guest HTTP
- Endpoint Context Servers: localhost
- Context Server Actions: Guest_Expiry_Update_PATCH
Note: Update Endpoint context server with correct oauth2 credentials.
Attachments:EnforcementProfile.xml