Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

BYOD Account Expiry Management

  • 1.  BYOD Account Expiry Management

    Posted Oct 28, 2015 09:19 AM

    Hi All,

     

    If possible, I'd like to obtain some input around the management of expiring Guest accounts within ClearPass.

     

    We're currently running Aruba OS 6.3.1.16 and ClearPass 6.5.2 providing both Open and Dot1x networks for Guest and Staff BYOD users.

     

    What I'd like to investigate is whether ClearPass is able to utilise Insight to look at the account lifetime and then pick out accounts which are due to expire within a week. If the match is made, upon authentication, an attribute is passed back to the controller to place the user into a role which presents them with an expiry warning web page upon initial browsing. The user can click continue on this page and is then dropped into their authenticated role and can continue browsing the internet.

     

    So I guess the questions I'm looking to answer are:

     

    - Can ClearPass utilise Insight in this way to allow us to pass back an attribute to place the user into this expiry role?
    - By using a captive portal profile on the expiry role, can a web page be presented to the user that can then provide a link to allow the user to continue working?
    - Could this be tied into an Open Network and a Dot1x network?

     

    Any thoughts on this would be greatly appreciated. If I'm missing something quite obvious that would stop this in its infancy, please do let me know. Just in case I'm going down a bit of a rabbit hole here!



  • 2.  RE: BYOD Account Expiry Management

    Posted Oct 28, 2015 09:38 AM

    If you look at your Access Tracker > Input > Computed Attributes

     

    And use the GuestUser: "do_expire" / "expire_postlogin" attribute to make the decisions you are looking to make in your Enforcement Policy to return a different role based on that criteria.



  • 3.  RE: BYOD Account Expiry Management

    Posted Oct 28, 2015 09:57 AM

    Hi Victor,

     

    Thank you for your response. Looking at these attributes, I'm unsure whether they could be used to highlight an account which is due to expire in 1 week's time. Is that entirely possible or would this have to be done using another method (if possible at all)?



  • 4.  RE: BYOD Account Expiry Management
    Best Answer

    Posted Oct 28, 2015 10:39 AM

    My bad, I gave you the wrong info.

     

    But if you use the RemainingExpiration time (based in seconds) you can use this information to make the decision to send a new role.

    Note: Make sure you add the Guest User Repository as an Authorization Source.




  • 5.  RE: BYOD Account Expiry Management

    Posted Oct 28, 2015 11:19 AM

     

    Ah that certainly looks like something we can make use of. Thank you!

     

    Do you have any thoughts on using a second landing page to advise the user of the upcoming expiry? My thoughts are the 'expiry' role will have a captive portal profile assigned that directs the user to a page on ClearPass. They would need to accept a message on this page to continue browsing, and by doing that would be placed into an authenticated role.



  • 6.  RE: BYOD Account Expiry Management

    Posted Oct 28, 2015 03:58 PM
    Yes, the role you will return needs to have its own Captive Portal Profile pointing to the new page.

    You can create a Web Login just using an Anonymous account.