Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest Device Change Expire Time

  • 1.  ClearPass Guest Device Change Expire Time

    Posted Feb 03, 2017 11:30 AM

    Hi All

     

    I am trying to extend a guest account expire time using an enforcement profile. My enforcement policy is "Expire-Time-Update - GuestUser = <Minutes until expiry>", but it will only let me reduce the expiry time e.g. make it sooner and not extend it. Is this by design or am I doing something wrong?

     

    ClearPass is version 6.5.7

     

    Thanks

     

    Dave



  • 2.  RE: ClearPass Guest Device Change Expire Time

    Posted Feb 03, 2017 11:40 AM

    Maybe try "Expire-Time-Update - GuestUser = now+1d" to extend by 1 day, for example.

     

    EDIT: FYI, this should be a Post_Authentication Enforcement policy that is called after a successful Guest MAC auth.

     

     



  • 3.  RE: ClearPass Guest Device Change Expire Time

    EMPLOYEE
    Posted Feb 03, 2017 12:01 PM
    That will not work. You can only use a value in minutes.


  • 4.  RE: ClearPass Guest Device Change Expire Time

    Posted Feb 03, 2017 12:05 PM

    Hi Tim

     

    Yep, I am using a value in minutes. I will open a case as you suggest.

     

    Thanks

     

    Dave



  • 5.  RE: ClearPass Guest Device Change Expire Time

    Posted Feb 03, 2017 12:04 PM

    Thanks for the suggestion, I just tried that and it doesn't work.

    If the initial value is set to 24 hours and I set the value in the enforcement profile to 600, for example, it will set the expire time to now plus 10 hours, but only if that is sooner than the original expiry time. It won't let me change the expire time from 24 hours to 48 hours.

     

    Thanks

     

    Dave



  • 6.  RE: ClearPass Guest Device Change Expire Time

    EMPLOYEE
    Posted Feb 03, 2017 11:53 AM
    This should definitely work. Please open a TAC case.


  • 7.  RE: ClearPass Guest Device Change Expire Time

    Posted Feb 22, 2017 05:44 AM

    I opened a TAC case for this and the response was that this is a limitation and an enforcement policy will only update the expiry time if it is sooner than the original time, set when the device is registered.

     

    My first thought was to do it using SQL, but the appexternal login doesn't have sufficient privileges to update the tips_guest_users and you can't use appadmin with an authentication source.

     

    I then thought about using the API, but the HTTP authentication source won't accept custom headers so you can't include the authorization token, and doing this via an external server would just be too messy.

     

    What I'm actually trying to achieve is a rolling expiry time, so the expiry time is updated to 90 days every time the device is authenticated. Has anyone managed to get this to work? I have found a few posts on the subject, but it seems that all of those suggestions no longer work.

     

    Thanks

     

    Dave



  • 8.  RE: ClearPass Guest Device Change Expire Time

    Posted Nov 24, 2020 01:06 PM
    I know this is an old thread, but I had this same problem and was able to solve it with an internal API call, which is actually easier to set up than it sounds. The issue is that it is not possible to do this with a simple post-auth enforcement profile utilizing the Expire-Time-Update attribute as I had originally thought; ClearPass will only let you reduce the expire_time with this attribute, not extend it. However, you can effectively extend the expire_time by setting up an HTTP Context Server Action Dictionary and referencing it in an Enforcement Profile. You will also need to add a Time Source filter that matches the time you want to extend by (e.g. Now Plus 30days) and add the Time Source as an authorization source in your service. In my case I extended expiration by 1 year. Here's how I did it:

    1) Create a Time Source filter for the time period you want to extend by
    Configuration -> Authentication -> Sources -> [Time Source] -> Attributes Tab -> Add More Filters
    Filter Query:  SELECT (EXTRACT (EPOCH FROM NOW() + interval '1 years'))::int AS now_plus_1year;
    now_plus_1year  Now Plus 1year  Integer


    2) Create a context server dictionary entry to perform the API action:

    Administration -> Dictionaries -> Context Server Actions -> Add Generic HTTP Context Server
    Action Tab
    Server Name: localhost
    HTTP Method: PATCH
    URL:  /api/guest/username/%{Authentication:Username}
    Header Tab
    accept = */*
    content-type = application/json
    Content Tab
    Content-Type: JSON
    Content:  
    {
      "expire_time": "%{Authorization:[Time Source]:Now Plus 1year}"
    }
    Attributes Tab
    AuthTime = %{Date:Date-Time}



    3) Create an enforcement profile that references this dictionary entry to perform the action.

    Configuration -> Enforcement -> Profiles -> Add HTTP Based Enforcement
    Attributes Tab
    Target Server = localhost
    Action = Extend Expiration



    4) Add enforcement profile to your enforcement policy

    Open your enforcement policy and add the enforcement profile created in step 3.  This will perform the API action and extend the expire_time attribute on the guest user account.



    5)  Ensure that the [Time Source] is added as an Authorization Source on the relevant Service



    This was working for us, every time a user authenticates the enforcement profile is activated and the expire_time for that account is extended for 1 year.  This allows for any accounts not used in 1 year to be automatically deleted, while indefinitely extending active accounts.

    Hope this helps
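
The PATCH described in the last post, rebuilt as an added Python example (not part of the original thread) so the call can be inspected or replayed from a workstation when checking the setup. The hostname, the token value and the `Authorization: Bearer` header for an external caller are assumptions; the path, method, headers and body shape are taken from the post.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_BASE = "https://clearpass.example.com"  # placeholder host (assumption)


def now_plus_1year(now: datetime) -> int:
    """Epoch seconds one calendar year after `now` (UTC), like NOW() + interval '1 years'."""
    try:
        later = now.replace(year=now.year + 1)
    except ValueError:
        # Feb 29 has no counterpart next year; PostgreSQL clamps to Feb 28.
        later = now.replace(year=now.year + 1, day=28)
    return int(later.timestamp())


def build_extend_request(username: str, now: datetime, token: str) -> urllib.request.Request:
    """Build (but do not send) the PATCH that sets expire_time for one guest account."""
    # Percent-encode the username so '/', '?' or ':' cannot alter the URL path.
    path = "/api/guest/username/" + urllib.parse.quote(username, safe="")
    # The post's JSON body quotes the epoch value, so it is sent as a string here too.
    body = json.dumps({"expire_time": str(now_plus_1year(now))}).encode()
    return urllib.request.Request(
        API_BASE + path,
        data=body,
        method="PATCH",
        headers={
            "Accept": "*/*",
            "Content-Type": "application/json",
            "Authorization": "Bearer " + token,  # assumed scheme for external callers
        },
    )


if __name__ == "__main__":
    # Constructed sample username (MAC-style) and placeholder token.
    req = build_extend_request("aabbccddeeff", datetime.now(timezone.utc), "PLACEHOLDER_TOKEN")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # To send it: urllib.request.urlopen(req)
```
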