I recently worked with TAC to solve this very problem. It is not possible to do this with a simple post-auth enforcement profile utilizing the Expire-Time-Update attribute as I had originally thought; ClearPass will only let you reduce the expire_time with this attribute, not extend it. However, you can effectively extend the expire_time by performing a SQL query or an internal API call. We chose the API call route as it's a bit more straightforward. You will need to set up an HTTP Context Server Action Dictionary and then reference that in an Enforcement Profile. You will also need to add a Time Source filter that matches the time you want to extend by (Now Plus 30days) and add the Time Source as an authorization source in your service. In my case I extended expiration by 1 year; here's how I did it:
1) Create a Time Source filter for the time period you want to extend by
Configuration -> Authentication -> Sources -> [Time Source] -> Attributes Tab -> Add More Filters
Filter Query: SELECT (EXTRACT (EPOCH FROM NOW() + interval '1 years'))::int AS now_plus_1year;
now_plus_1year Now Plus 1year Integer
2) Create a context server dictionary entry to perform the API action:
Administration -> Dictionaries -> Context Server Actions -> Add Generic HTTP Context Server
Action Tab
Server Name: localhost
HTTP Method: PATCH
URL: /api/guest/username/%{Authentication:Username}
Header Tab
accept = */*
content-type = application/json
Content Tab
Content-Type: JSON
Content:
{
"expire_time": "%{Authorization:[Time Source]:Now Plus 1year}"
}
Attributes Tab
AuthTime = %{Date:Date-Time}
3) Create an enforcement profile that references this dictionary entry to perform the action.
Configuration -> Enforcement -> Profiles -> Add HTTP Based Enforcement
Attributes Tab
Target Server = localhost
Action = Extend Expiration
4) Add enforcement profile to your enforcement policy
Open your enforcement policy and add the enforcement profile created in step 3. This will perform the API action and extend the expire_time attribute on the guest user account.
Original Message:
Sent: Feb 12, 2016 12:37 PM
From: David Johnson
Subject: ClearPass Guest Extend Expire Time
Hello,
My organization wants to extend the expire time for guest accounts by 30 days on each successful login. This would result in a guest account remaining valid indefinitely as long as it was used within 30 days of last login and would expire if not used in 30 days.
I have found some examples of similar requests, but most do not have a full solution, and one suggests writing directly to the database tables, which I am not excited about.
http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-rolling-expiry-timers/td-p/137181
I was hopeful I could accomplish this with an enforcement profile. There is a 'ClearPass Entity Update Enforcement' of:
Type: Expire-Time-Update
Name: GuestUser
Is my goal the intent of this attribute? If so, can someone assist me with the proper value syntax?
I have also attempted this by creating a dictionary attribute in CPPM for the expire_time field from entity GuestUser and manipulating it via an enforcement profile, with no good results.
If anyone knows another/better approach to this solution, please direct me.
Thank you in advance.
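
Added example, not part of either post and not ClearPass or TAC code: a Python sketch that builds, without sending, the same PATCH the context server action in step 2 issues, using the 30-day rolling window from the original question, so the call can be checked before it is wired into enforcement. It also skips the update when the account already expires later than now plus 30 days, since the PATCH would otherwise set an earlier expire_time. The function names, the host clearpass.example.test, the bearer-token header and the sample values are assumptions.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone


def rolling_expiry(now, days):
    """Epoch seconds for now + days, the integer the Time Source filter returns."""
    return int((now + timedelta(days=days)).timestamp())


def pick_expiry(current_expire, now, days):
    """Return the new expire_time, or None when the PATCH would shorten the account."""
    candidate = rolling_expiry(now, days)
    return candidate if candidate > current_expire else None


def build_extend_request(base_url, username, expire_epoch, token):
    """Build (but do not send) the PATCH from step 2 for one guest account."""
    # Percent-encode the whole username: guest names are often e-mail
    # addresses, and a '/' or '?' must not change the request path.
    path = "/api/guest/username/" + urllib.parse.quote(username, safe="")
    body = json.dumps({"expire_time": str(expire_epoch)}).encode("utf-8")
    headers = {
        "Accept": "*/*",
        "Content-Type": "application/json",
        "Authorization": "Bearer " + token,  # assumption: OAuth2 bearer token
    }
    return urllib.request.Request(base_url + path, data=body,
                                  headers=headers, method="PATCH")


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    current = rolling_expiry(now, 10)   # constructed: account expires in 10 days
    new = pick_expiry(current, now, 30)
    if new is not None:
        req = build_extend_request("https://clearpass.example.test",  # constructed host
                                   "guest@example.com", new, "PLACEHOLDER_TOKEN")
        print(req.get_method(), req.full_url, req.data.decode())
```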