Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
ClearPass Guest w/ MAC Caching expiration

  • 1.  ClearPass Guest w/ MAC Caching expiration

    Posted Mar 16, 2018 12:38 PM

    I'm testing the base default templated services for Guest Authentication w/ MAC caching. It seems to work correctly up until the point where I'd like to test expiration.

    I have directly edited the MAC-Auth Expiry attribute under Edit Endpoint for the computer in question. The time I set for expiration is 2018-03-16 12:20:00 (today, 20 minutes ago).

    In the Access Tracker event, which comes up as MAC based auth, under Input > Authorization Attributes I see:

    Authorization:[Time Source]:Now DT 2018-03-16 16:00:00

    Under Computer Attributes I have:

    Date:Date-Time 2018-03-16 12:31:40
    Endpoint:MAC-Auth Expiry 2018-03-16 12:20:00

    NTP is configured, and show date on the CLI shows the correct date and time. [Time Source] and [Endpoints Repository] are included along with [Guest User Repository] in the Authorization Sources.

    Any ideas?



  • 2.  RE: ClearPass Guest w/ MAC Caching expiration
    Best Answer

    Posted Mar 16, 2018 01:01 PM

    I found the solution here:

    https://community.arubanetworks.com/t5/Security/Expired-Guest-Account-can-still-connect-CPPM-6-6-Cisco-WLC/td-p/274733

    By default, the MAC Auth enforcement policy will send a RADIUS response with a user role to an Aruba controller, which will cause the controller to redirect to the captive portal. The Cisco controller won't do anything with this, so the fact that the policy also allows access means that expired clients can get on.

    Editing the enforcement profile on the MAC Auth service to explicitly deny when missing the [MAC Caching] role fixes the problem.

    In my opinion the template should absolutely prompt for the Wi-Fi vendor rather than just assuming Aruba, in the same way that the general Guest Authentication templates do. I'm still on 6.6 though, so maybe this is fixed in later versions.
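The fail-open described in the answer above, modelled as an added example that is not part of the thread or of ClearPass itself: the default enforcement returns Access-Accept plus a vendor-specific role attribute, which only an Aruba controller turns into a captive-portal redirect, while the hardened profile rejects outright when [MAC Caching] is missing. The endpoint record, the "now" timestamp, the captive-portal role name and the controller behaviour are constructed for the example; only the [MAC Caching] role name and the expiry value come from the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime

MAC_CACHING_ROLE = "[MAC Caching]"  # role name from the thread


@dataclass
class RadiusResponse:
    code: str                      # "Access-Accept" or "Access-Reject"
    attrs: dict = field(default_factory=dict)


def assign_roles(endpoint: dict, now: datetime) -> set:
    """Role mapping: grant [MAC Caching] only while MAC-Auth Expiry is still in the future."""
    expiry = datetime.strptime(endpoint["MAC-Auth Expiry"], "%Y-%m-%d %H:%M:%S")
    return {MAC_CACHING_ROLE} if now < expiry else set()


def enforce(roles: set, deny_when_not_cached: bool) -> RadiusResponse:
    """Enforcement policy. False models the default template (accept + controller role that
    only an Aruba controller turns into a redirect); True models the fix: explicit deny."""
    if MAC_CACHING_ROLE in roles:
        return RadiusResponse("Access-Accept")
    if deny_when_not_cached:
        return RadiusResponse("Access-Reject")
    # Aruba-User-Role is the Aruba VSA; the role value here is a constructed placeholder.
    return RadiusResponse("Access-Accept", {"Aruba-User-Role": "captive-portal-role"})


def nas_outcome(resp: RadiusResponse, vendor: str) -> str:
    """Constructed controller behaviour: a non-Aruba WLC ignores the Aruba VSA, so an Accept
    carrying only that attribute degrades to full access (fail-open)."""
    if resp.code == "Access-Reject":
        return "denied"
    if vendor == "aruba" and "Aruba-User-Role" in resp.attrs:
        return "captive-portal"
    return "full-access"


def evaluate(endpoint: dict, now: datetime, vendor: str, deny_when_not_cached: bool) -> str:
    return nas_outcome(enforce(assign_roles(endpoint, now), deny_when_not_cached), vendor)


# Constructed endpoint record mirroring the expired entry in the thread.
ENDPOINT = {"MAC-Auth Expiry": "2018-03-16 12:20:00"}
NOW = datetime(2018, 3, 16, 12, 31, 40)

if __name__ == "__main__":
    for vendor in ("aruba", "cisco"):
        for hardened in (False, True):
            print(vendor, "hardened" if hardened else "default", "->",
                  evaluate(ENDPOINT, NOW, vendor, hardened))
```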