Regular Contributor I

Clearpass Guest - Authorization Attributes

When using the Guest User Repository as an Authorization Source, I am able to see 'AccountEnabled' and the 'AccountExpired' attributes returned during MAC Auth. Is it possible to return other attributes? 

 

I am looking for a way for a customer to be able to extend a Guest Expiration time through the Guest / Manage Accounts interface. Although it can be modified, it doesn't help. As we know, the MAC Auth service looks at the Endpoint repository for the MAC-Auth Expiry attribute and not the Guest User Repository (with the newly modified expiry). I was hoping I could just look at the Expire attribute directly in the Guest User Repository instead; however, I can't seem to reference this field in the MAC Auth policy.

 

Any ideas?


AMFX #69
Aruba Partner Ambassador
Guru Elite

Re: Clearpass Guest - Authorization Attributes

Both expire_time and remaining_expiration are available by default.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Regular Contributor I

Re: Clearpass Guest - Authorization Attributes

I am not seeing it. Check the attached details. Maybe I am overlooking it?


AMFX #69
Aruba Partner Ambassador
Guru Elite

Re: Clearpass Guest - Authorization Attributes

You'll need to edit the [Guest User Repository] auth source.

 

Under attributes, click Authorization.

 

Replace the entire query with:

 

SELECT
       CASE WHEN expire_time is null or expire_time > now() THEN 'false'
       ELSE 'true'
       END AS is_expired,
       CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled,
       CASE WHEN expire_time > now() THEN CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER)
            ELSE 0
       END AS user_remaining_expiration
FROM tips_guest_users
WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard'))

In the editor, add a new attribute: user_remaining_expiration // User Remaining Expiration // Integer

Use that new attribute in your policy. Remember, the attribute won't be pulled (and thus won't be visible in AT) unless you evaluate it either in role mapping or enforcement.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
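
To see what the three returned columns look like for different account states before using them in role mapping or enforcement, the CASE expressions from the query above can be run against a scratch table in a PostgreSQL session. This is an added example, not part of the original posts; the table definition, column types, app_name values and sample rows are constructed, and the per-user filter is dropped so all rows are shown together.

```sql
-- Added example: constructed scratch table holding only the columns the
-- query in the post references; column types are assumptions, not the
-- real ClearPass schema.
CREATE TEMP TABLE tips_guest_users (
    user_id     text,
    guest_type  text,
    app_name    text,
    enabled     boolean,
    expire_time timestamptz
);

-- Constructed sample accounts (usernames and app_name values are made up).
INSERT INTO tips_guest_users VALUES
    ('aabbccddee01', 'USER', 'Guest',   true,  now() + interval '2 hours'),  -- active
    ('aabbccddee02', 'USER', 'Guest',   true,  now() - interval '1 day'),    -- expired
    ('aabbccddee03', 'USER', 'Guest',   true,  NULL),                        -- no expiry set
    ('aabbccddee04', 'USER', 'Guest',   false, now() + interval '2 hours'),  -- disabled
    ('aabbccddee05', 'USER', 'Onboard', true,  now() + interval '2 hours');  -- excluded by WHERE

-- Same CASE expressions as the query in the post; user_id is selected and
-- the '%{Endpoint:Username}' filter removed so the rows can be compared.
SELECT
       user_id,
       CASE WHEN expire_time IS NULL OR expire_time > now() THEN 'false'
            ELSE 'true'
       END AS is_expired,
       CASE WHEN enabled = true THEN 'true' ELSE 'false' END AS is_enabled,
       -- NULL > now() is not true, so a NULL expire_time falls to ELSE 0
       CASE WHEN expire_time > now()
            THEN CAST(EXTRACT(epoch FROM (expire_time - now())) AS INTEGER)
            ELSE 0
       END AS user_remaining_expiration
FROM tips_guest_users
WHERE guest_type = 'USER' AND app_name != 'Onboard'
ORDER BY user_id;
```

An account with no expire_time reports is_expired as 'false' but user_remaining_expiration as 0, so a policy condition that tests only the remaining seconds would treat a never-expiring account as expired; evaluate is_expired alongside it if such accounts exist.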
Regular Contributor I

Re: Clearpass Guest - Authorization Attributes

That works perfectly. Thanks Tim! 


AMFX #69
Aruba Partner Ambassador