Clearpass Guest DB w/ 802.1x and leveraging the password_action* etc..

Hey everyone,


Currently have a customer where we are leveraging the Clearpass Guest DB for 802.1x.

The "employees" are not part of the global infrastructure but are considered partners. Think of Aruba opening up an office where they provide the building, the means of connectivity, enfore their security policies and the "companies" who move in are VARs looking for guidance by Aruba to perform their daily business duties.


Probably lost all of you.


Long story short

Use case:

Users are associating to an 802.1x SSID (EAP-PEAP) and their username and password live on the Clearpass Guest DB (there is no active directory for this project).

The security office is mandating that these users change their passwords every 90 days and these devices are not part of any domain.


Currently, we had proposed to put in an active directory and leverage ADSelfServ Plus but there were some challenges with that option. For example, what happens on the 91st day if the user did not change their password and it has expired, they need to be authenticated to the network in order to get to the self serv portal.


I know Clearpass Guest has this notion of password_action, password_action_recur, password_last_change,

The ask is simple from the client.

Create a user account for them, they log in, i want them to change their password every 90 days. I want an easy mechanism for them to be able to reset their password on the 91st day.





Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
Search Airheads
Showing results for 
Search instead for 
Did you mean: