Security

Is it possible to update a clearpass guest device registration, expire date, from policy manager.

 

Right Now I have the expiration set to 1 year after registration when they register.  What I would like to do is update the date every time they connect so it is 6 months after last connection.  This way as long as they are using the device it never expires.  But if they leave, it gets removed after 6 months.

 

I have not found a way to update the update that field in a post authentication profile.  I assume I am not the only one who wants to do this?

I don't think this is possible directly with a post_auth update, however you could probably leverage the guest API to do the update. 

I haven't played with the guest api, is there doc that you can point me at that explains how to use it?

How would you trigger it? can you trigger a "script" or api call in post authentication?

Maybe another way at this is to update the endpoint upon each connect and every 6 months run a script to pull the
endpoint last connect dates and update the guest devices expiration via the guest api? I guess that depends on if the
cpmm has an api to access the endpoints.

I don't have a doc but I will test it for you later today. 

You essentially create an external context server with actions tied to it. The action in this case would be to update the expiration time. 

There is actually a post_auth update that will accomplish this without using the API. Configure an enforcement profile like below and add it to the appropriate rules in MAC-auth enforcement policy.

 

 

 

Note that the value is in minutes.

 

Yes, but isn't that the guest user (Ie Account)? I want the guest device.

A device is a guest user account of type DEVICE.

Tim,

 

  that seems to work perfectly.   Thanks for all the help.