Contributor I

Clearpass Time Restrictions



is it possible to allow guest acces for say, 5 mins before disconnecting the guest and forcing them to login again but for a longer period of time?


I'm guessing this is not possible but I've been asked the question and I couldn't say for definite.


So, guest connects to Guest SSID, access internet, gets disconnected. They then login with the credentials provided by CPPM and then can stay connected for an hour or longer for example.




Re: Clearpass Time Restrictions

Can you gave a use case example here.
Thank You,

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor I

Re: Clearpass Time Restrictions



a Guest connects to the SSID, registers onto Clearpass and can then access the web.


After 5 mins, the guest is disconnected.


If the guest wants to continue on the internet they would then have to log in using the credentials Clearpass sent via email. 


Once they have logged in they are then able to browse the internet for a longer period of time.


The idea is to give guest 5 mins free before they are forced to log in if that makes sense?



Regular Contributor II

Re: Clearpass Time Restrictions

This sounds possible if you can do some customisation of forms and add some logic to the below theory:


User connects to a captive portal page on the Clearpass which automatically logs on with a username and password. This would be an auto-generated account which is specific to this user. (you would probably need some logic here to auto-generate an account with a timestamp or somthing to make it individual). Also the MAC address of the client is recorded and added to the device database. The 'free 5 mins' account is set to be deleted and disconnect the user after 5 minutes. The MAC account has a 1 hour lifetime. The DHCP lease of the network would also need to be short.


Once the 5 mins expire and the free account is deleted, the user is disconnected and would need to reconnect. MAC auth should then pick up the user which could assign a different captive portal profile which points the user to the login/register page to create an account which is valid for longer.


This sounds ok in my head. You would have to work out whether all this is technically possible.



Search Airheads
Showing results for 
Search instead for 
Did you mean: