Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass monthly access

  • 1.  Clearpass monthly access

    Posted Jan 03, 2018 08:48 AM

    Is there a way to allow guests access only for the current month?

    i.e. if they sign up on the first day of the month they get access for the whole month, but if they sign up on the last day of the month they only get 1 day's access.

    If this is possible, could you give me some help as to what the details for this are?

    Thanks.



  • 2.  RE: Clearpass monthly access

    EMPLOYEE
    Posted Jan 07, 2018 08:55 PM

    Hi MDRF,

     

    This seems like an odd use case.  Are you able to elaborate on this further, and I may be able to assist you?



  • 3.  RE: Clearpass monthly access

    Posted Jan 08, 2018 02:45 AM

    Pretty simple requirement as far as the customer is concerned: they want people to create a new account each calendar month, so accounts can only be active during the current month.



  • 4.  RE: Clearpass monthly access

    EMPLOYEE
    Posted Jan 08, 2018 07:18 AM

    This is somewhat complicated but I have managed to configure this.

    In your self reg page, edit the expire_after field and make it hidden and uncheck 'field required'.

    Snip20180108_26.png

    Add [Time Source] as an authorization source into your service.  We need to create a custom query for this as such.

    Snip20180108_28.png

    SELECT
    DATE_PART('day', (date_trunc('month', localtimestamp(0)+ interval '1 month') - (localtimestamp(0)::timestamp)::timestamp)) * 24 * 60 +
    DATE_PART('hour', (date_trunc('month', localtimestamp(0)+ interval '1 month') - (localtimestamp(0)::timestamp)::timestamp)) * 60 +
    DATE_PART('min', (date_trunc('month', localtimestamp(0)+ interval '1 month') - (localtimestamp(0)::timestamp)::timestamp)) AS mins_month

     

    Then in the enforcement profile for Expire Post Login, change the value in there to be the value of that query.

    Snip20180108_29.png

    When the user first logs in, that value will get updated for that account.

    There may be a +- 1min either side of midnight due to rounding, but that shouldn't be an issue.
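
Added example, not part of the original post or of ClearPass: a Python cross-check of the arithmetic the query above performs, for validating the value the filter returns at month boundaries. The function names and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta


def next_month_start(now: datetime) -> datetime:
    """Equivalent of date_trunc('month', now + interval '1 month')."""
    if now.month == 12:
        return datetime(now.year + 1, 1, 1)
    return datetime(now.year, now.month + 1, 1)


def mins_month(now: datetime) -> int:
    """Mirror the query: days*24*60 + hours*60 + minutes, seconds discarded."""
    # localtimestamp(0) has whole-second precision; dropping the
    # microseconds here is a simplifying assumption of this sketch.
    now = now.replace(microsecond=0)
    remaining = next_month_start(now) - now      # interval until the 1st
    hours, rem = divmod(remaining.seconds, 3600)
    minutes = rem // 60                          # leftover seconds are dropped
    return remaining.days * 24 * 60 + hours * 60 + minutes


def expiry_gap_seconds(now: datetime) -> int:
    """Seconds between the computed expiry and the real end of the month."""
    now = now.replace(microsecond=0)
    expiry = now + timedelta(minutes=mins_month(now))
    return int((next_month_start(now) - expiry).total_seconds())


if __name__ == "__main__":
    # Constructed sample login times covering the boundary cases.
    samples = [
        datetime(2018, 1, 1, 0, 0, 0),     # first second of a 31-day month
        datetime(2018, 1, 8, 7, 18, 0),    # mid-month
        datetime(2018, 1, 31, 23, 59, 30), # last minute of the month
        datetime(2018, 12, 31, 12, 0, 0),  # year rollover
        datetime(2020, 2, 28, 0, 0, 0),    # leap-year February
    ]
    for ts in samples:
        print(ts, mins_month(ts), expiry_gap_seconds(ts))
```

Because seconds are discarded, the computed expiry falls up to 59 seconds before the month boundary, and the value is 0 during the final minute of the month.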



  • 5.  RE: Clearpass monthly access

    Posted Jan 08, 2018 08:38 AM

    Hi Michael,

        Do I need to create the custom query as a "filter" under the "attribute" tab of the [Time Source]?

    I've tried it this way but the item did not appear in the drop-down in the enforcement profile.



  • 6.  RE: Clearpass monthly access

    EMPLOYEE
    Posted Jan 08, 2018 09:52 AM

    That's it.  On the Attribute section just click on 'add new filter'.

     

    It won't be in a drop down on the enforcement profile.  You'll need to type the value in.

    Expire-Time-Update:GuestUser = %{Authorization:[Time Source]:Minutes Month}

     

    Please bear in mind my own testing was limited and fairly rudimentary, but it did seem to work.  There may also be other better ways of achieving this.



  • 7.  RE: Clearpass monthly access

    Posted Jan 11, 2018 03:47 AM

    Hi Michael, yes, a colleague also spotted my mistake. I've set this correctly now but the account was created with 24 hours. When I went back and looked at the expire_after settings it has defaulted back to the "field required" being ticked and won't allow this to remain unticked.