Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Device Self Registration

  • 1.  Device Self Registration

    Posted Apr 14, 2016 01:21 PM

    Configuring ClearPass for a new Self Registration SSID for non-802.1x devices – printers and game boxes and such. We prefer to not set an expiration. We do not want a presentation device to not be able to connect for a class because it was registered 120/180/365 days prior. I know endpoint database entries are cleaned up from the database at set configurable intervals when they are not seen after a certain amount of time. Is this the case for the registrations as well? There is a cleanup interval for Expired Guest accounts but I am not sure what happens if there is no expiration. We do not want to end up with a huge table of registered devices that have not been used in a long time.

    Also I see there is a field “expired_notification_status” so if we wanted to set an expiration we could have ClearPass send a notification to the user saying your device registration is going to expire in 1 week or something to that matter. When the end user gets this notification what are their options? Can they extend the expiration at that time or do they need to wait until it expires?

    Thanks

    Chris Hart

    Northwestern University


  • 2.  RE: Device Self Registration
    Best Answer

    EMPLOYEE
    Posted Apr 23, 2016 06:06 AM

    Are you currently using MACTrac?

    Some devices can be set up by the administrator with no expiry. Those would be specific administration devices that would be more permanent. You might want to have a class of user that is capable of setting up permanent devices besides the systems operators of ClearPass (you don't want just any user to be able to do this).

    You can also set the endpoint database cleanup to zero, so things are never cleaned up. When you are ready to do an actual cleanup, you can set the number to whatever you want, and devices older than the number will be removed the next morning. That is probably the cleanest way to do it.

    Others might advise you differently, so I would solicit the advice of a ClearPass expert that is aware of the details of your setup, your system and your IT processes.