Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest MAC Cache in Clearpass - renewable?

  • 1.  Guest MAC Cache in Clearpass - renewable?

    Posted Dec 11, 2012 07:20 AM

    Hello all.

    Does anybody know if it is possible in Clearpass to automatically update the MAC Cache expiry time each time a "cached" device re-connects? I can't see an option for it.

    For instance...

    On a particular (working) service, we have a 1 year subscription for users. This links to a 96 hour mac cache currently. The challenge is that if a user used a "cached" device in hour 95, they still need to login properly again in hour 97. At least, that's how this is operating right now. Assume this is functioning as designed by default?

    Ideally, the original expiry of the 96 hours would reset to +96 hours from "now" each time the device re-connected. This is on the basis that...

    1. We don't want 1 yearly "cached" devices, as that's dirty.

    2. If the expiry of the device did refresh in that manner, we are saying "as long as you use it regularly, no need to login again" = good.

    Granted, we could set that mac cache to 1 year in this case. Just wondering if this more slick function is even available?

  • 2.  RE: Guest MAC Cache in Clearpass - renewable?

    Posted Dec 11, 2012 02:35 PM

    Are you just using the MAC Cache option in the role? If you haven't already, have a look at the Tech Note titled Auto Create MAC Auth Account (http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=8280). In this scenario, it doesn't use the MAC Cache option within the role, but rather has a condition assigned by which it creates the MAC account on every successful authentication. In the expression, there is a line for auto_update_account. You could alter the expressions to suit your needs for both a "user" logon and a "MAC" logon. It may require some customizations to work for you, but this may give you the flexibility you are looking for rather than the static "MAC Cache" check box.



  • 3.  RE: Guest MAC Cache in Clearpass - renewable?

    Posted Dec 12, 2012 04:44 AM

    Thanks for the tip! Unfortunately, it didn't work. I'm guessing my syntax might be to blame? This Clearpass is version 3.9.7.

    Basically, I was using the basic MAC Cache option in the role yes.

    I tried turning off the mac cache feature (in the role), and leveraging the following expression as a standard RADIUS attribute Tmp-String-0.

    The goal of the expression is to link to a role ID of 7, limit the maximum client devices to 1, and increase the cached device lifecycle by 1 hour.

    If anybody can see what's wrong with it, I'd be glad to know? Thanks...

    return
    (
        // Assignment, not comparison: allow at most one MAC account per sponsoring user.
        ($MAX_MAC_ACCOUNTS = 1)
        // Count the live (not deleted) MAC accounts already sponsored by this user...
        && (NwaRadiusLocalServer()->GetUserCount(array(
                'sponsor_name' => strtolower(GetAttr('User-Name')),
                'delete_time'  => 0,
                'mac_auth'     => 1)
            ) >= $MAX_MAC_ACCOUNTS)
        // ...and reject the login outright if that limit is already reached.
        ? (AccessReject() && 0) : 1
    )
    // Only continue for a username login, never for a MAC login.
    && empty($user['mac_auth'])
    && NwaDynamicLoad('NwaCreateUser')
    && NwaDynamicLoad('NwaNormalizeMacAddress')
    && ($mac = NwaNormalizeMacAddress(GetAttr('Calling-Station-Id')))
    && (
        // Existing user record: create the MAC account paired with that record.
        (!empty($user['id'])
         && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'role_id'              => 7,
                'visitor_name'         => $user['username'],
                'mac_auth_pair'        => $user['id'],
                'modify_expire_time'   => '1h',
                'auto_update_account'  => 1)))
        // No user record: create the MAC account under the sponsor's name instead.
        || (empty($user['id'])
         && NwaCreateUser(array(
                'creator_accept_terms' => 1,
                'mac'                  => $mac,
                'mac_auth'             => 1,
                'role_id'              => 7,
                'visitor_name'         => $user['username'],
                'sponsor_name'         => strtolower(GetAttr('User-Name')),
                'modify_expire_time'   => '1h',
                'do_expire'            => 4,
                'auto_update_account'  => 1)))
    )
    // The whole expression evaluates to 0 so the attribute itself carries no value.
    && 0;
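The renewable cache asked about in the first post (expiry pushed out on every reconnect, but not left open for a year) and the 'modify_expire_time' / 'auto_update_account' intent of the expression above, modelled as an added Python example that is not ClearPass code and not from anyone in this thread. It goes one step beyond the question by capping every renewal at the sponsoring user's own expiry; the 96-hour TTL, 1-year ceiling, MAC addresses and timestamps are constructed.

```python
from datetime import datetime, timedelta

HOUR = timedelta(hours=1)
T0 = datetime(2012, 12, 11, 7, 20)   # constructed: moment of the user's real login
CEILING = T0 + 365 * 24 * HOUR       # constructed: end of the 1-year subscription

class MacCache:
    """Constructed model of a guest MAC cache (not ClearPass code).
    sliding=False: expiry fixed at login + ttl, as observed in the thread.
    sliding=True: each successful MAC auth renews expiry to now + ttl, but
    never past `ceiling` (the sponsor's own expiry), so merely reconnecting
    cannot keep a device cached forever."""
    def __init__(self, ttl, ceiling, sliding=True):
        self.ttl = ttl            # cache lifetime granted per login / re-auth
        self.ceiling = ceiling    # absolute cap on any cache entry
        self.sliding = sliding
        self.entries = {}         # normalized MAC -> expiry datetime

    @staticmethod
    def normalize(mac):
        """00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 -> 12 hex digits."""
        digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
        if len(digits) != 12:
            raise ValueError("not a MAC address: %r" % (mac,))
        return digits

    def user_login(self, mac, now):
        """Full credential login: (re)create the cache entry for this device."""
        self.entries[self.normalize(mac)] = min(now + self.ttl, self.ceiling)

    def mac_auth(self, mac, now):
        """True if cached and unexpired; renews the entry when sliding."""
        key = self.normalize(mac)
        expiry = self.entries.get(key)
        if expiry is None or now >= expiry:
            self.entries.pop(key, None)   # expired: a real login is required again
            return False
        if self.sliding:
            self.entries[key] = min(now + self.ttl, self.ceiling)
        return True

    def expiry_of(self, mac):
        return self.entries.get(self.normalize(mac))

def hour_95_then_97(sliding):
    """The thread's case: 96h cache, device seen at hour 95 and again at hour 97."""
    cache = MacCache(96 * HOUR, CEILING, sliding)
    cache.user_login("00:11:22:33:44:55", T0)
    return (cache.mac_auth("00-11-22-33-44-55", T0 + 95 * HOUR),
            cache.mac_auth("0011.2233.4455", T0 + 97 * HOUR))
```

With the fixed policy the hour-97 reconnect fails (the behaviour described in the first post); with the sliding policy it succeeds, and the ceiling stops the entry outliving the subscription.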



  • 4.  RE: Guest MAC Cache in Clearpass - renewable?

    Posted Dec 12, 2012 11:43 PM

    In your new modified setup using the expression, what behavior are you seeing? If you logon with a new user, is a MAC account created for the user logon? If so, what expiration time is assigned? If you logon with a user that already has a MAC cached, what are you seeing?

    Also, keep in mind, you'll likely have to setup two of these expression/role relationships:

    1) for initial user logons; first time or when expired

    2) for MAC logons; for those that are already cached


  • 5.  RE: Guest MAC Cache in Clearpass - renewable?

    Posted Dec 19, 2012 06:50 PM

    A fair question!

    With those rules/expressions in place, existing mac-cache entries didn't get their lifespans incremented following a successful mac-auth, and ones that didn't exist didn't get created at all.

     

    If I turn the mac-cache feature back on, the accounts are created, but not incremented (as you'd expect).



  • 6.  RE: Guest MAC Cache in Clearpass - renewable?

    Posted Jan 05, 2013 06:05 AM

    If nobody has any thoughts on this, I might open a TAC case I guess?