Security

Contributor I

Guest accounts is expired, not deleted

Hi. 

We want to be able to create accounts for guests that expire at midnight and get deleted. We don't want users to use the manage account tab at all because that isn't working for our users. Believe me, we have tried...

 

This works:

Sponsors are able to create guest accounts, an email is sent out with account details to both the sponsor and the guest, the guest can connect to an open wireless network, get redirected to a portal and log in. The account itself expires at 23:59 (11:59pm) each night.

 

This doesn't work:

Since the account is only expired and not deleted, the same guest can't get an account created since "the user is already registered". I have set the global Cluster-Wide Parameter for Expired guest accounts cleanup interval to 1 so the account will be deleted, but it's 1 day too late so the account is disabled for 24 hours.

 

[Image: Cluster-Wide Parameters]

When a user creates an account, the custom field "modify_expire_time" is set to "today 23:59" and this value works since the account expires at midnight.

[Image: Custom field "modify_expire_time"]

The field "do_expire" is also set and the value 4 is chosen and this is where I think we have some error. I can see that a created account is getting this value assigned, but the account doesn't get deleted.

[Image: Custom field "do_expire"]

Can someone please give us some information on what can be wrong in our setup?


Accepted Solutions
Contributor I

Re: Guest accounts is expired, not deleted

Hi everyone. 

I just want to say that the issue is solved after contacting Aruba TAC. I needed to edit the "do_expire" BASE field, not the custom field that is actually used in the sponsor portal for some reason. After this edit with an added "4", everything works. 



All Replies
Super Contributor II

Re: Guest accounts is expired, not deleted

Have you tried setting the expire action to delete? See attached screenshot.

 

 

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
Contributor II

Re: Guest accounts is expired, not deleted

Hi Dustin/yurezplace,

 

The Expire action option in Guest manager is the default when you are not setting up/enabling the Do_expire field in the page.

 

The custom (page configuration) always overcomes the default configurations.

 

But if you are setting up the do expire value, you need to make sure of a few things.

 

The do expire values should appear in the Post authentication enforcement in the access tracker RADIUS response/output.

 

You can enable the auto_update_account option in the form of this page to allow the users to create (update) an account even if it exists previously. (If you need and want to)

 

Expired Guest account Cleanup interval definitely works for the last 24 hours, so it means if you are deleting the account today before 12.01 then it will take the remaining hours for the cleanup interval + 1 day (24 hours) to delete the account under Cleanup interval.

 

Make sure you are applying the Post authentication enforcement with the do_expire value existing in the output.

 

 

Vikram Sonawane | ACCP | @Vikram_Sonawane


NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Guest accounts is expired, not deleted

When I configured this as a service, I created this using the Clearpass built-in guide.

The following configuration was added in the service called "User Authentication with MAC Caching":

[Image: Service Template Automatic Configuration]

If I then click on rule "54" in the picture above I can see that an automatic value for Expiry-Check is in place.

[Image: do_expire rule]

This unfortunately doesn't work so I tried to specify the value to this but the account doesn't get deleted...

do_expire_custom.png

Any help is appreciated!

 

Contributor II

Re: Guest accounts is expired, not deleted

Hi,

 

Could you please share the RADIUS response from the Output tab on the RADIUS access tracker request?

 

 

Vikram Sonawane | ACCP | @Vikram_Sonawane


NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Guest accounts is expired, not deleted

Here is the output:

logged_in_guest_output.png

 

If an account is created and a user never logs in to the network, should the Policy Manager still send a deauth request to itself (Guest part) of Clearpass or how should this work?

Contributor II

Re: Guest accounts is expired, not deleted

Hi,

 

Once we do apply the do_expire as 4 to the user account, after we apply that enforcement to the user login, the post authentication module in ClearPass monitors the session check and then applies upon hitting the condition.

 

I think in your case you have set the condition of 0 MB bandwidth usage / Today which will be always False, hence the post authentication module is not taking the action and deleting the guest user account.

 

 

Vikram Sonawane | ACCP | @Vikram_Sonawane


NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Guest accounts is expired, not deleted

I have now changed the policy so no bandwidth limit is enforced in the post_authentication.

output.png

 

This is a login request using a new account I created. 

I will see tomorrow if this takes effect.

Contributor II

Re: Guest accounts is expired, not deleted

Hi 

 

I don't think these changes will give you the results.

 

Please make sure the page with which you are creating the guest account does have the do_expire field enabled in the form with the initial value configured as 4.

do_expire.JPG

 

And when you create an account through the same page it should be visible under managed accounts.

 

manage_accounts.JPG

 

 

Vikram Sonawane | ACCP | @Vikram_Sonawane


NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: Guest accounts is expired, not deleted

The account is getting a 4 as an output, but the output I showed before is from Clearpass Policy Manager Access tracker, not the guest tracker. 

This is a print screen from the guest tracker and I have had a 4 for a long time and the setting doesn't apply. 

guest_summary.png

 When I check the custom page for when I create an account, the field is hidden to the user and still applied. 

custom_4.png

 
