Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest accounts is expired, not deleted

  • 1.  Guest accounts is expired, not deleted

    Posted Apr 20, 2020 09:19 AM

    Hi. 

    We want to be able to create accounts for guests that expire at midnight and get deleted. We don't want users to use the manage account tab at all because that isn't working for our users. Believe me, we have tried...

     

    This works:

    Sponsors are able to create guest accounts, an email is sent out with account details to both the sponsor and the guest, the guest can connect to an open wireless network, get redirected to a portal and log in. The account itself expires at 23:59 (11:59pm) each night.

     

    This doesn't work:

    Since the account is only expired and not deleted, the same guest can't get an account created since "the user is already registered". I have set the global Cluster-Wide Parameter for Expired guest accounts cleanup interval to 1 so the account will be deleted, but it's 1 day too late so the account is disabled for 24 hours.

     

    [Screenshot: Cluster-Wide Parameters]

    When a user creates an account, the custom field "modify_expire_time" is set to "today 23:59" and this value works since the account expires at midnight.

    [Screenshot: Custom field "modify_expire_time"]

    The field "do_expire" is also set and the value 4 is chosen and this is where I think we have some error. I can see that a created account is getting this value assigned, but the account doesn't get deleted.

    [Screenshot: Custom field "do_expire"]

    Can someone please give us some information on what can be wrong in our setup?



  • 2.  RE: Guest accounts is expired, not deleted

    MVP GURU
    Posted Apr 20, 2020 09:32 AM

    Have you tried setting the expire action to delete? See attached screenshot.

     

     



  • 3.  RE: Guest accounts is expired, not deleted

    EMPLOYEE
    Posted Apr 20, 2020 09:59 AM

    Hi Dustin/yurezplace,

     

    The Expire action option in Guest manager is the default when you are not setting up/enabling the do_expire field in the page.

     

    The Custom (page configuration) always overcomes with default configurations.

     

    But if you are setting up the do_expire value you need to make sure of a few things.

     

    The do_expire values should appear in Post authentication enforcement in the Access Tracker RADIUS response/output.

     

    You can enable the auto_update_account option in the form of this page to allow the users to create (update) even if it exists previously. (If you need and want to)

     

    Expired Guest account Cleanup interval definitely works for last 24 hours, so it means if you are deleting the account today before 12.01 then it will take remaining hours for cleanup interval +1 day(24 hour) to delete the account under Cleanup interval.

     

    Make sure you are applying the Post authentication enforcement with the do_expire value existing in the output.

     

     



  • 4.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 02:46 AM

    When I configured this as a service, I created this using the ClearPass built-in guide.

    The following configuration was added in the service called "User Authentication with MAC Caching":

    [Screenshot: Service Template Automatic Configuration]

    If I then click on rule "54" in the picture above I can see that an automatic value for Expiry-Check is in place.

    [Screenshot: do_expire rule]

    This unfortunately doesn't work so I tried to specify the value to this but the account doesn't get deleted...

    do_expire_custom.png

    Any help is appreciated!

     



  • 5.  RE: Guest accounts is expired, not deleted

    EMPLOYEE
    Posted Apr 22, 2020 07:08 AM

    Hi,

     

    Could you please share the RADIUS response from Output tab on radius access tracker request?

     

     



  • 6.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 07:18 AM

    Here is the output:

    logged_in_guest_output.png

     

    If an account is created and a user never logs in to the network, should the Policy Manager still send a deauth request to itself (Guest part) of ClearPass or how should this work?



  • 7.  RE: Guest accounts is expired, not deleted

    EMPLOYEE
    Posted Apr 22, 2020 07:26 AM

    Hi,

     

    Once we do apply the do_expire as 4 to the user account, after we apply that enforcement to the user login, the post authentication module in ClearPass monitors the session check and then applies upon hitting the condition.

     

    I think in your case you have set the condition of 0 MB bandwidth usage/Today, which will be always False, hence the post authentication module is not taking the action and deleting the guest user account.

     

     



  • 8.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 07:49 AM

    I have now changed the policy so no bandwidth limit is enforced in the post_authentication.

    output.png

     

    This is a login request using a new account I created. 

    I will see tomorrow if this takes effect.



  • 9.  RE: Guest accounts is expired, not deleted

    EMPLOYEE
    Posted Apr 22, 2020 08:09 AM

    Hi 

     

    I don't think these changes will give you the results.

     

    Please make sure the page with which you are creating the guest account does have the do_expire field enabled in the form with initial value configured as 4.

    do_expire.JPG

     

    And when you create an account through the same page it should be visible under managed accounts.

     

    manage_accounts.JPG

     

     



  • 10.  RE: Guest accounts is expired, not deleted

    Posted Apr 22, 2020 08:29 AM

    The account is getting a 4 as an output, but the output I showed before is from ClearPass Policy Manager Access Tracker, not the guest tracker.

    This is a print screen from the guest tracker and I have had a 4 for a long time and the setting doesn't apply. 

    guest_summary.png

     When I check the custom page for when I create an account, the field is hidden to the user and still applied. 

    custom_4.png

     



  • 11.  RE: Guest accounts is expired, not deleted

    EMPLOYEE
    Posted Apr 22, 2020 10:31 AM

    Hi,

     

    Please work with TAC to get a faster resolution.

     

    With your current configuration it should work until and unless there are no issues with Post-authentication module which needs to get checked from backend.

     



  • 12.  RE: Guest accounts is expired, not deleted
    Best Answer

    Posted Jun 08, 2020 03:36 AM

    Hi everyone. 

    I just want to say that the issue is solved after contacting Aruba TAC. I needed to edit the "do_expire" BASE field, not the custom field that is actually used in the sponsor portal for some reason. After this edit with an added "4", everything works.