Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

  • 1.  H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    Posted Oct 02, 2013 07:31 AM

    1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1)  [Deny Access Profile]

    ClearPass keeps denying even after the user session has expired and been deleted. Please advise. I want the user to be able to connect with only 1 device for 1 hour, and once his session is over he can re-create a new user with the same e-mail and log in with another (2nd) device.



  • 2.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    EMPLOYEE
    Posted Oct 02, 2013 08:12 AM

    Perhaps instead of just expiring the account...you can expire AND DELETE the account.  That way, the user can just re-create it with the same email.



  • 3.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    Posted Oct 02, 2013 08:15 AM

    Thanks... BUT it's already configured like this:

    (attachment: Capture.PNG)

    and it ain't working... when the 1 hour is over I can't log in with the same e-mail (user) with a 2nd device...



  • 4.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    EMPLOYEE
    Posted Oct 02, 2013 08:17 AM

    Did you check the guest account after the hour?  Is it still there?



  • 5.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    Posted Oct 02, 2013 08:19 AM

    Yep... as expired...

    but the problem is that the endpoint record is still there even after the user account has expired...



  • 6.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    EMPLOYEE
    Posted Oct 02, 2013 08:20 AM

    Yep...and that's the issue.  The account must also be deleted.  I'm wondering if it's a config issue or a bug.  Perhaps a TAC case?



  • 7.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    Posted Oct 02, 2013 08:21 AM

    It's really freaking me out...

    I want the guest to be able to log in for 1 hour with 1 device.

    But when the 1 hour is over, his account is expired, but his endpoint is still written, so if he tries to create a new account with the same user/e-mail with another device, it gets rejected, even though he has already finished his first 1 hour with his first device...



  • 8.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    EMPLOYEE
    Posted Oct 02, 2013 08:26 AM

    For the Guest service you're using, can you check the post-auth actions?

    I see one here that may work for you...

    (attachment: Screen Shot 2013-10-02 at 8.25.47 AM.png)



  • 9.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    Posted Oct 02, 2013 08:57 AM

    Nope... that's not what I'm looking for.

    The problem is with the endpoint record, and not with the expired guest.

    (I want the user to be able to log in with a 2nd device after the first 1 hour has passed and he has finished using his first device.)



  • 10.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    Posted Feb 19, 2014 09:48 AM

    Have you tried this setting?

    I'm facing the same problem with stale endpoints for old devices accumulating and causing users to exceed the unique-device-count.

    CPPM Endpoint Expiration



  • 11.  RE: H3LP | Unique-Device-Count GREATER_THAN 1) [Deny Access Profile] ....even after session over :(

    Posted Feb 26, 2014 08:30 AM

    I'll give it a try...

    1. (Authorization:[Endpoints Repository]:Unique-Device-Count GREATER_THAN 1)  [Deny Access Profile]

    You can't use this in your scenario, since that just counts the number of devices that are in the endpoint database associated with the same username.

    Or keep it there, but use a custom "Redirect profile" to Captive Portal instead of the [Deny Access Profile].

    But OK - try first to remove that - and rely on a post-authentication enforcement profile normally called "Guest Session Limit" if you create a MAC-auth service using the Wizard.

    That should disconnect the client if he has more than X active sessions. X is the number you've either set in Guest Manager or manually edited for your self-registration.

    (attachment: 26.02.03.png)

    Let me know how that works out :)
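The whole thread turns on one distinction: Authorization:[Endpoints Repository]:Unique-Device-Count counts every endpoint record ever bound to the username, while a "Guest Session Limit" post-auth check counts live sessions, and endpoint expiration removes the stale records. The following model, added here and not ClearPass code (the Endpoint and EndpointsRepository classes, the connect and guest_scenario helpers, and all MACs, usernames and times are constructed), plays the guest's two-device scenario through each of the three rules.

```python
"""Model of the ClearPass behaviour discussed in this thread (added example, not ClearPass
code): why Unique-Device-Count GREATER_THAN 1 still denies a guest's second device after
the first device's hour is over, and how live-session counting or endpoint expiration
changes that. All class names, MACs, usernames and times here are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Endpoint:
    mac: str
    username: str            # guest username/e-mail the device authenticated with
    last_seen: datetime
    session_active: bool

@dataclass
class EndpointsRepository:
    records: list = field(default_factory=list)

    def unique_device_count(self, username):
        # Authorization:[Endpoints Repository]:Unique-Device-Count: every endpoint
        # record bound to the username counts, online or not, account expired or not.
        return len({e.mac for e in self.records if e.username == username})

    def active_session_count(self, username):
        # What a "Guest Session Limit" post-auth check looks at: live sessions only.
        return sum(1 for e in self.records if e.username == username and e.session_active)

    def expire_stale(self, now, max_age):
        # Endpoint expiration: purge records not seen for longer than max_age.
        self.records = [e for e in self.records if now - e.last_seen <= max_age]

def connect(repo, mac, username, now, rule):
    # rule is 'unique_device_count' or 'active_session_count'; the limit is 1 as in the thread.
    repo.records.append(Endpoint(mac, username, now, True))
    count = getattr(repo, rule)(username)
    return "[Deny Access Profile]" if count > 1 else "[Allow Access Profile]"

def guest_scenario(rule, expire_after_minutes=None):
    """Guest uses device 1 for a 1-hour account, then re-registers with device 2 ten
    minutes after it ended; optionally run endpoint expiration before that attempt."""
    repo = EndpointsRepository()
    t0, user = datetime(2013, 10, 2, 7, 0), "guest@example.com"
    first = connect(repo, "aa:bb:cc:00:00:01", user, t0, rule)
    # The hour ends: account expired, device 1 offline, its endpoint record still present.
    repo.records[0].session_active, repo.records[0].last_seen = False, t0 + timedelta(hours=1)
    t2 = t0 + timedelta(hours=1, minutes=10)
    if expire_after_minutes is not None:
        repo.expire_stale(t2, timedelta(minutes=expire_after_minutes))
    second = connect(repo, "aa:bb:cc:00:00:02", user, t2, rule)
    return first, second
```

With the thread's rule the second device is denied because the first device's record survives the account; counting active sessions, or expiring the stale record first, lets the second device in.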