[HowTo] Auto-Sponsor with Clearpass Guest



I guess that many of you have deployed guest WLANs where the password is sent over SMS to the user. By doing this we make sure whoever logs into the network has to provide a valid phone number that can be tracked in case there's been an improper use of the network. An interesting alternative could be to verify the email address of the guest using the sponsor approval workflow. The user would have limited access to the network while he validates his email and full access once that's done. 


This is how I've been doing it lately:


Clearpass Guest Configuration

I've created a self-registration where the guest gets 5 minutes of internet access to validate its email address. This lets the guest receive the email to self-sponsor himself. The config process would be the following:

First of all, modify expire time so that the initial duration is 5 minutes. I've used the "modify_expire_time" field and set it to 5m:


I first click "Insert_After" to add a new field and then add the "modify_expire_time" field with the following configuration:


As you can see, it’s a hidden field with the initial value set to 5m and we’re forcing it to always use its initial value.


Next step would be to send a “self-sponsor” email to the user. In order to do that we configure “sponsor approval” with no sponsor auth, send approval request to the user’s own email, an 8h increment of the account duration and we set the initial state to “enabled”:


This would be the basic config we would need in Clearpass Guest. It admits a lot of small improvements such as modifying the confirmation email to have a more appropriate text or the page seen by the “self-sponsor”. In order to keep things simple, we’ll leave those out for the moment.


ClearPass Policy Manager Configuration

What we’ll do in CPPM is similar to what we do when configuring MAC Caching, with the only difference that after the web authentication a new authentication will be triggered after 5 minutes. In order to do that, we’ll create 2 services, one for the RADIUS authentication from the web login and one for the subsequent MAC authentications.


Let’s focus first on the web authentication service. We need a generic RADIUS auth service where we validate the auth comes from the right SSID and so on. The key part lies in the Enforcement policy, where we’ll have the following:

  • [Update Endpoint Known] to mark the device as known.
  • 5-6 Min Session timeout to expire the user session after 5 minutes have passed.
  • Update Guest Endpoint to save the user data in the endpoint


With this configuration, our enforcement profile should look more or less like this:


Now that the web authentication is set, we just need to take care of the MAC authentication service. This will allow us to cache the device for as long as we want the user session to be open. We just need to validate that the guest account tied to the endpoint exists and is not expired. The enforcement policy should look like this:


There are two key aspects here. First of all, we’ll need to add the [Guest User Repository] as an authorization source and second, we need to send the username back to the controller/ap. We don’t want the MAC address to appear as the username, we want the user id from the initial web login (which we’ve saved in the endpoint). This allows us to track the user session even when he’s being cached:


This would be all the required configuration in Clearpass, now we just need to take care of the AP/controller config.


AP Configuration

Since we plan on validating users based on their MAC addresses, we need to add MAC authentication to the guest authentication we usually have in these types of scenarios. This is what my IAP config looks like:


As you can imagine, this is just a sample configuration that will allow you to get started on this, and it leaves room for a lot of minor improvements. Nevertheless, I think this sets some basic foundations for the auto-sponsor login that could be useful to many. Give it a go and tell us what you think about it :)






Samuel Pérez


If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
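
The decision logic the two services in the post implement, as an added Python model that is not part of the original post and is not ClearPass code. The class and method names are illustrative, the timestamps are constructed, and adding the 8h increment to the current expiry is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

INITIAL_LIFETIME = timedelta(minutes=5)  # hidden modify_expire_time field, 5m
SPONSOR_INCREMENT = timedelta(hours=8)   # added when the guest confirms the email
SESSION_TIMEOUT = 300                    # seconds, sent as RADIUS Session-Timeout

@dataclass
class Guest:
    username: str
    expires: datetime

class GuestFlow:
    """Toy model; names are illustrative, not ClearPass identifiers."""
    def __init__(self):
        self.guests = {}     # stands in for the guest user repository
        self.endpoints = {}  # MAC -> guest username saved at web login

    def register(self, email, now):
        self.guests[email] = Guest(email, now + INITIAL_LIFETIME)

    def confirm_email(self, email):
        # Assumption: the increment is added to the current expiry time.
        self.guests[email].expires += SPONSOR_INCREMENT

    def _valid(self, username, now):
        guest = self.guests.get(username)
        return guest is not None and now < guest.expires

    def web_auth(self, mac, username, now):
        if not self._valid(username, now):
            return {"result": "reject"}
        self.endpoints[mac] = username  # mark endpoint known, save guest data
        return {"result": "accept", "User-Name": username,
                "Session-Timeout": SESSION_TIMEOUT}

    def mac_auth(self, mac, now):
        username = self.endpoints.get(mac)
        # Unknown device, or guest account missing/expired: back to the portal.
        if username is None or not self._valid(username, now):
            return {"result": "reject"}
        # Return the guest id, not the MAC, so the session stays attributable.
        return {"result": "accept", "User-Name": username}

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    mac, user = "aa:bb:cc:00:00:01", "guest@example.com"
    flow = GuestFlow()
    flow.register(user, t0)
    first = flow.web_auth(mac, user, t0)
    unconfirmed = flow.mac_auth(mac, t0 + timedelta(minutes=5))
    flow.confirm_email(user)
    confirmed = flow.mac_auth(mac, t0 + timedelta(minutes=5))
    return first, unconfirmed, confirmed
```

The model only grants access on MAC re-authentication while the linked guest account is unexpired, which is the check that keeps a cached MAC address from outliving the sponsored account.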
Aruba Employee

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Hi Samuel,


Great post here, but for a newbie the "ClearPass Policy Manager Configuration" part is a bit shady yet. It assumes I already know the details on the services creation.

Could you detail a bit more on how exactly to create the "2 services, one for the RADIUS authentication from the web login and one for the subsequent MAC authentications." you mention and where/how exactly to apply the actions described after.


Thank you,


Guru Elite

Re: [HowTo] Auto-Sponsor with Clearpass Guest

You can use the service template for Guest with MAC caching.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Aruba Employee

Re: [HowTo] Auto-Sponsor with Clearpass Guest

That solved it.

Thank you

Occasional Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Has anyone set this up and got it working 100% as expected?


From reading the notes, it says "new authentication will be triggered after 5 minutes". I understand this to mean post the timeout the device will re-auth, and if the user name is active the device will auto-connect?


This is not the case for me; the timeout is just changing the role back to the login role. If you disconnect and reconnect to the Wi-Fi and the account is active, all is OK.


Occasional Contributor II

Re: [HowTo] Auto-Sponsor with Clearpass Guest



I know this is quite an old thread, but I've recently been trying to make this scenario work with the same result... once the timeout occurs, it reverts to the default/initial role and the auto registration page is showing again... if I reboot the device, it triggers the MAC authentication service, but this is not the case without rebooting...

did anyone find the roundabout to this??? any special info to take care about not mentioned in documentation???


thank you very much in advance,



Occasional Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

I engaged with Aruba when I was working on this and found the config needed tweaking.


see attached




Occasional Contributor II

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Thank you Colin,


thank you for sharing this it's working as's a shame that Aruba don't have a better guide to make this kind of scenario alive with less tweaking...


now that everything seems to behave as expected using your workaround, it's time to begin from scratch again..too many days changing too many things lead to a config too messy, and too many parameters will be for sure upside-down...


Thank you very much indeed.



Occasional Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest



The guide was not originally provided by Aruba. The reason why the tweaks are needed is that the way the controller works has changed in the newer versions.


Occasional Contributor II

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Yes, I know... that's why I'm missing something official from Aruba...

I'm sure you're right, but I can't avoid feeling some kind of emptiness here... ;)

Thank you very much indeed,
