Occasional Contributor II

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Well, i'm back again with the same issue...i don't know if i'm missing something, or the whole thing is so unstable, but i'm back with the same behaviour: can't get mac caching service triggered most of the time...only if i don't apply ALL the timeout profiles, including MAC caching session timeout, it behaves near expected, but the controller says it's a web auth session going on, even  after rebooting the client ...


Does anybody has a detailed document that could be shared to check against my own config??? now i'm doubtful about everything, including controller configuration, clearpass guest selfregistration forms, fields and so on...even how clearpass is managing date and epoch, with timezone different from the reference, is suspicious now to me...

i'm missing something for sure...


Thank you very much in advance,


Occasional Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest


I have a problem with SMTP

Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

For the SMTP. I assume you are getting the starttls error. I just answered that on a different thread.


I do have a different issue. All this works great, however if the client resets his connection before the user is confirmed, mac-auth is done and the session-timeout is changed to default. I can set it there to 360 seconds as well, but when a user is confirmed, 360 seconds is not required anymore.

I tried setting an unvalidated role for the user during registration and changing the role when sponsored. However the endpoint keeps the original role id.


Also in the additional settings file the ${GuestUser:do-expire} is used during hte mac-auth. But clearpass does not seem to be able to translate this to the value of do-expire. It just literally set the string ${GuestUser:do-expire} in the endpoint.


I've added screenshots in the file below.


Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

I found a workaround. 


I've edited the Guest User Repository source to include the RemainingExpiration attribute of the user. It is already in the authentication query but not in the authorization query. I name the alias RemainingExpirationAuth.


I then added a few rule in the policy enforcement policy for the MAC auth.

  1. Default mac auth enforcement. 
    Check the insight repository for hours-since-auth, check if the endpoint contains the valid user role, check if the guest account is enabled and not expired. 
    This resulted in a radius allow access enforcement profile that set the reauth timer to 86400.
  2. Check if the endpoint role is unvalidated and if the RemainingExpirationAuth is larger then 300 seconds. 300 seconds are the 5 minutes that were set for the free wifi access.
    This results in the endpoint user role id being updated and a radius allow access enforcement profile that sets the reauth timer to 86400.
  3. Check if the endpoint role is unvalidated. Since I use first applicable the RemainingExpirationAuth will be less then or equal to 300 seconds.
    This results in a radius allow access profile that sets the reauth timer to 360 seconds. 
  4. Check if the endpoint role is set to the validated role but the account is disabled or expired. This results in a radius deny profile and a Set Endpoint Unknown.

Now the user can be disconnected during his 5 minutes of free wifi and reconnect using Mac while remaining on a short reauth timer. And when the user validates his email he will recieve a normal reauth timer in the same service.


There can be some improvements but for me this is working right now.

  1. You can edit the guest user repository authorization query to return the guest role id and use that attribute to set the final role instead of checking the RemainingExpiration field. I would make the service more generic if you have multiple SSIDs.
  2. You can also use the RemainingExpiration field as a value for the short reauth timer. Although you should increase it by 60 seconds as a buffer. This would make it a more generic enforcement profile.

I've added screenshots of my current configuration.


New Contributor

Re: [HowTo] Auto-Sponsor with Clearpass Guest

just joining this forum and came across this old post 


I have the self sponser to email working such that the user registers an account using a valid email and then receives an email from clearpass to confirm that account.  This post addresses the issue that I am trying to resolve in that the user can'r receive the email on the device he is connecting with because there is no access until the confirmation is done.

I am using two service policies created from the template to get me to this point.  mac authentication and mac authentication with caching

The first gets service policy gets the registration done but the second policy does not get ran until after the email is confirmed.  The secoond policy is what updates the endpont to known.

This thread appears to call for two additional policies but I can't figure out how to layer them in to get the endpoint known for the 5 minute period to allow for network access to recieve the email and finish the confirmation that runs gets the mac caching service ran.


Hopefully someone can clear this up for me please

New Contributor

Re: [HowTo] Auto-Sponsor with Clearpass Guest

you need to make sure that the account is active as part of the registeration. 


Search Airheads
Showing results for 
Search instead for 
Did you mean: