Occasional Contributor II

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Well, i'm back again with the same issue...i don't know if i'm missing something, or the whole thing is so unstable, but i'm back with the same behaviour: can't get mac caching service triggered most of the time...only if i don't apply ALL the timeout profiles, including MAC caching session timeout, it behaves near expected, but the controller says it's a web auth session going on, even  after rebooting the client ...


Does anybody has a detailed document that could be shared to check against my own config??? now i'm doubtful about everything, including controller configuration, clearpass guest selfregistration forms, fields and so on...even how clearpass is managing date and epoch, with timezone different from the reference, is suspicious now to me...

i'm missing something for sure...


Thank you very much in advance,


Occasional Contributor II

Re: [HowTo] Auto-Sponsor with Clearpass Guest


I have a problem with SMTP

Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

For the SMTP. I assume you are getting the starttls error. I just answered that on a different thread.


I do have a different issue. All this works great, however if the client resets his connection before the user is confirmed, mac-auth is done and the session-timeout is changed to default. I can set it there to 360 seconds as well, but when a user is confirmed, 360 seconds is not required anymore.

I tried setting an unvalidated role for the user during registration and changing the role when sponsored. However the endpoint keeps the original role id.


Also in the additional settings file the ${GuestUser:do-expire} is used during hte mac-auth. But clearpass does not seem to be able to translate this to the value of do-expire. It just literally set the string ${GuestUser:do-expire} in the endpoint.


I've added screenshots in the file below.


Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

I found a workaround. 


I've edited the Guest User Repository source to include the RemainingExpiration attribute of the user. It is already in the authentication query but not in the authorization query. I name the alias RemainingExpirationAuth.


I then added a few rule in the policy enforcement policy for the MAC auth.

  1. Default mac auth enforcement. 
    Check the insight repository for hours-since-auth, check if the endpoint contains the valid user role, check if the guest account is enabled and not expired. 
    This resulted in a radius allow access enforcement profile that set the reauth timer to 86400.
  2. Check if the endpoint role is unvalidated and if the RemainingExpirationAuth is larger then 300 seconds. 300 seconds are the 5 minutes that were set for the free wifi access.
    This results in the endpoint user role id being updated and a radius allow access enforcement profile that sets the reauth timer to 86400.
  3. Check if the endpoint role is unvalidated. Since I use first applicable the RemainingExpirationAuth will be less then or equal to 300 seconds.
    This results in a radius allow access profile that sets the reauth timer to 360 seconds. 
  4. Check if the endpoint role is set to the validated role but the account is disabled or expired. This results in a radius deny profile and a Set Endpoint Unknown.

Now the user can be disconnected during his 5 minutes of free wifi and reconnect using Mac while remaining on a short reauth timer. And when the user validates his email he will recieve a normal reauth timer in the same service.


There can be some improvements but for me this is working right now.

  1. You can edit the guest user repository authorization query to return the guest role id and use that attribute to set the final role instead of checking the RemainingExpiration field. I would make the service more generic if you have multiple SSIDs.
  2. You can also use the RemainingExpiration field as a value for the short reauth timer. Although you should increase it by 60 seconds as a buffer. This would make it a more generic enforcement profile.

I've added screenshots of my current configuration.


New Contributor

Re: [HowTo] Auto-Sponsor with Clearpass Guest

just joining this forum and came across this old post 


I have the self sponser to email working such that the user registers an account using a valid email and then receives an email from clearpass to confirm that account.  This post addresses the issue that I am trying to resolve in that the user can'r receive the email on the device he is connecting with because there is no access until the confirmation is done.

I am using two service policies created from the template to get me to this point.  mac authentication and mac authentication with caching

The first gets service policy gets the registration done but the second policy does not get ran until after the email is confirmed.  The secoond policy is what updates the endpont to known.

This thread appears to call for two additional policies but I can't figure out how to layer them in to get the endpoint known for the 5 minute period to allow for network access to recieve the email and finish the confirmation that runs gets the mac caching service ran.


Hopefully someone can clear this up for me please

Occasional Contributor I

Re: [HowTo] Auto-Sponsor with Clearpass Guest

you need to make sure that the account is active as part of the registeration. 


MVP Expert

Re: [HowTo] Auto-Sponsor with Clearpass Guest

Hi Samuel,


I am encountering an issue & would appreciate your inputs to see if this can be addressed.


MAC caching interval for the guest user is being calculated based of remaining expiration time in the guest repository.

(Authorization attribute has been added to guest user repository in order to compare current time vs remaining expiration) )


a). Self sponsorship confirmation is working perfectly while I am using the guest account on a single device.


b). If i register using the same email address on the 2nd device, it is over riding the expiration timer of the guest account.


Eg: 1. Device A registers with email "" at 10AM which creates an account using the email address provided in the guest repository with expiration set to 10.05 AM.


User is provided 5 mins of free internet access & then he confirms the email to extend the expiration of the account to 6:05 PM.


So, if the device disconnects & reconnects multiple times until 6.05 PM, it would get direct internet access (mac caching kicks in).


2. Device B registers with the same email "" at 11AM which overrides the previously created account (step 1) & changes the expiration time from 6.05PM to 11.05 AM.


If Device B does not confirm the account (clicking on the email sent as part of registration), then the account will expire at 11.05 AM.


Device A is presented with captive portal again if it gets disconnected & tries to connect back to the network.


Is there a way to ensure that Device A is not affected when the same email account is used on Device B?

Search Airheads
Showing results for 
Search instead for 
Did you mean: