Security

Hi,

 

Im getting this alert and its obviously not pulling the value to then send it as the session timeout as per the wizards.

Alerts for this Request  

I have confirmed that the Guest User Repository is under authorisation, and confirmed that attribute is in there as an attribute.

 

Authorization:Sources

[Guest User Repository], [Endpoints Repository], [Time Source]

 

Filter Name	Attribute Name	Alias Name	Enabled As
1.	Authentication	sponsor_name	SponsorName	-
	remaining_expiration	RemainingExpiration	-
	expire_time	ExpireTime	-

 

Im guessing i need to do something in Guest to make it store this attribute??

 

2016-07-06 14:33:15,188	[AuthReqThreadPool-16-0x7f17ba1aa700 r=R00000252-01-577ca62b h=42] ERROR ExtDB.DBQuery - ResultSet is empty
2016-07-06 14:33:15,188	[AuthReqThreadPool-16-0x7f17ba1aa700 r=R00000252-01-577ca62b h=42] ERROR ExtDB.DBQuery - Failed to get value for attributes=RemainingExpiration]
2016-07-06 14:33:15,189	[RequestHandler-1-0x7f17395ea700 h=15466 c=R00000252-01-577ca62b] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Authorization:Guest User Repository]:RemainingExpiration}, error=No values for param=Authorization:Guest User Repository]:RemainingExpiration
2016-07-06 14:33:15,189	[RequestHandler-1-0x7f17395ea700 h=15466 c=R00000252-01-577ca62b] ERROR Core.EnfProfileComputer - checkAddAttr: Failed to find finalValue for %{Authorization:Guest User Repository]:RemainingExpiration}
2016-07-06 14:33:15,189	[RequestHandler-1-0x7f17395ea700 h=15466 c=R00000252-01-577ca62b] INFO Core.EnfProfileComputer - getFinalSessionTimeout: sessionTimeout = 0

 

TIA

 

Ledge

 

 

 

 

 

 

 

 

 

Please provide screenshots of the service (specifically the tabs using this attribute) and also confirm whether the guest accounts you are matching are enabled and have a value for this field. You should be able to see this under the Manage Accounts section under ClearPass Guest if you click Show Details.

Hi,

 

 Its created by the wizards. 

 

This is the enforcement action from the Guest User Repository,

Radius:IETF

Session-Timeout

=

%{Authorization:[Guest User Repository]:RemainingExpiration}

The Guest user does not have the attribute as its only supposed to have "expire time"  and the Source filter in the source "Guest User Repository" calculates this

 

Authentication	sponsor_name	SponsorName	-
	remaining_expiration	RemainingExpiration	-
	expire_time	ExpireTime	-

But ive worked out the issue is that clearpass is not pulling the attributes at all from the Guest User Repository even though it is selected in the Authorisation tab.

 

Im guessing that Clearpass will not pull authorisaation attributes from a source it didnt authenticate with?  As it seems to get the attributes when doing Webauth against the Guest User Repository, but when its doing MAC-Auth it wont go get the attributes, i assume because its authenticating against the endpoint repository?

I guess this is because the Authorisation attributes on the [Guest User Repository] authentication source do not have RemainingExpiration set-up like the Authentication attributes does:

 

 

I would think you would need to amend the Authorisation filter to allow the collection of the remaining_expiration attribute.

 

Alternatively, you could write this value to the Endpoints Repository once the web auth takes place and then look it up from there for future MAC authentications. You may need to add some maths to the lookup though.

Thanks, Ill hopefully have some time next week to look at this again.

 

Ill let you know how i go.

Hi Ledge,

I am having this same issue. Did you ever figure it out?

Chris

------------------------------
Christopher Jones
------------------------------

Original Message:
Sent: Jul 18, 2016 04:23 AM
From: Michael Lidgett
Subject: Policy server Failed to get value for attributes=[RemainingExpiration]

Thanks, Ill hopefully have some time next week to look at this again.

 

Ill let you know how i go.

Please open a new discussion as this is an old one and things may have changed, and add the messages that you see, your configuration, and what you have done already in troubleshooting in that discussion to allow more effective answers. Based on 'same issue' we can only guess.

You can also contact Aruba support and have them look at it if you need a solution quickly.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Jan 29, 2021 11:59 AM
From: Christopher Jones
Subject: Policy server Failed to get value for attributes=[RemainingExpiration]

Hi Ledge,

I am having this same issue. Did you ever figure it out?

Chris

------------------------------
Christopher Jones

Original Message:
Sent: Jul 18, 2016 04:23 AM
From: Michael Lidgett
Subject: Policy server Failed to get value for attributes=[RemainingExpiration]

Thanks, Ill hopefully have some time next week to look at this again.

 

Ill let you know how i go.