Setting Varying Expiration for OnBoard Credentials/Certificates

In ClearPass Onboard 3.9 it was possible to set up role-based credential expiry (certificate validity) off of AD attributes. However, the same settings/return attributes don't seem to work with CPPM 6.x (6.1 in this case).

 

Previously it was possible to set a reply RADIUS attribute (Session-Timeout) with either a value of seconds or an explicit date (for example <?= strtotime('2013-12-31 23:59:59') - time() for December 31, 2013) and have the certificate expiration date be reflected by this.

 

I may have overlooked it, but is there a similar setup/process in 6.x for this functionality?

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Guru Elite

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

Clembo,

 

Return the RADIUS attribute "Session-Timeout" in seconds (in the enforcement profile) in the Onboard Authorization in CPPM.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

Thanks Colin; I am aware of the fact I can put seconds in for Session-Timeout, but the customer requirements are to have the certificates expire at student graduation; so we want an expiration date set for each class of user. The 3.9 method allowed for this (in reality it used a formula to calculate the right amount of seconds from the date that was entered minus the current time to figure out the right number of seconds); do you know if this is possible in 6.x?

 

The value in 3.9 was <?= strtotime('2013-12-31 23:59:59') - time() but 6.x won't accept this as a value; only an integer

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Guru Elite

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

Clembo,

 

Wouldn't it be great if you could authorize the certificate name against the student account and have it fail when the student account is disabled?  

 

EDIT:  Just kidding.  You are right, it will not return that argument.

 



Re: Setting Varying Expiration for OnBoard Credentials/Certificates

We have that part working, Colin. We have the iPad passing Authentication (EAP-TLS); but failing Authorization against AD (account disabled) and I can deny them. That is an alternative we have discussed and may have to implement.

 

They are migrating from 3.9 to 6.x this summer and wanted the same functionality; that's all.   If the answer is no, then so be it; just wanted to be sure the same method is not available in 6.x.

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Guru Elite

Re: Setting Varying Expiration for OnBoard Credentials/Certificates

Clembo,

 

No, you cannot include that as an argument.  I will let the powers that be know that.

 

