Security

All,

 

Just curious. Has anyone implemented the new Time Source in Clearpass 6.3? If so, would you mind sharing the use case?

 

Thanks!

 

-Mike

Where is that defined?

Hi Colin,

 

It's defined under:

 

CPPM > Configuration > Authentication > Sources > [Time Source]

 

I've looked at the methods available with it in a service and allows you to do things like "Now" and now plus a future time - which all seem cool.

 

The reason I'm asking is that I'm doing a project with a client where we will be presenting a web login page to a connected user after X period of time, no matter what. Arubapedia has an article about Anonymous Guest Logins and pulling it off with an additional SQL db. It would be cool if this new auth source had something similar built in without going the whole way of creating a new db.

 

Thanks!

 

-Mike

I believe that is for looking at the expiration date of a cert so you can force a user to a captive portal if a cert is about to expire. I'll look when I get to my office later today.

Edited/Removed 

 

 

 

 

I've had it in every version of 6.3 I vaguely remember hearing about what
Troy mentioned with certificate expiration.

Yea, sorry about that.  I initially thought it did not exist on my system, but was on page 3 of my Sources.     I'll step aside for Troy to offer his commentary on it.

Looks pretty much like the solution tarnold and amigodave managed to conceive for my issue where certificate users did not know their certificate was about to expire.

 

They created a sql source so I could look at the certificate expiration time and do calculations on it to pop up a captive portal when it was about to expire. 

see http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Handling-certificate-expiration/m-p/93548/ for this.

 

This new TimeSource looks pretty much like that old sql source so I'm guessing they added this so people wouldn't have to pester tarnold and amigodave anymore whenever somebody wanted to do something with time :)

Sorry for the delay here, I’m waiting on a confirmation from engineering. Yes it could be used to check for cert expiration, but it was built to be more universal for other cases. As soon as I here back on some of the other use cases I will let everyone know. 

Hi Troy,

 

I wanted to see if the developers replied back about the Time Source?

 

Thanks for the help!

 

-Mike

Quick note from engineering

1. Certificate expiry checks
2. AD account expiry checks (the policy engine can convert the accountExpires attribute into a usable date/time field)

You can use these to frame policies that look up date/time attributes, and compare them with attributes fetched from authentication/authorization.

Troy,

 

Would you use the "%{Time-Source:Now}" type format in order to do this check?

 

Thanks!

 

-Mike