Hey, hopefully someone can help me figure this out... Cisco WLAN w/ CPPM Guest.
So after a user has authenticated and processed the portal, a RADIUS session timeout is sent to the Cisco WLC. All of this works great. Guest account is enabled, not expired.
If the user disconnects from the SSID, idle-timeout kicks in on the controller and this user is removed from the WLC. If the user comes back within the account expiry period (i.e. 12 hours), when they re-associate, it hits my [Mac Cache] role, where I do a bunch of checks on top of the default ones. What happens is I send an ACK to the controller with the PERMIT ACL, but my RADIUS session is 0, so if the user stays connected, they will never see a portal even after the guest account expires. They would need to do a MAC AUTH in order for that to happen (disconnect/reconnect to the SSID).
So I thought I would send the following (in a profile) during the MAC Authentication Enforcement Policy:
(Tips:Role EQUALS [MAC Caching]) | CDPQ_PUBLIC_ACK, CDPQ_PUBLIC Guest Session Timeout |
But I get this error in Access Tracker:
Policy server | Failed to get value for attributes=[RemainingExpiration] |
Found this thread, but I'm not quite sure how to handle it:
https://community.arubanetworks.com/t5/Security/Policy-server-Failed-to-get-value-for-attributes/m-p/271180
I guess I am not 100% sure how ClearPass handles this behavior when it's MAC and Guest interacting with each other...