Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Variable duration MAC-AUTH?

  • 1.  Variable duration MAC-AUTH?

    MVP
    Posted Jul 15, 2014 05:04 AM

    Two 'problems'.. kudos opportunities rather :P

    Usually the MAC-AUTH duration is decided by the role a guest user has, together with a simple Authorization:[Insight Repository]:Days-Since-Auth condition and a static duration.

    - Now a customer requires the MAC-AUTH duration to match the guest account expiration date the receptionist sets. Basically, if the guest account expires in 180 days, the MAC-AUTH should be valid for as long too. This guest account expiration can be anything from a day to a year.

    Seems a fair question, right? So how can I accomplish this?

    Can I somehow create a query that checks if the guest user is still active before allowing the device access?

    Or can I somehow use the guest account expiration date as a variable and tie that into the "Authorization:[Insight Repository]:Days-Since-Auth" bit somehow?

    That MAC-Guest-Check query already seems to have some expiration handling.. is this the guest user or the guest device expiration?

    - Somewhat related.. we also need to enable MAC-AUTH for AD authenticated captive portal users. The 'difficulty' (I'm still hoping I'm missing something obvious here) is that those MAC-AUTHs need to expire on a set date (next 1 September) rather than after a certain time.

    I'm fairly confident this should be doable with some custom SQL.. now I just need someone who's confident with ClearPass SQL :)



  • 2.  RE: Variable duration MAC-AUTH?

    EMPLOYEE
    Posted Jul 15, 2014 08:50 AM
    Not in front of a computer right now, but my first thought would be to write a custom attribute to the endpoint MAC record with the expiration date (do this in your web auth service), then use the new Time Source authorization source to reference that custom attribute and determine if the device is still valid.


  • 3.  RE: Variable duration MAC-AUTH?

    MVP
    Posted Jul 16, 2014 09:57 AM

    My first question apparently is a lot easier than that even.

    Source: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-Guest-MAC-Caching-Deny-Disabled-Guests/m-p/114909#M7486

    A condition "(Authorization:MAC-Guest-Check:UserName EXISTS)" is enough to check if the guest still has an active guest account. If there is no active guest account, his MAC-AUTH will fail too.



  • 4.  RE: Variable duration MAC-AUTH?

    MVP
    Posted Jul 16, 2014 12:47 PM

    Pretty much giving up on entirely automating this.. AD users logging on and then expiring their MAC-AUTH next September.

    Thinking of something easier now...

    - reset all endpoints to unknown on August 31st to force them all to reauthenticate? Is that possible? I can't seem to select and change the known status.

    - anyone got any better ideas?

    Guess I was still thinking too difficult..

    Just save an attribute with the current school year while doing the user auth.

    Then allow only endpoints with that attribute value.

    Come September 1st, just change the variable value we're setting at the user-auth and allowing with the MAC-auth and voila.. users forced to log on again.

    Simple and only a tiny bit of manual work once a year.



  • 5.  RE: Variable duration MAC-AUTH?

    Posted Jul 16, 2014 09:56 AM

    Create an enforcement policy that has something like the below as the first rule:

    %{Authorization:[Guest User Repository]:RemainingExpiration} = 0    apply    Deny Access Profile

    then apply this to the MAC-AUTH service which has been created for the MAC caching.

    So if the guest account has no time left before it expires it will be denied (account is expired), but if there is time left then this rule won't match and any subsequent processing can be applied.

    This should have the effect of allowing MAC caching as long as the account is still active.
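
The three mechanisms proposed in this thread, modelled together as one small policy evaluator: the expiry attribute written to the endpoint at web-auth time (reply 2), the live check that the guest account still exists and has time left (replies 3 and 5), and the school-year tag that is rolled once a year to force AD users back through the captive portal (reply 4). This is an added illustration written for this page, not ClearPass code and not any poster's configuration; the attribute names Last-Auth, Guest-Username, Guest-Expiry and School-Year, the guest records, MAC addresses and dates are all assumed.

```python
"""Model of the MAC-auth gating discussed in this thread: an added illustration,
not ClearPass code. Web-auth stamps the endpoint (MAC) record; MAC-auth is then
decided at reconnect time against those stamps and the live guest database,
instead of against a fixed number of days since the last auth. The attribute
names and all sample records below are assumed / constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class GuestAccount:
    username: str
    enabled: bool
    expire_time: datetime            # tz-aware; set by the receptionist


@dataclass
class Endpoint:
    mac: str
    attributes: dict = field(default_factory=dict)   # the endpoint's MAC record


def record_web_auth(endpoint: Endpoint, account: Optional[GuestAccount],
                    school_year: str, now: datetime) -> None:
    """Captive-portal (web-auth) step. Guest logins copy the account expiry onto
    the endpoint; AD logins (no guest account) get the school-year tag instead."""
    endpoint.attributes["Last-Auth"] = now.isoformat()
    if account is not None:
        endpoint.attributes["Guest-Username"] = account.username
        endpoint.attributes["Guest-Expiry"] = account.expire_time.isoformat()
    else:
        endpoint.attributes["School-Year"] = school_year


def remaining_expiration(account: GuestAccount, now: datetime) -> int:
    """Seconds left on the guest account; 0 once expired or disabled, which is
    what the 'RemainingExpiration = 0 -> Deny Access' rule keys on."""
    if not account.enabled:
        return 0
    return max(0, int((account.expire_time - now).total_seconds()))


def evaluate_mac_auth(endpoint: Endpoint,
                      lookup_guest: Callable[[str], Optional[GuestAccount]],
                      school_year: str, now: datetime) -> tuple:
    """MAC-auth enforcement policy, first matching rule wins: (decision, reason)."""
    attrs = endpoint.attributes
    if "Last-Auth" not in attrs:
        return "deny", "unknown endpoint: never passed web-auth"
    if "Guest-Username" in attrs:
        # Cheap check against the expiry stamped on the MAC record at web-auth.
        if datetime.fromisoformat(attrs["Guest-Expiry"]) <= now:
            return "deny", "stamped guest expiry has passed"
        # Live check as well: the stamp goes stale if the receptionist disables
        # or shortens the account after the device was cached.
        account = lookup_guest(attrs["Guest-Username"])
        if account is None or remaining_expiration(account, now) == 0:
            return "deny", "guest account missing, disabled or expired"
        return "allow", "guest account still active"
    if attrs.get("School-Year") != school_year:
        return "deny", "school-year tag stale: web-auth required"
    return "allow", "school-year tag current"


def demo() -> dict:
    """Constructed scenario: three guests and one AD user web-auth on 16 Jul 2014,
    the devices return 10 days later, and the AD device returns again on 1 Sep
    after only the policy's school-year value has been rolled."""
    auth_time = datetime(2014, 7, 16, 12, 0, tzinfo=timezone.utc)
    guests = {
        "visitor1": GuestAccount("visitor1", True, auth_time + timedelta(days=180)),
        "visitor2": GuestAccount("visitor2", True, auth_time + timedelta(days=2)),
        "visitor3": GuestAccount("visitor3", True, auth_time + timedelta(days=180)),
    }
    names = ["guest_ok", "guest_expired", "guest_disabled", "ad_user", "never_authed"]
    eps = {n: Endpoint(f"00:11:22:33:44:0{i}") for i, n in enumerate(names, 1)}
    for name, acct in [("guest_ok", "visitor1"), ("guest_expired", "visitor2"),
                       ("guest_disabled", "visitor3"), ("ad_user", None)]:
        record_web_auth(eps[name], guests.get(acct), "2013-2014", auth_time)

    guests["visitor3"].enabled = False      # receptionist disables it early
    later = auth_time + timedelta(days=10)
    out = {n: evaluate_mac_auth(ep, guests.get, "2013-2014", later)[0]
           for n, ep in eps.items()}
    sept = datetime(2014, 9, 1, 8, 0, tzinfo=timezone.utc)
    out["ad_user_september"] = evaluate_mac_auth(
        eps["ad_user"], guests.get, "2014-2015", sept)[0]
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20} {decision}")
```

Two points the model makes explicit. The expiry copied onto the endpoint at web-auth is cheap to check but is only a snapshot: a receptionist who disables or shortens the account afterwards does not touch the endpoint record, so a live check against the guest repository (the `UserName EXISTS` / `RemainingExpiration = 0` approach) is still needed to deny that device. And for the AD case, rolling the single school-year value in the policy invalidates every cached endpoint at once without having to reset their known status one by one.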