Occasional Contributor II

modify expire_time with first login

Having trouble with the following requirement:


A Guest Account should get disabled after 14 days if it is not used.

The Life time options are 1, 2, 3, 4, 5 days.


The service is based on the "Guest Authentication with MAC Caching" template.


If guest logs in durcing the first days with "5 day account" the expire_time gets modified to today +5 days which is perfectly fine


If guest  logs in on the 13th day (of this 14 day period) with "5 day account" the expire_time remains the original value which was set during creation. Which means it gets not updated and guest can use his account just 1 day.

My Customer would like to see the expire time get enhanced automatically in this case.


To be honest, i do not get why it is not getting updated altough the Access Tracker states that.


Does anyone have an idea or solution for this requirement?


best regards



Re: modify expire_time with first login

Interresting usecase, but I don't see why you are asked to complicate it that much. It sounds like a nightmare to administer to be honest ;) We usually have pre-made accounts with a set life-time that doesn't expire so the concierge just have a set he can hand out whenever and they last X days from first login..


But OK... You create the account with an expiration of 14 days, but life-time set to 5 days using the default mechanics of Clearpass Guest. As you've described this works OK.


So - to achieve what you need I'm thinking you will have to create your own version of this functionality that triggers on first login. The new expire_time is set according to the role "Guest-x-days".


When creating the guestuser you enter 14 days as expiration, but not any lifetime. Set the role to be equal to the duration you want it to have (guest-x-days). During first webauth you then enforce a new expire_time according to the role with a NOW+x days. Also set a custom field on the guestuser like "activated = true" and test for this field before doing the +days to make sure that it doesn't trigger again for the same account when the user logs in with a second/third device. You will also have to test the original expire_time against NOW to see if it's less that x days remaining of the 14 days expiration


Might be an easier way to do this, but I can't think of one.



John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Search Airheads
Showing results for 
Search instead for 
Did you mean: