Security

I except the guest account to be deleted... (the expiret set for 1 hour....and than do_expire-4)

 

but it's seems not effecting at all on the guest module...

screenshot attached: ClearPass Policy Manager 6.2.2.56893 on CP-VA-5K platform

 

Try setting the expired guest cleanup interval time; set under CPPM --> Administration --> Server Manager --> Server --> Configuration --> Cluster-Wide Parameters --> Cleanup Intervals -> Expired guest accounts cleanup interval (default is 365 days).

Thanks :)

 

now , this make me think.

 

can expire guest account be re-used? let's say a guest is retureing to the site after X days and would like to re-register with the same e-mail , can it be done?

and if so...soo he can do it everytime - and than the session limit/expiry limit dosent worth nothing... <-- > no?

 

please advise.

Check the post out here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Self-Registration-question/m-p/52058/highlight/true#M4234

Thanks - i already read it before...

 

but if i dont allow auto update...than the user is unable to reuse his e-mail after the expiry time (until the guest record is deleted - 365 days?! ) ...what should i do if the user is caming back after 12 hours or 1 day...and there is still a guest recrod and no auto_update_account allowed.

 

Please advise.

List your requirements and we can try to propose a solution.  There are a number of parameters that could conflict, so we want to make sure everything works as it should based on all your requirements; otherwise we will have to keep changing everything and it will not work the way you want.  Feel free to open a new post with all the requirements so we can focus on them, instead of do_expire.

 

The short answer is that we would change the cleanup interval to just a single day, and it will clean out all the expired users.

will do that.

Thanks.

Here is what you need to change for do_expire to actually take action once the account expires:

 

 

do_expire will take whatever action is selected there. Default is just to disable the account. I believe this is what you are looking for.

 

I know this doesn't answer all of your questions, just the first one. So, if the account expiration was 1 hour from now, then after 1 hour, the user will get bounced and the account will be deleted, if set to Delete and logout at specified time. Then the user could go back in and create their account again.

Thanks zjennings->I aware to this option,and  this is already configured in my guest manager  (as option 4) - but,i still see the guest account in cppm guest under guest accounts - as expired....

Sorry to drag out an old post but has this issue actually been resolved??

 

I understand there is the option under Guest Manager which sets the do_expire field. This is currently set to Delete and Logout at specified time. However, even with this set the account is expired and not deleted.

 

I know I can amend the Expired guest accounts cleanup interval under the Cluster-wide parameters but this only runs overnight as part of database maintenance.

 

This means if an account was created valid for 2 hours, after this time the account would become disabled. If the user wanted to create another account with the same username (email address) then this would fail as an account would exist already (albeit expired). I know this is a rare scenario but this seems to indicate Clearpass Guest cannot support accounts which have a short lifetime.

 

***edit*** this works like this running Clearpass 6.3.1 as well as previous versions.

 

Surely we need just 1 option for controlling the accounts when the expire_time is reached like it used to work in Amigopod.

Anyone got around this problem?

Thanks

I am very interested in a result here. The users is not deleted even if the do_expire is set to 4. Version 6.2.6

Would like to see how to make them delete automatically It seems to be that when the MACtrac account it created it COAs the device but if account already exists and is just updated because the guest registers again then there is no COA request done. Is there another way to force a COA upon expiration change on a MACTRAC account?