Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Network access for just 30 minutes

  • 1.  Network access for just 30 minutes

    Posted Mar 16, 2024 01:24 PM
    Hey guys, how are you?
     
    I have the following scenario.
     
    I need to give visitors access to my network for just 30 minutes. I don't need any type of validation, no username, no acceptance of terms, nothing like that.
     
    I have an IAP cluster and ClearPass. What scenario do you suggest to accomplish this?
     
    Thanks in advance.


  • 2.  RE: Network access for just 30 minutes
    Best Answer

    Posted Mar 16, 2024 03:27 PM

    Hi

    With MAC authentication enabled on the SSID you can assign one role for new devices and one role for devices that have exceeded the 30-minute limitation.

    To achieve this you tag the client during the initial authentication with a time limitation, in your case 30 minutes in the future.

    With Interim accounting enabled the access points will update ClearPass with session information.

    When 30 minutes have passed, a Dynamic authorization should be sent, as this is the time limitation for the session. Dynamic authorization, also called CoA or RFC 3676, will force the client to do a new authentication.

    At this time ClearPass can return the secondary role, maybe with a captive portal and an information page telling the user that the time has passed. Alternatively, deny subsequent connection attempts.

    The standard Guest with MAC caching template could give quite good help in how to create the needed enforcement profiles.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
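
The flow described in the answer above, modeled in Python as an added example (not from the original posts, and not ClearPass configuration): tag on first MAC authentication, check on interim accounting, force re-authentication, return the second role. The class, role names and sample MAC address are hypothetical.

```python
# Added illustration: a model of the decision flow, not ClearPass configuration.
from datetime import datetime, timedelta

ACCESS_WINDOW = timedelta(minutes=30)   # limit asked for in the thread
ROLE_NEW = "visitor-30min"              # hypothetical role names
ROLE_EXPIRED = "visitor-expired"


class VisitorPolicy:
    """Keeps one expiry tag per MAC address; the limit is therefore per MAC,
    since that is the only identity MAC authentication sees."""

    def __init__(self):
        self.expiry_by_mac = {}
        self.role_by_mac = {}

    @staticmethod
    def _norm(mac):
        # Treat AA-BB-..., aa:bb:... and aabb.ccdd... as the same endpoint.
        return mac.lower().replace("-", "").replace(":", "").replace(".", "")

    def authenticate(self, mac, now):
        """MAC authentication: tag unseen devices, then pick the role."""
        key = self._norm(mac)
        # setdefault keeps the original tag, so reconnecting never extends it.
        expiry = self.expiry_by_mac.setdefault(key, now + ACCESS_WINDOW)
        role = ROLE_NEW if now < expiry else ROLE_EXPIRED
        self.role_by_mac[key] = role
        return role

    def on_interim_accounting(self, mac, now):
        """Interim update: True means send a CoA to force re-authentication."""
        key = self._norm(mac)
        expiry = self.expiry_by_mac.get(key)
        # Only sessions still holding the first role need the CoA; this avoids
        # re-sending it on every later update from an already expired session.
        return (expiry is not None and now >= expiry
                and self.role_by_mac.get(key) == ROLE_NEW)


def demo():
    # Constructed timeline for one visitor device (sample MAC is made up).
    policy, t0, mac = VisitorPolicy(), datetime(2024, 3, 16, 13, 0), "AA-BB-CC-00-11-22"
    later = t0 + timedelta(minutes=31)
    return [
        policy.authenticate(mac, t0),                                   # first connect
        policy.on_interim_accounting(mac, t0 + timedelta(minutes=10)),  # inside window
        policy.on_interim_accounting(mac, later),                       # window passed
        policy.authenticate("aa:bb:cc:00:11:22", later),                # re-auth after CoA
        policy.on_interim_accounting(mac, later),                       # no CoA loop
    ]
```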