Security

 View Only

  • 1.  Clearpass - Adjust Expire time

    Posted Jul 17, 2021 05:09 PM
    Seems this topic has been covered a lot but I have not found a solution to this scenario...

    Is it possible for the MAC Authentication service to refer to the Guest User repository to look at the Guests ExpireTime value directly? Instead of looking at the Endpoint Database?

    Normal flow:

    - Guest creates an account via Captive Portal. The Endpoint in the Endpoint Repository is updated with the [Guest User Repository]:ExpireTime value. 
    - Subsequent Authentications use the MAC Auth service that looks at the Endpoint Expire time to derive MacCache role  Not the Guest Database ExpireTime)

    Now an Admin wants to extend the ExpireTime for this Guest user via the 'Change Expiration' option on the Guest account.

    How do I get the MAC Authentication Service to refer to this new value? I can only seem to refer to it during the MAC Caching service but that requires the Guest to hit the captive portal again and remember or go find the password they were assigned.

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------


  • 2.  RE: Clearpass - Adjust Expire time

    Posted Jul 18, 2021 01:44 AM
    Edited by Gorazd Kikelj Jul 18, 2021 01:46 AM
    Did you try with

    Authorization;[Guest User Repository]ExpireTime

    attribute?

    Best, Gorazd

    ------------------------------
    Gorazd Kikelj
    ------------------------------



  • 3.  RE: Clearpass - Adjust Expire time

    Posted Jul 19, 2021 07:35 AM
    Thanks for the tips guys!

    MHolden - Yes, we use the Device Registration Disconnect for actual device registrations. This works great to CoA the MAC Address after the change is made. But the root issue is still the same. When the Guest reconnects after CoA, it uses the MAC Cache service (We dont want to pop the captive portal again). The MAC Cache service is unable to pull the ExpireTime from the Guest User repository. Without this Attribute, Clearpass cannot use it to make a policy decision or enforcement.

    Gorazd - Same as above, the MAC Cache Service is not pulling back the ExpireTime attribute. 

    Note that the Guest User repository is configured on the MAC Cache service but only AccountEnabled and AccountExpired are pulled back.
     





    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------

    Original Message


  • 4.  RE: Clearpass - Adjust Expire time

    Posted Jul 18, 2021 12:34 PM
    A new default service was added in 6.9 I think called "[Device Registration Disconnect]"
    You can modify this service and enforcement policy to accomplish this task.

    Essentially, if you've created a new MAC Create/MacTrac Create custom page for the Guest User profile, Copy the Service, Update the Application:ClearPassPage-Name Value(s).
    Copy the Existing [Device Registration Disconnect] policy, and update it to also update the endpoint MAC-Auth Expiry just like you would with the captive portal authentication. 



  • 5.  RE: Clearpass - Adjust Expire time

    Posted Jul 19, 2021 04:51 AM
    This isn't a direct answer, but should give you some pointers.

    Historically the guest's expiry time was recorded in the associated device's Endpoint repository (MAC-Auth Expiry attribute - I believe Ben Van Zeggelaar came up with this solution back in 2013), along with the Username and Guest Role ID attributes, at registration time. A limitation of this approach is that subsequent changes in the guest's expiry time are not reflected in the Endpoint.

    To address this I have taken a different approach. I still record the Username and Guest Role ID in the Endpoint but directly reference the guest's expiry time. To achieve this I've created a new [Guest User Repository] Attribute filter. The key thing is the SQL that extracts the guest's expiry time based on the Connection:Client-Mac-Address-NoDelim value - this is "normalized" to the correct format for the PostgreSQL database (I realise this should be Username but I can't guarantee this will be in the correct format):

    SELECT CASE WHEN expire_time>now() THEN CAST(EXTRACT(epoch FROM (expire_time-NOW())) AS INTEGER)
                ELSE 0
           END AS remaining_expiration, expire_time::timestamp,
           attributes->>'Role ID' AS role_id
    FROM tips_guest_users
    WHERE ((guest_type='USER') AND (user_id='%{Connection:Client-Mac-Address-NoDelim}') AND (app_name!='Onboard'))

     
    The returned attributes are exposed in ClearPass in the following manner:

    SQL Value

    ClearPass attribute name

    Data Type

    remaining_expiration

    MAC_ExpiresIn

    Integer64

    expire_time

    MAC_ExpireTime

    DateTime

    role_id

    MAC_RoleID

    Integer

     

    Within the Guest MAC-Auth service I can then add the [Guest User Repostory] as an Authorization Source (this should already be there). Within the RoleMapping I can build a condition that verifies whether this device's associated guest has expired:

    (Endpoint:Guest Role ID  EQUALS  251) AND (Authorization:[Time Source]:Now LESS_THAN %{Authorization:[Guest User Repository]:MAC_ExpireTime})

     

     



    ------------------------------
    Derin Mellor
    ------------------------------



  • 6.  RE: Clearpass - Adjust Expire time

    Posted Jul 19, 2021 07:37 AM
    Derin - Brilliant! This sounds to be in line with what I am looking for. I will test this out and report back results. 

    Thanks much!

    ------------------------------
    Philip Wightman, ACEX (AMFX) #69. Aruba Partner Ambassador
    ------------------------------

    Original Message


Related Content