Security


Issue with post-auth enforcement profile

  • 1.  Issue with post-auth enforcement profile

    Posted Mar 25, 2026 06:11 AM

    hi

    I've got a small issue with a post-auth enforcement policy that writes some client cert details into a set of endpoint attributes (CN, expiry date, hostname).

    e.g. an attribute defined as date-time has %{Certificate::Not-Valid-After} assigned to it.

    Everything works just fine for a successful authentication, but if the auth fails then instead of the endpoint attribute containing the contents of the above variable, it contains the actual text string, in this case %{Certificate:Not-Valid-After}.

    We also have a ClearPass API server that we use to update other endpoint attributes, except if we try to do that in a failed auth case, it barfs because the contents of the date-time attribute defined above are incorrect.

    Post-auth enforcement policies don't allow you to implement something based upon whether there is a successful auth or not.

    How might I only populate the endpoint attributes for a successful authentication?

    Rgds

    A

    -------------------------------------------


  • 2.  RE: Issue with post-auth enforcement profile

    Posted Mar 27, 2026 05:30 AM

    I see you have a double :: in the first occurrence where you mention it; unsure if that's a typo.

    If in Access Tracker the attribute is set in the Computed Attributes, I normally copy it from there to make sure I don't have any typos; then add %{ in front and the } after it (no spaces).

    Had a few times where there was a very small difference. Or the enforcement was triggered on a non-TLS authentication, so the attribute was not set. And in the enforcement you may need to check if Certificate:Not-Valid-After is actually set before you trigger the update endpoint enforcement.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
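As an added example (not code from either poster or from ClearPass itself) of the pre-flight check the reply suggests, applied on the script side that talks to the ClearPass API: before pushing endpoint attributes, reject any value that is still an unexpanded %{...} placeholder, and reject a date-time attribute that does not parse. The attribute names, the date formats and the sample values are assumptions constructed for this example.

```python
import re
from datetime import datetime

# A ClearPass-style variable reference that was never substituted,
# e.g. "%{Certificate:Not-Valid-After}" left behind after a failed TLS auth.
UNEXPANDED_MACRO = re.compile(r"^%\{[A-Za-z0-9_:-]+\}$")

# Assumed date-time formats for the expiry attribute (assumption: adjust to
# whatever your ClearPass deployment actually writes into the endpoint).
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%SZ")


def is_unexpanded_macro(value: str) -> bool:
    """True if the value is still a literal %{...} placeholder."""
    return bool(UNEXPANDED_MACRO.match(value.strip()))


def parse_datetime(value: str):
    """Return a datetime if value matches one of DATE_FORMATS, else None."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    return None


def validate_endpoint_attributes(attrs: dict, datetime_keys=("Cert-Not-Valid-After",)) -> dict:
    """Split attributes into those safe to push ("ok") and those to skip, with a reason."""
    ok, skipped = {}, {}
    for name, value in attrs.items():
        if not isinstance(value, str) or not value.strip():
            skipped[name] = "empty"
        elif is_unexpanded_macro(value):
            skipped[name] = "unexpanded macro (certificate attributes were never set)"
        elif name in datetime_keys and parse_datetime(value) is None:
            skipped[name] = "not a valid date-time"
        else:
            ok[name] = value
    return {"ok": ok, "skipped": skipped}


# Constructed samples: a failed auth leaves the raw placeholders; a good auth fills them.
SAMPLE_FAILED = {"Cert-CN": "%{Certificate:Subject-CN}",
                 "Cert-Not-Valid-After": "%{Certificate:Not-Valid-After}",
                 "Hostname": "lab-pc-01"}
SAMPLE_OK = {"Cert-CN": "lab-pc-01.example.local",
             "Cert-Not-Valid-After": "2027-03-25 06:11:00",
             "Hostname": "lab-pc-01"}

if __name__ == "__main__":
    for label, sample in (("failed auth", SAMPLE_FAILED), ("successful auth", SAMPLE_OK)):
        print(label, validate_endpoint_attributes(sample))
```

Only the "ok" subset is pushed; anything skipped is logged so a non-TLS or failed authentication is visible rather than silently corrupting the endpoint record.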