Security

for testing purposes I've created a time source attribute in CPPM 6.9 

select date_trunc('minute', localtimestamp(0)) as now_in_minutes

the data type is Date-Time

The Alias Name is 'Now in Minutes DT'

I use this attribute in an Enforcement Profile
Endpoint FirstSeen = %{Authorization:[Time Source]:Now in Minutes DT}

In the Access Tracker I will get an Alert

Policy server

Failed to get value for attributes=[Now in Minutes DT]

When I use the pre-defined Alias 'Now DT' with the filter query 'select date_trunc('hour', localtimestamp(0)) as today' there is no alert.

Has anyone an idea what's going wrong?


------------------------------
Richard Walter
------------------------------

Do you see 'Authorization:[Time Source]:Now in Minutes DT' as an authorization attribute in the Access Tracker? If not, try to create a role-mapping rule, or enforcement rule that actually uses that attribute. Like Authorization:[Time Source]:Now in Minutes DT EXISTS => Role: dummy-role.

In some cases, if an attribute is not relevant for the policy decision (not tested, not used), it can be that the processing skips that processing. And attributes used in post-auth are not always retrieved, if not used during the service processing. Simple workaround, in that case, is to actually use/check the attribute.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Hi,
Thank you for the fast reply. I've got a strange behaviour now. When I use my Pc's wlan adapter I see  'Authorization:[Time Source]:Minus 10 Minutes DT 2021-08-26 10:21:00' in the Access Tracker's Authorization Attributes. Looks okay.
When I use my Samsung S10e I'll get the failed Alert within the access tracker.
Looks like I have to test some more devices.

Thanks

Richard

------------------------------
Richard Walter
------------------------------

Original Message:
Sent: Aug 26, 2021 04:19 AM
From: Herman Robers
Subject: time source attribute failed

Do you see 'Authorization:[Time Source]:Now in Minutes DT' as an authorization attribute in the Access Tracker? If not, try to create a role-mapping rule, or enforcement rule that actually uses that attribute. Like Authorization:[Time Source]:Now in Minutes DT EXISTS => Role: dummy-role.

In some cases, if an attribute is not relevant for the policy decision (not tested, not used), it can be that the processing skips that processing. And attributes used in post-auth are not always retrieved, if not used during the service processing. Simple workaround, in that case, is to actually use/check the attribute.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Hi,

Would you please share the dashboard details zip file for the failed auth to review the config?

------------------------------
Nimal Varampetran
------------------------------

Original Message:
Sent: Aug 26, 2021 04:39 AM
From: Richard Walter
Subject: time source attribute failed

Hi,
Thank you for the fast reply. I've got a strange behaviour now. When I use my Pc's wlan adapter I see  'Authorization:[Time Source]:Minus 10 Minutes DT 2021-08-26 10:21:00' in the Access Tracker's Authorization Attributes. Looks okay.
When I use my Samsung S10e I'll get the failed Alert within the access tracker.
Looks like I have to test some more devices.

Thanks

Richard

------------------------------
Richard Walter
------------------------------


Original Message:
Sent: Aug 26, 2021 04:19 AM
From: Herman Robers
Subject: time source attribute failed

Do you see 'Authorization:[Time Source]:Now in Minutes DT' as an authorization attribute in the Access Tracker? If not, try to create a role-mapping rule, or enforcement rule that actually uses that attribute. Like Authorization:[Time Source]:Now in Minutes DT EXISTS => Role: dummy-role.

In some cases, if an attribute is not relevant for the policy decision (not tested, not used), it can be that the processing skips that processing. And attributes used in post-auth are not always retrieved, if not used during the service processing. Simple workaround, in that case, is to actually use/check the attribute.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Hi Nimal,

all is working now. I now use an Enforcement Profile to set an attribute with an timestamp to the endpoint.

Endpoint FirstSeen = %{Authorization:[Time Source]:Now DT}
Type Post_Authentication
Time-Source filter : select date_trunc('hour', localtimestamp(0)) as today
Time-Source Name: today
Time-Source Alias Name: Now DT

I've got the problem when I used 'select date_trunc('minute', localtimestamp(0)) as now_in_minutes'
as a Time-Source filter.

Don't know how to get a dashboard details zip file.



------------------------------
Richard Walter
------------------------------

Original Message:
Sent: Aug 30, 2021 02:21 PM
From: Nimal Varampetran
Subject: time source attribute failed

Hi,

Would you please share the dashboard details zip file for the failed auth to review the config?

------------------------------
Nimal Varampetran
------------------------------


Original Message:
Sent: Aug 26, 2021 04:39 AM
From: Richard Walter
Subject: time source attribute failed

Hi,
Thank you for the fast reply. I've got a strange behaviour now. When I use my Pc's wlan adapter I see  'Authorization:[Time Source]:Minus 10 Minutes DT 2021-08-26 10:21:00' in the Access Tracker's Authorization Attributes. Looks okay.
When I use my Samsung S10e I'll get the failed Alert within the access tracker.
Looks like I have to test some more devices.

Thanks

Richard

------------------------------
Richard Walter


Original Message:
Sent: Aug 26, 2021 04:19 AM
From: Herman Robers
Subject: time source attribute failed

Do you see 'Authorization:[Time Source]:Now in Minutes DT' as an authorization attribute in the Access Tracker? If not, try to create a role-mapping rule, or enforcement rule that actually uses that attribute. Like Authorization:[Time Source]:Now in Minutes DT EXISTS => Role: dummy-role.

In some cases, if an attribute is not relevant for the policy decision (not tested, not used), it can be that the processing skips that processing. And attributes used in post-auth are not always retrieved, if not used during the service processing. Simple workaround, in that case, is to actually use/check the attribute.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.