WifiHax - Making Networks Excellent
  • Blog
  • Contact

ClearPass: Custom Time Source Attributes

7/10/2021

You can create custom date and time strings relative to "now" with the [Time Source] Authentication Source. This was useful recently when I needed to customise the expiration of MAC caching on Guest devices. 

Instead of having the MAC Caching last until the Guest Account expired, or for a day or a week from now, I wanted the caching to last until midnight of the current day. Here is how I achieved it.

In the ClearPass Guest Authentication with MAC Caching service template, an attribute called "MAC-Auth Expiry" is written to the endpoint. The caching duration is chosen in the MAC Caching Settings tab of the service template configuration wizard. By default it is set to the Account Expiry Time, using %{Authorization:[Guest User Repository]:ExpireTime} in the MAC Caching enforcement profile.
MAC Caching Settings
MAC Caching Enforcement Profile
Note: I have used the prefix "deleteme" when running the Service Template so that I remember to remove the components it creates for this demonstration.

The value of Expire Time is extracted from the Guest User Repository so that it matches the Guest Account expiration when written to the Endpoint attribute.
%{Authorization:[Guest User Repository]:ExpireTime}
The variable changes somewhat if you set the expiration to One Day or One Week, however. Instead of pulling information from the Guest User Repository it uses the Time Source, which is based on a SQL query.
%{Authorization:[Time Source]:One Week DT}
"One Week DT" is just one of the aliases included in the default Time Source configuration. It references the following SQL query, which truncates the current time to the hour (rounds it down) and adds one week.
select date_trunc('hour', localtimestamp(0)+interval '1 week') as one_week
There are various other aliases built in to the Time Source, such as Now DT, One Day DT, One Month DT and Six Months DT. These all return an easy-to-read date-time in the form YYYY-MM-DD HH:MM:SS. There are also aliases that return an integer number of seconds since the Unix epoch. I am less interested in calculating the time from a number, so I will focus on the more readable form.
Default Time Source
To create a variable which would return my desired result I added an additional filter to the Time Source. This is found in ClearPass Policy Manager under Configuration --> Authentication --> Sources.

I called the Filter "Today at Midnight" and used the following Filter Query:
select date_trunc('day', localtimestamp(0)) + interval '23 hour 59 minutes 59 seconds' as tonight
This query truncates the timestamp to the start of the current day, so the time component becomes 00:00:00. It then adds 23 hours, 59 minutes and 59 seconds, resulting in a value of the form YYYY-MM-DD 23:59:59 (where YYYY-MM-DD is the current day). I then referenced the tonight column with the Alias Name "Tonight DT" so that I can use it in my Enforcement Profile variable. One caveat: localtimestamp is evaluated in the local time zone of the ClearPass server running the query, so "midnight" here is the server's midnight; if the server and the venue are in different time zones you will need to adjust the interval accordingly.
Today at Midnight
Save the filter and the Time Source.
Now go to Enforcement --> Profiles and find your Guest MAC Caching profile for your service.
In the Attributes tab of the profile edit the Endpoint Attribute Value for the MAC-Auth Expiry so that it uses the new Time Source variable.
%{Authorization:[Time Source]:Tonight DT}
MAC Caching Profile with Tonight DT
Custom Time Source
When a Guest successfully authenticates the Guest MAC Caching enforcement profile is called by the "User Authentication with MAC Caching Enforcement Policy". You will see it as one of the multitude of Actions taken.

The "MAC Authentication Role Mapping" policy (as created by the service template) is referenced by the "MAC Authentication Enforcement Policy". Notice that the first condition, which assigns the TIPS Role [MAC Caching], checks the Endpoint MAC-Auth Expiry attribute and ensures that the present time is less than it.
MAC Auth Role Mapping
Note that Now DT is actually truncated to the hour if you inspect its SQL query. I found this out when I was testing with an expiration of 5 minutes from now, written with the following query:
SELECT date_trunc('second', localtimestamp(0)) + interval '5 minutes' as now_plus_5mins
Because of this, Now DT is not granular enough if you need expiration to occur in periods shorter than one hour: an hour-truncated "now" compared against a second-accurate expiry keeps the [MAC Caching] role until the next hour boundary, so the cache can outlive the intended window by most of an hour. That would need some further modification, and there are possibly better ways to attack such a scenario. For the midnight expiry it does not matter, because midnight is itself an hour boundary: at precisely 00:00:00 Now DT is no longer less than %{Endpoint:MAC-Auth-Expiry} (23:59:59 of the previous day), so the caching ends as expected.
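To see what the filter values and the role condition actually do, here is an added example (not from the original post and not ClearPass's own code) written in PostgreSQL syntax, which the post's queries use. It serves both the Today at Midnight filter above and the Now DT granularity note: localtimestamp(0) is replaced with constructed timestamps so the result is deterministic, with one first-authentication time at which the Tonight DT, exact-midnight and 5-minute expiry values are written, and several later check times at which the condition Now DT < MAC-Auth Expiry is evaluated with an hour-truncated Now DT (as described above) and, for comparison, with a second-accurate now. Nothing ClearPass-specific is needed; it runs against any PostgreSQL database.

```sql
-- Added example, not from the original post or from ClearPass.
-- Constructed timestamps stand in for localtimestamp(0).
WITH first_auth(auth_ts) AS (
  -- time of the guest's first (captive-portal) authentication
  VALUES (timestamp '2021-07-10 14:07:30')
),
expiry AS (
  SELECT
    -- the post's "Tonight DT" filter, as written to MAC-Auth Expiry
    date_trunc('day', auth_ts) + interval '23 hour 59 minutes 59 seconds' AS tonight_dt,
    -- alternative: exact midnight at the start of the next day
    date_trunc('day', auth_ts) + interval '1 day'                         AS midnight_dt,
    -- the 5-minute test value from the post
    date_trunc('second', auth_ts) + interval '5 minutes'                  AS plus_5mins
  FROM first_auth
),
checks(label, check_ts) AS (
  -- later MAC authentication attempts by the same endpoint
  VALUES
    ('3 minutes later',  timestamp '2021-07-10 14:10:30'),
    ('40 minutes later', timestamp '2021-07-10 14:47:30'),
    ('next hour',        timestamp '2021-07-10 15:00:00'),
    ('late evening',     timestamp '2021-07-10 23:59:00'),
    ('midnight',         timestamp '2021-07-11 00:00:00')
)
SELECT
  c.label,
  c.check_ts,
  -- "Now DT" as the post describes it: truncated to the hour
  date_trunc('hour', c.check_ts)                         AS now_dt_hourly,
  -- role condition Now DT < MAC-Auth Expiry for each expiry value
  (date_trunc('hour', c.check_ts) < e.tonight_dt)        AS cached_tonight,
  (date_trunc('hour', c.check_ts) < e.midnight_dt)       AS cached_midnight,
  (date_trunc('hour', c.check_ts) < e.plus_5mins)        AS cached_5min_hourly,
  -- the same 5-minute expiry against a second-accurate now
  (date_trunc('second', c.check_ts) < e.plus_5mins)      AS cached_5min_exact
FROM checks c
CROSS JOIN expiry e
ORDER BY c.check_ts;
```

Reading the rows: cached_tonight and cached_midnight agree on every row and only become false at the midnight check, because 00:00:00 is an hour boundary and so survives the truncation. The 5-minute columns diverge: at 14:47:30 the hour-truncated comparison (14:00:00 < 14:12:30) still grants the role while the second-accurate one does not, and only from 15:00:00 onward do both agree that the cache has expired. That is the granularity problem described above, and the reason a sub-hour expiry needs a finer-grained "now".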
The result of all of this is that on any MAC Authentication request after the day of first connection, the device is presented with a Captive Portal. In my use case this was a customised web-login page which required the username to be entered to resume the session. This continues until the Guest Account expiration disables the account, which could be weeks, months or longer in the future.

Let me know if this helps you out by commenting below or sharing in your social feeds.
© COPYRIGHT 2019. ALL RIGHTS RESERVED.

+61 3 9005 2219
proberequest@wifihax.com