Lifetime of Guest Access

  • Question
  • Updated 1 year ago
  • Answered
Hi,

I have currently installed for a customer the guest access environment using pre-shared keys on rekeying and scheduling.

Here you can create automatically created users and rotate them daily AND you are able to limit the login time of the ticket.

But it will only create the requested number of accounts for that day. There is no "preview" of the days to come. How can I create users that only have a short lifespan (12 hours max) and have them already created? So I can export these tickets, put them on a label merge and give them to the reception.

PS: A solution without ID Manager should be great

A thought: Is it me, or is the "guest" accounts feature a little bit weak? You have to use a third-party RADIUS to authenticate. No built-in feature for username/password? Make it limited to, let's say, 100 users. For the SMB market this should do. For the larger environments, they can buy ID Manager.

Thomas Collier


Posted 5 years ago


Crowdie, Champ

Thomas, you can use reoccurring automatically generated Private PSKs for time limited guest access.

I touched on this in my Private PSK comparison located at http://community.aerohive.com/aerohiv... and I have produced it below for you:

Automatically generated Private PSKs can also be configured to reoccur, while manually created Private PSKs (for obvious reasons) cannot. This means, for example, that if you want to have a guest solution that supports twenty guests per day for a period of one, two or five days you can create three different automatically generated reoccurring Private PSK groups as follows:

* User Name Prefix = Guest_1Day_; Private PSK Start Time = ; Private PSK Lifetime = 1 (day); Private PSK Rotation Interval = 1 (day); Private PSK Rotations = 500; Private PSK Users to Create Per Rotation = 20.
* User Name Prefix = Guest_2Day_; Private PSK Start Time = ; Private PSK Lifetime = 2 (days); Private PSK Rotation Interval = 1 (day); Private PSK Rotations = 500; Private PSK Users to Create Per Rotation = 20.
* User Name Prefix = Guest_7Day_; Private PSK Start Time = ; Private PSK Lifetime = 7 (days); Private PSK Rotation Interval = 1 (day); Private PSK Rotations = 500; Private PSK Users to Create Per Rotation = 20.

Notes:

* As these automatically generated Private PSKs are time restricted a failure in the NTP protocol will result in the guests not being able to authenticate. Therefore, having two or more NTP sources available for each access point is strongly recommended.
* Be careful to ensure that the Private PSK Lifetime x Private PSK Rotations does not exceed the ability of the Linux operating system to calculate the date. If you do exceed it the following warning will appear in your access point logs - “warn ah_auth: ah_auth_bulk_group_gen_users: bulk(x) to bulk(y) can't be generated because the timestamp out of range”.
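
The rule in the second note, as an added example that is not part of the original post or Aerohive's code: it applies Lifetime x Rotations to the three groups above and also reports how many guest keys are valid at the same time. The start time is a constructed sample (the post leaves it blank), and the limit is assumed to be a signed 32-bit `time_t`, which the post does not state.

```python
from datetime import datetime, timezone

# Assumption: the "timestamp out of range" limit is a signed 32-bit time_t
# (2038-01-19 03:14:07 UTC). The post does not say what the real limit is.
TIME_T_MAX = 2**31 - 1
DAY = 86400

# Constructed sample start time; the post leaves "Private PSK Start Time" blank.
SAMPLE_START = datetime(2024, 1, 1, tzinfo=timezone.utc)


def check_group(start, lifetime_days, rotations, interval_days=1, users=20):
    """Apply the post's rule: start + Lifetime x Rotations must stay in range."""
    start_ts = int(start.timestamp())
    end_ts = start_ts + lifetime_days * rotations * DAY
    # Largest rotation count that keeps Lifetime x Rotations inside the limit.
    max_rotations = (TIME_T_MAX - start_ts) // (lifetime_days * DAY)
    # Keys from overlapping rotations are all valid at once, so a long
    # lifetime with a short rotation interval multiplies the live keys.
    overlapping = min(-(-lifetime_days // interval_days), rotations)
    return {
        "end": datetime.fromtimestamp(end_ts, timezone.utc),
        "in_range": end_ts <= TIME_T_MAX,
        "max_rotations": max_rotations,
        "peak_valid_keys": overlapping * users,
    }


if __name__ == "__main__":
    # The three groups from the post: (prefix, lifetime in days, rotations).
    groups = [("Guest_1Day_", 1, 500), ("Guest_2Day_", 2, 500),
              ("Guest_7Day_", 7, 500)]
    for prefix, lifetime, rotations in groups:
        r = check_group(SAMPLE_START, lifetime, rotations)
        status = "ok" if r["in_range"] else "timestamp out of range"
        print(f"{prefix}: ends {r['end']:%Y-%m-%d}, {status}, "
              f"max rotations {r['max_rotations']}, "
              f"peak valid keys {r['peak_valid_keys']}")
```
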

Thomas Collier

I do understand, but that doesn't solve my problem.

We want to create "tickets", so we use the auto private keys to generate a ticket. But by default it will only create a ticket for the current day; the next day it will generate again the tickets of that day.

But as you may notice, this means we have to send out the new tickets every day to the front desk, as we would rather have a bunch of tickets being created that can be used once on any given day and expire 12 hours after use, or generate 20 tickets per day, but already visible in the user manager. This means we can export the users and create some paper to be left at the front desk.

Crowdie, Champ

Just so I understand this correctly, you want to create auto-generating PPSKs that are only valid for 12 hours after a wireless client associates with it. If no wireless client associates with it on day x, it can remain at the front desk until a wireless client associates with it, and then it only allows access for 12 hours.

Does this sound correct?

Derak

Has there been a solution for this? I am trying to do what you just described @Crowdie

Loren


Bump!  I am looking for this exact same solution.


John Hanay

Thank you for the comments and feedback. This is implemented to a greater extent in ID Manager and I understand your desire to have the same functionality in the platform. We are looking into how we can achieve this.

Jonatan Thiel

I would also like to see a solution for this "problem" without relying on ID Manager.

Dmitry Podshivalov

Any news? When will it be implemented outside of the ID Manager?

Eliu Rodriguez

Aerohive is just inflexible to do that kind of settings. What about if I want a staff member, such as a receptionist or Helpdesk member, to administer or manually create Private PSK guest accounts with a specific time range and number of accounts? They have to create a Local User Group, then the Bulk accounts, then you have to activate these accounts on every single AP (which is a waste of time if you have 250 units installed, etc.). It is just tedious and not practical at all. The regular stuff (rotative) is 1 day, 1 week or 1 month guest accounts; that is not a problem. But it might be that you previously created 300 guest accounts from which you will need only 100 (200 wasted accounts), or maybe you will need 400 (shortage), then you have to repeat the whole process again, etc. I just think that there should be a smarter way to do this.

Crowdie, Champ

Have you looked at the Service PPSK settings in HiveManager NG, which is available on-premise and in the cloud?


j

Given that Aerohive still hasn't implemented a proper way to renew, or even reissue, the key for a returning visitor, without having their MAC address blocked for an hour if they enter the wrong password four times in six minutes, I wouldn't recommend enabling the Account Expiration option.