String. The current account activation time in long form. This field In a database or a user interface, a single item of information; attribute. is available on the change_expiration and guest Someone who is permitted to access the enterprise network or Internet through your Network Access Server. Also, as ClearPass Guest, a configurable ClearPass module for secure guest network access management. Access permissions are controlled through an operator profile that can be integrated with an LDAP server or Active Directory login._enable forms. The value is generated from the start_time field, and may be one of the following:

Account will be enabled at date andtime

Account is currently active

No account activation

Boolean flag indicating that an already existing account should be updated, rather than failing to create the account. This field should normally be enabled for guest self-registration forms, to ensure that a guest that registers again with the same email address has their existing account automatically updated. Set this field to a non-zero value or a non-empty string to enable automatic update of an existing account. This field controls account creation behavior; it is not stored with created guest accounts.

Boolean flag indicating that an already existing account should be updated, rather than failing to create the account. This field should normally be enabled for guest self-registration forms, to ensure that a guest that registers again with the same email address has their existing account automatically updated. Set this field to a non-zero value or a non-empty string to enable automatic update of an existing account. This field controls account creation behavior; it is not stored with created guest accounts.

Special field used to enable the use of a CAPTCHA security code on a form. This field should be used with the user interface type “CAPTCHA security code” and the standard validator NwaCaptchaIsValid in order to provide the standard security code functionality.

Boolean flag indicating that any existing sessions for a guest account should be disconnected or modified using RFC Request For Comments; a commonly-used format for Internet standards documents. 3576. If this field is not specified on a form that modifies the guest account, the default value is taken from the configuration for the RADIUS Remote Authentication Dial-In User Service. Network access-control protocol for verifying and authenticating users; provides AAA management. A RADIUS transaction might be 802.1X, MAC-Auth, or generic RADIUS. Services plugin.

Set this field to a non-zero value or a non-empty string to enable RFC 3576 updates for active sessions. Set this field to a zero value or the empty string to disable RFC 3576 updates for active sessions.

Integer. Time at which the account was first created. The creation time is specified as a UNIX timestamp. This field is automatically configured with the current time when the Initial Value is set to: array('generator' => 'time')

If the same username is registered again, the create_time field is not overwritten.

Boolean flag indicating that the creator has accepted the terms and conditions of use. When creating an account, this field must be present, and must be set to the value 1. If this field is unset, or has any other value, account creation will fail with an error message.

To set the correct value for this field, use a check box (to require confirmation from the creator) or a hidden field (if use of the form is considered acceptance of the terms and conditions). This field controls account creation behavior; it is not stored with created guest accounts.

String. Name of the creator of the account. This field does not have a default value. See sponsor_name.

Integer that specifies the action to take when the expire time of the account is reached. See expire_time.

0—Account will not expire

1—Disable

2—Disable and logout

3—Delete

4—Delete and logout

“Disable” indicates that the enabled field will be set to 0, which will prevent further authorizations using this account.

“Logout” indicates that a RADIUS Disconnect-Request RADIUS packet type sent to a NAS requesting that a user or session be disconnected. will be used for all active sessions that have a username matching the account username. This option requires the NAS Network Access Server. Device (such as a wireless access point, network switch, or dial-in terminal server) that provides network access to users. When a user connects to the NAS device, a RADIUS user authentication request (Access-Request) is generated by the NAS. to support RFC 3576 Dynamic Authorization Describes the ability to make changes to a guest account’s session while it is in progress. This might include disconnecting a session or updating some aspect of the authorization for the session.. See RFC 3576 Dynamic Authorization for more information.

Integer. Time at which the account will expire, calculated according to the account’s expiration timers. The value of this field is a UNIX timestamp. This field is available when modifying an account using the change_expiration or guest_edit forms.

Boolean flag indicating if the user account is authorized to log in. This field is available when modifying an account using the change_expiration or guest_edit forms.

Boolean flag indicating if the user account has already expired. This field is available when modifying an account using the change_expiration or guest_edit forms.

Integer. The maximum session time that would be allowed for the account, if an authorization request was to be performed immediately. Measured in seconds. Set to 0 if the account is either unlimited (dynamic_is_expired is false), or if the account has expired (dynamic_is_expired is true). This field is available when modifying an account using the change_expiration or guest_edit forms.

String. Email address for the account. This field may be up to 100 characters in length. When creating an account, if the username field is not set then the email field is used as the username of the account.

Boolean flag indicating if the account is enabled. Set this field to 0 to disable the account. If an account is disabled, authorization requests for the account will always fail. Set this field to 1 to enable the account.

String. Description of the account’s expiration time. This field is set when modifying an account. This field is available on the change_expiration and guest_enable forms. The value is generated from the do_expire, expire_time, expire_postlogin and expire_usage fields, and may be one of the following:

Account will expire at date andtime, or interval after first login, or after interval total usage

Account will expire at date andtime or interval after first login

Account will expire at date andtime or after interval total usage

Account will expire at date andtime

Expires interval after first login or after interval total usage

Expires interval after first login

Expires after interval total usage

No expiration time set

Integer. Time at which the account will expire. The expiration time should be specified as a UNIX timestamp.

Setting an expire_time value also requires a non-zero value to be set for the do_expire field; otherwise, the account expiration time will not be used. Set this field to 0 to disable this account expiration timer.

If the expire_timezone field is used in conjunction with expire_time and a time zone and date are selected, the date calculation is adjusted relative to the time zone.

String. Provides a drop-down list of time zones to use in conjunction with expire_time and start_time. When expire_timezone is selected and a date is chosen, the date is adjusted to be relative to the time zone. Receipts and edits made after an account is created are displayed in the account’s local time zone.

By default, expire_timezone uses the NwaGenerateTimeZoneList options generator. To use a smaller subset of time zones, change the Options Generator to (Use options) and provide your "value | name" pairs. Please reference the default list for valid time zone values.

Integer. The total time period in seconds for which the account may be used. Usage is calculated across all accounting Process of recording summary information about network access by users and devices. Tracks network resource consumption and records events such as authentication failures. sessions with the same username. Set this field to 0 to disable this account expiration timer.

String. Identifies the Web browser that you are using. This tracks user’s browsers when they are registering. This is stored with the user’s account.

String. Internal user ID used to identify the guest account to the system.

String. The IP address to assign to stations authenticating with this account. This field may be up to 20 characters in length. The value of this field is not currently used by the system. However, a RADIUS user role Type of access being granted. ClearPass lets you define multiple roles. Such roles could include employee, guest, team member, or press. Roles are used for both guest access (user role) and operator access to ClearPass. may be configured to assign IP addresses using this field by adding the Framed-IP-Address attribute, and setting the value for the attribute to: <?= $user["ip_address"]

String Value indicating how to modify the expire_postlogin field.

This field is only of use when editing a guest account. It may be set to one of the following values:

“expire_postlogin” to set the post-login expiration time to the value in the expire_postlogin field;

“plus X” or “minus X”, where X is a time measurement, to extend or reduce the post-login expiration timer by X (minutes, but may have a “ywdhms” suffix to indicate years, weeks, days, hours, minutes, seconds respectively);

A number, to set the post-login expiration time to the value specified;

Any other value to leave expire_postlogin unmodified.

This field controls account modifications; it is not stored with the guest account.

String. Value indicating how to modify the expire_time field.

This field may be provided when creating or editing a guest account. It may be set to one of the following values:

“none” to disable the account expiration timer (do_expire and expire_time will both be set to 0);

“now” to disable the account immediately;

“expire_time” to use the expiration time specified in the expire_time field;

“expire_after” to set the expiration time to the current time, plus the number of hours in the expire_after field;

“plus X” or “minus X”, where X is a time measurement, to extend or reduce the expiration time by X (hours, but may have a “ywdhms” suffix to indicate years, weeks, days, hours, minutes, seconds respectively);

A time measurement “X”, to set the expiration time to the current time plus X;

Any other value to leave expire_time unmodified.

This field controls account creation and modification behavior; it is not stored with created or modified guest accounts.

String. Value indicating how to modify the expire_usage field. This field is only of use when editing a guest account. It may be set to one of the following values:

“expire_usage” to set the cumulative usage expiration timer to the value in the expire_usage field;

“plus X” or “minus X”, where X is a time measurement, to extend or reduce the cumulative usage expiration timer by X (seconds, but may have a “ywdhms” suffix to indicate years, weeks, days, hours, minutes, seconds respectively);

A number, to set the cumulative usage expiration time to the value specified;

Any other value to leave expire_usage unmodified.

This field controls account modifications; it is not stored with the guest account.

String. Value indicating how to modify the account password.

It may be one of the following values:

“random_password” to use the password specified in the random_password field;

“reset” to create a new password, using the method specified in the random_password_method field (or the global defaults, if no value is available in this field);

“password” to use the value from the password field;

Any other value leaves the password unmodified.

This field controls account creation and modification behavior; it is not stored with created or modified guest accounts.

String. Value indicating how to modify the start_time field.

It may be one of the following values:

“none” to disable the account activation time;

“now” to activate the account immediately;

“start_time” to use the activation time specified in the start_time form field (normally a UNIX time, but may be 0 to disable activation time);

“start_after” to set the activation time to the current time plus the number of hours in the start_after field;

“plus X”, where X is a time measurement, to extend the activation time by X. The time measurement is normally hours, but may have a “ywdhms” suffix to indicate years, weeks, days, hours, minutes, or seconds, respectively. Alternatively, this operation may be written equivalently as ‘+X’, ‘pX’, ‘plusX’, ‘add X’, ‘addX’, or ‘aX’. Example: to delay activation time by 2 days, use the value +2d.

“minus X”, where X is a time measurement, to reduce the activation time by X. See above for details about specifying a time measurement. Alternatively, this operation may be written equivalently as ‘-X’, ‘mX’, ‘minusX’, ‘sub X’, ‘subX’, or ‘sX’. Example: to bring forward activation time by 12 hours, use the value -12h.

A time measurement “X”, to set the activation time to the current time plus X.

A time and date specification, to set the activation time to that time and date. Many different formats are specified; for clarity it is recommended that a standard format such as ISO-8601 is used (“YYYY-MM-DD hh:mm:ss” format).

Any other value to leave start_time unmodified.

This field controls account creation and modification behavior; it is not stored with created or modified guest accounts.

Integer. Initial sequence number. This field is used when creating guest accounts and the random_username_method field is set to “nwa_sequence”. If this field is not set, the next available sequence number for the given multi_prefix is used. Sequence numbering will start with 0 if no initial sequence number has been set.

String. The prefix of each username generated when creating guest accounts and the random_username_method field is set to “nwa_sequence”.

String. Network address mask to use for stations using the account. This field may be up to 20 characters in length. The value of this field is not currently used by the system. However, a RADIUS user role may be configured to assign network masks using this field by adding the Framed-IP-Netmask attribute, and setting the value for the attribute to: <?= $user["netmask"]

Boolean. If set, prevents a user from changing their own password using the guest self-service portal. Set this field to a non-zero value or a non-empty string to disable guest-initiated password changes. The default is to allow guest-initiated password changes, unless this field is set.

Boolean. If set, prevents a user from logging into the guest service portal. Set this field to a non-zero value or a non-empty string to disable guest access to the self-service portal. The default is to allow guest access to the self-service portal, unless this field is set.

Boolean. User does not receive a logout expiration warning. The admin or user can opt out of this option by setting the field to 1.

String. Comments or notes stored with the account. This field may be up to 255 characters in length.

Integer. The number of accounts to create when using the create_multi form. This field controls account creation behavior; it is not stored with created guest accounts.

String. Password for the account. This field may be up to 64 characters in length.

String. Password for the account. If this field is set, its value must match the value of the password field for the account to be created or updated. This can be used to verify that a password has been typed correctly. This field controls account creation and modification behavior; it is not stored with created or modified guest accounts.

String. Controls the password changing behavior for a guest account. This field may be set to one of the following values:

empty string – Default behavior; that is, guests are not required to change their password

deny – Prevents the guest from changing their password

first – Requires the guest to change their password on their first login

next – Requires the guest to change their password on their next login

recur – Require the guest to change their password on a regular schedule (as specified by the password_action_recur field)

recur_next – Require the guest to change their password on their next (or first) login, and then on a regular schedule (as specified by the password_action_recur field)

If the guest is required to change their password, this will take place during a network login, before the guest is redirected to the NAS for login. Guest password changes are only supported for Web login Login page displayed to a guest. pages and guest self-registration pages that have the “Perform a local authentication Verification of a user’s credentials. Typically accomplished with a username and password, a one-time token, or a digital signature. check” option enabled.

The default behavior is to leave guest passwords under the control of the guest. With the default behavior, guests are not prevented from changing their password, but are also not required to change it on any particular schedule.

String. Specifies a date or relative time, after which a guest will be required to change their password. Using this field also requires the password_action field to be set to the value ‘recur’. The value of this field should be a relative time measurement, indicated with a plus sign; for example “+15 days” or “+2 months”.

Integer. The time that the guest’s password was last changed. The password change time is specified as a UNIX timestamp. This field is automatically updated with the current time when the guest changes their password using the self-service portal.

String. This field contains a randomly-generated password. This field is set when modifying an account (guest_edit form).

String. The length, in characters, of randomly generated account passwords.

For nwa_words_password, the random_password_length is the maximum length of the random words to use. Two random words will be used to create the password, joined together with a small number (up to 2 digits).

For nwa_picture_password, the random_password_length is ignored.

String. Identifier specifying how passwords are to be created. It may be one of the following identifiers:

nwa_digits_password to create a password using random digits. The length of the password is specified by the random_password_length field.

nwa_letters_password to create a password using random lowercase letters (a through z). The length of the password is specified by the random_password_length field.

nwa_lettersdigits_password to create a password using random lowercase letters and digits (a through z and 0 through 9). The length of the password is specified by the random_password_length field.

nwa_alnum_password to create a password using a combination of random digits, uppercase letters and lowercase letters (a-z, A-Z and 0-9). The length of the password is specified by the random_password_length field.

nwa_strong_password to create a password using a combination of digits, uppercase letters, lowercase letters, and some punctuation. Certain characters are omitted from the password. The length of the password is specified by the random_password_length field.

nwa_complex_password to create a complex password string which contains uppercase letters, lowercase letters, digits and symbol characters.

nwa_complexity_password is dynamic and matches your complexity setting for password generation. For example, if you require your passwords to have both letters and digits, then this validator will confirm that the password has at least one of each.

nwa_words_password to create a random password using a combination of two randomly-selected words and a number between 1 and 99. The maximum length of each of the randomly-selected words is specified by the random_password_length field.

nwa_picture_password to create a password using the format string specified by the random_password_picture field.

String. The format string to use when creating a random password, if random_password_method is set to “nwa_picture_password”.

The length, in characters, of randomly generated account usernames.

For nwa_words_password, the random_username_length is the maximum length of the random words to use. Two random words will be used to create the username, joined together with a small number (up to 2 digits).

For nwa_picture_password, the random_username_length is ignored.

For nwa_sequence, the random_username_length is the length of the sequence number in the username; the sequence number will be zero-padded. For example, specifying a length of 4 will result in sequence numbers 0001, 0002, etc.

String. Identifier specifying how usernames are to be created. It may be one of the following identifiers:

nwa_sequence to assign sequential usernames. In this case, the multi_prefix field is used as the prefix for the username, followed by a sequential number; the number of digits is specified by the random_username_length field.

nwa_picture_password to create a random username using the format string specified by the random_username_picture field.

nwa_digits_password to create a username using random digits. The length of the username is specified by the random_username_length field.

nwa_letters_password to create a username using random lowercase letters. The length of the username is specified by the random_username_length field.

nwa_lettersdigits_password to create a username using random lowercase letters and digits. The length of the username is specified by the random_username_length field.

nwa_alnum_password to create a username using a combination of random digits, uppercase letters and lowercase letters. The length of the username is specified by the random_username_length field.

nwa_strong_password to create a username using a combination of digits, uppercase letters, lowercase letters, and some punctuation. Certain characters are omitted from the generated username to ensure its readability (for example, “o”, “O” and “0”). The length of the username is specified by the random_username_length field.

nwa_words_password to create a username using a combination of two randomly-selected words and a number between 1 and 99. The maximum length of each of the randomly-selected words is specified by the random_username_length field.

String. The format string to use when creating a username, if the random_username_method field is set to nwa_picture_password. See Format Picture String Symbols for a list of the special characters that may be used in the format string.

String. The IP address of the guest at the time the guest account was registered.This field may be up to 20 characters in length. The value of this field is not currently used by the system.

Integer. Role to assign to the account.The value of this field must be the integer ID of a valid RADIUS user role.

String. Name of the role assigned to the account.

Integer. Time period, in hours, after which the account will be enabled. This field is used when the modify_start_time field is set to start_after. The value is specified in hours and is relative to the current time. This field controls account creation behavior; it is not stored with created guest accounts.

Integer. Time at which the account will be enabled. The time should be specified as a UNIX timestamp.

String. The guest’s answer to the secret question that is stored in the secret_question field. To use this field, first add both the secret_question and secret_answer fields to a guest self-registration form. Then, in the self-service portal for a guest self-registration page, select the “Secret Question” as the Required Field. This configuration requires that guests provide the correct answer in order to reset their account password. Answers must match with regards to case in order to be considered as correct.

String. The guest’s secret question used to confirm the identity of a guest during a reset password operation.

Integer. Maximum number of simultaneous sessions allowed for the account.

Email address of the sponsor of the account. If the sponsor_email field can be inserted into an email receipt and used future emails, the “Reply-To” email address will always be the email address of the original sponsor, not the current operator Person who uses ClearPass Guest to create guest accounts or perform system administration. ClearPass Guest operators act as sponsors for guest access..

String. Name of the sponsor of the account. The default value of this field is the username of the current operator.

No Type. Field attached to submit buttons. This field controls account creation behavior; it is not stored with created guest accounts.

Integer. Login activity of the guest account. This field is available in views and may be used to determine the most recent start and stop time of guest account sessions.

String. Username of the account. This field may be up to 64 characters in length.

String. The guest’s company name.

String. The guest’s full name.