AAA, NAC, Guest Access & BYOD

Customize Guest Operator Login on CPPM

This document talks about creating custom translations rules to authenticate CPPM guest users via an authentication source and providing them different level of access.

 

Environment : This article best suits  for CPPM 6.2 version.

 

 

Below are the steps to Add the Operator Login Service  for Guest 

A: Configuration on Clear Pass Policy Manager.

1: Create Roles on CPPM.

Login to Clear Pass Policy Manager and Navigate to "Configuration » Identity » Roles" and Add a new role.

 

rtaImage.png

For this instance, we would create two roles named Help Desk 1 and Help Desk 2.

Note: The names are just for user understanding and can be any generic string. However we will map this role with proper access level later.

2: Map the roles created with Role Mapping policy.


Login to Clear Pass Policy Manager and Navigate to "Configuration » Identity » Role Mappings" and add a new Role Mapping Policy

Provide a generic name and default Role.

 

rtaImage (1).png

Then Map it with roles as shown below.

 

rtaImage (2).png

Note : The Authorization rules used here would be different for each environment.

3: Create an Enforcement Policy for this Role.


Login to Clear Pass Policy Manager and Navigate to "Configuration » Enforcement » Profiles" and click on Add Enforcement Profile.

Select the "Generic Application Enforcement" from Drop down menu and provide a Name.

 

rtaImage (3).png

Mapp this policy to the "Help Desk 1" Role which we created as shown below.

 

rtaImage (4).png

The attribute  "admin_privileges" will be used later in Clear Pass Guest Configuration.

The Summary of the above added Profile would be something as shown below.

 

rtaImage (5).png

Similarly create a policy for " Help Desk 1" also as shown below

 

rtaImage (6).png

4: Create a new Enforcement Policy.

Login to Clear Pass Policy Manager and Navigate to "Configuration » Enforcement » Policies" and click on Add a new Enforcement Policy  as shown below.

 

rtaImage (7).png

Make sure that the Enforcement type is Application and default Profile is selected as Deny Application Access profile.

Add the Roles as shown below.

 

rtaImage (8).png

Save this and the summary would be similar as shown below.

 

rtaImage (9).png

Save and Exit.

5: Add a service to handle this request.



Login to Clear Pass Policy Manager and Navigate to "Configuration » Services"

Click on " Add Service"

Select "Aruba Application Authentication" from the drop down and modify the service as shown below

 

rtaImage (10).png

Provide a Name based on our requirements and select the application as "Guest" as we would use this service to login to Guest module of CPPM. Enable "Authorization".

Select the Authentication Source as shown below.

 

rtaImage (11).png

Add the below Authorization source.

 

rtaImage (12).png

 

Map the Role mapping profile created earlier  in Step 2 to this Service

 

rtaImage (13).png

 

Map the Enforcement Policy  which we created in Step 4 to this service.

 

rtaImage (14).png

 

This completes the configuration of Clear pass Policy Manager.

 B: Configuration of Clear pass guest.

Login to Clear Pass Guest and navigate to " Home » Administration » Operator Logins » Translation Rules"

Click on "Create new translation rule" to create a new Translation Rule.

 

rtaImage (15).png

 

The Above Translation Rule means than whenever CPG gets a login request with Value = " Help Desk 1" , it will allow " Network Administrator" level.

Note: The Attribute name must be "Admin_privilege" as we have created enforcement policies with the same name.

Similarly create a rule for " Help Desk 2" as shown below.

 

rtaImage (16).png

 

We can map different Operator profiles created on " Home » Administration » Operator Logins » Profiles"

This completes the configuration of Clear Pass Guest.

 

Login to CPG as shown below with two different users which match the condition we have specified in the Service we created.

 

rtaImage (17).png

 

rtaImage (18).png

 

On CPPM, we would see the below in Access tracker.

 

rtaImage (19).png

 

Version history
Revision #:
1 of 1
Last update:
‎07-15-2014 05:26 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.