This document describes how to create custom translation rules in ClearPass Guest so that operator logins are authenticated by ClearPass Policy Manager (CPPM) against an external authentication source and granted different levels of access.
Environment: This article applies to CPPM 6.2.
Below are the steps to add an Operator Login service for ClearPass Guest.
A: Configuration on ClearPass Policy Manager.
1: Create Roles on CPPM.
Log in to ClearPass Policy Manager, navigate to "Configuration » Identity » Roles" and add a new role.
For this example we create two roles named Help Desk 1 and Help Desk 2.
Note: The role names are only labels and can be any string; the actual access level is assigned later, when each role is mapped to an enforcement profile.
2: Map the roles with a Role Mapping policy.
Navigate to "Configuration » Identity » Role Mappings" and add a new Role Mapping Policy.
Provide a name and a default role.
Then add the mapping rules that assign the two roles, as shown below.
Note: The authorization attributes used in the rules (for example, group membership returned by the authorization source) differ for each environment. Choose a default role that is not mapped to any enforcement profile granting operator access, so that a user who matches no rule falls through to the deny profile configured in step 4.
3: Create Enforcement Profiles for the roles.
Navigate to "Configuration » Enforcement » Profiles" and click Add Enforcement Profile.
Select "Generic Application Enforcement" from the drop-down menu and provide a name.
Add the attribute for the "Help Desk 1" role we created, as shown below.
The attribute name "admin_privileges" and its value ("Help Desk 1") are what ClearPass Guest will match on in the translation rules later, so note the exact spelling.
The summary of the profile would look as shown below.
Similarly, create a second profile for the "Help Desk 2" role, returning admin_privileges with the value "Help Desk 2".
4: Create a new Enforcement Policy.
Navigate to "Configuration » Enforcement » Policies" and click Add Enforcement Policy, as shown below.
Make sure that the Enforcement Type is Application and that the Default Profile is "[Deny Application Access Profile]", so that any user whose role matches none of the rules is refused operator login.
Add one rule per role, mapping Help Desk 1 and Help Desk 2 to the profiles created in step 3, as shown below.
Save the policy; the summary would be similar to the one shown below.
5: Add a service to handle the operator login request.
Navigate to "Configuration » Services" and click "Add Service".
Select "Aruba Application Authentication" from the drop-down and configure the service as shown below.
Provide a name and select "Guest" as the application, since this service will handle logins to the Guest module of CPPM. Enable "Authorization".
Select the authentication source (the directory holding the operator accounts) as shown below.
Add the authorization source shown below; this is the source that returns the attributes evaluated by the role-mapping rules.
Map the Role Mapping policy created in step 2 to this service.
Map the Enforcement Policy created in step 4 to this service.
This completes the configuration of ClearPass Policy Manager.
B: Configuration of ClearPass Guest.
Log in to ClearPass Guest and navigate to "Home » Administration » Operator Logins » Translation Rules".
Click "Create new translation rule".
The translation rule above means that whenever ClearPass Guest receives a login response containing admin_privileges = "Help Desk 1", the operator is granted the "Network Administrator" operator profile.
Note: The attribute name in the rule must be spelled exactly as in the enforcement profiles (admin_privileges in this example); if the names differ, the rule never matches.
Similarly create a rule for "Help Desk 2" as shown below.
Any operator profile, including custom ones created under "Home » Administration » Operator Logins » Profiles", can be mapped in the same way. Map each role to the profile with the fewest rights its users actually need.
This completes the configuration of Clear Pass Guest.
To verify, log in to ClearPass Guest with two different users, one matching each role-mapping rule, and confirm that each receives the expected operator profile.
On CPPM, the two requests appear in Access Tracker (Monitoring » Live Monitoring » Access Tracker), showing the role assigned and the enforcement profile returned for each login.
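The following is an added example, not ClearPass code, that models the decision chain the configuration above builds: authorization attributes are evaluated by the role-mapping rules (step 2), the resulting role selects an enforcement profile or the default deny profile (steps 3 and 4), and ClearPass Guest's translation rules turn the returned attribute into an operator profile (section B). The group DNs, the sample users, the "Help Desk" operator profile used for Help Desk 2, and the treatment of a login whose attribute matches no translation rule are constructed assumptions; it also shows what happens when the attribute name in the translation rules does not match the one the enforcement profiles return.

```python
# Added example (not ClearPass code): a model of the CPPM -> ClearPass Guest
# operator-login decision chain. Group DNs, sample users, the "Help Desk"
# operator profile and the no-match fallback are constructed assumptions.

DENY_PROFILE = "[Deny Application Access Profile]"   # default profile of step 4
DEFAULT_ROLE = "[Other]"                             # default role of step 2
ATTRIBUTE = "admin_privileges"                       # attribute set in step 3

# Step 2: role-mapping rules, evaluated top-down, first match wins.
# (authorization attribute, required value, role). memberOf is assumed to be
# a multi-valued attribute returned by the authorization source.
ROLE_MAPPING_RULES = [
    ("memberOf", "CN=HelpDesk-L1,OU=Groups,DC=example,DC=com", "Help Desk 1"),
    ("memberOf", "CN=HelpDesk-L2,OU=Groups,DC=example,DC=com", "Help Desk 2"),
]

# Steps 3 and 4: enforcement policy, role -> attributes the profile returns.
ENFORCEMENT_POLICY = {
    "Help Desk 1": {ATTRIBUTE: "Help Desk 1"},
    "Help Desk 2": {ATTRIBUTE: "Help Desk 2"},
}

# Section B: ClearPass Guest translation rules,
# (attribute, value) -> operator profile, first match wins.
TRANSLATION_RULES = [
    (ATTRIBUTE, "Help Desk 1", "Network Administrator"),
    (ATTRIBUTE, "Help Desk 2", "Help Desk"),   # assumed profile for Help Desk 2
]

# The misconfiguration the note warns about: the rules look for an attribute
# name that differs from the one the enforcement profiles return.
MISSPELLED_RULES = [
    ("Admin_privilege", "Help Desk 1", "Network Administrator"),
    ("Admin_privilege", "Help Desk 2", "Help Desk"),
]


def map_role(authz_attrs, rules=ROLE_MAPPING_RULES, default=DEFAULT_ROLE):
    """Role mapping: the first rule whose attribute contains the value wins."""
    for attr, value, role in rules:
        if value in authz_attrs.get(attr, []):
            return role
    return default


def enforce(role, policy=ENFORCEMENT_POLICY):
    """Enforcement policy: the matched profile's attributes, else the deny profile."""
    if role in policy:
        return dict(policy[role])
    return DENY_PROFILE


def translate(profile_attrs, rules=TRANSLATION_RULES):
    """Translation rules: the first rule whose attribute/value pair is present wins."""
    for attr, value, operator_profile in rules:
        if profile_attrs.get(attr) == value:
            return operator_profile
    return None


def operator_login(username, authz_attrs, translation_rules=TRANSLATION_RULES):
    """Run the whole chain for one login; returns a dict shaped like an Access Tracker row."""
    role = map_role(authz_attrs)
    enforcement = enforce(role)
    record = {"user": username, "role": role, "operator_profile": None}
    if enforcement == DENY_PROFILE:
        record["result"] = "REJECT"   # deny profile: modelled as a rejected login
        return record
    profile = translate(enforcement, translation_rules)
    if profile is None:
        # The returned attribute matched no translation rule. Modelled here as an
        # accepted authentication with no operator profile granted (assumption;
        # check the Guest operator-login configuration for the real fallback).
        record["result"] = "ACCEPT, no operator profile"
        return record
    record["result"] = "ACCEPT"
    record["operator_profile"] = profile
    return record


if __name__ == "__main__":
    # Constructed sample users: one per help-desk group and one in neither.
    l1 = {"memberOf": ["CN=HelpDesk-L1,OU=Groups,DC=example,DC=com"]}
    l2 = {"memberOf": ["CN=HelpDesk-L2,OU=Groups,DC=example,DC=com"]}
    staff = {"memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]}
    for user, attrs in (("alice", l1), ("bob", l2), ("carol", staff)):
        print(operator_login(user, attrs))
    print(operator_login("alice", l1, MISSPELLED_RULES))
```

The third user shows why the default profile in step 4 must be the deny profile: "carol" matches no role-mapping rule, receives the default role, and is rejected rather than silently given some operator profile. The last call shows the attribute-name mismatch from the note in section B: the login is accepted by CPPM, but no translation rule fires and no operator profile is granted.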