AAA, NAC, Guest Access & BYOD

Solutions for legacy and existing products and solutions, including Clearpass, CPPM, OnBoard, OnGuard, Guest, QuickConnect, AirGroup, and Introspect

How to allow users to export the auth source/local users data without passwords 

Jun 16, 2015 04:10 PM

Requirement:

I have a custom requirement to create a read/write role without the ability to export passwords in ClearPass.



Solution:

This can be achieved as follows:

 

We can edit the Admin Privileges under "Administration » Users and Privileges » Admin Privileges".

 

 

 



Configuration:

Log in to ClearPass and navigate to "Administration » Users and Privileges » Admin Privileges".

 

Export the default Network Administrator XML.

 

Open the XML in any XML editor.

 

The default contents are as below.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="true" accessType="FULL" name="Network Administrator" description="A network administrator is allowed to configure all the policies in the system">
      <AdminTask taskid="con">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="dnd">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="mon">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>

 

 

We can edit the contents as shown below and then import the edited file.

 

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="false" accessType="FULL" name="Network Administrator custom" description="A network administrator is allowed to configure all the policies in the system">
      <AdminTask taskid="con">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="dnd">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="mon">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>

 

 

 

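The only privilege change from the default XML is the allowPasswords attribute (the role name is also changed to "Network Administrator custom"):

<AdminPrivilege allowPasswords="false"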

 

A user logged in with this role will no longer be able to export the passwords of CPPM authentication sources or users.



Verification

Log in with the new role and try to export any authentication source or user credentials.

The exported XML file will not contain the password.

 

The attached file can be used to add the required Role.

 

It will create a new role named "Network Administrator custom".

 

 

 


Attachments:
AdminPrivileges.xml
