
How to allow users to export the auth source/local users data without passwords

by ‎06-16-2015 01:10 PM - edited ‎06-16-2015 01:10 PM
Requirement:

I have a custom requirement to create a read/write admin privilege without the ability to export passwords in ClearPass.



Solution:

This can be achieved as follows:

 

We can edit the Admin Privileges under "Administration » Users and Privileges » Admin Privileges".

 

 

 



Configuration:

Log in to ClearPass and navigate to "Administration » Users and Privileges » Admin Privileges".

 

Export the default Network Administrator XML.

 

Open the XML in any XML editor.

 

The default contents are as below.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="true" accessType="FULL" name="Network Administrator" description="A network administrator is allowed to configure all the policies in the system">
      <AdminTask taskid="con">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="dnd">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="mon">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>

 

 

Edit the contents as shown below and import the same file.

 

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="false" accessType="FULL" name="Network Administrator custom" description="A network administrator is allowed to configure all the policies in the system">
      <AdminTask taskid="con">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="dnd">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
      <AdminTask taskid="mon">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>

 

 

 

The only functional change to the default XML is the allowPasswords attribute (the name is also changed so that the import creates a new role):

<AdminPrivilege allowPasswords="false"

 

Now the user logged in with this role will not be able to export passwords of CPPM authentication sources or users.
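The edit described above can be scripted and checked before import. This is an added example, not part of the original article or of ClearPass itself; the function names and the shortened sample export are constructed for illustration, and treating a missing allowPasswords attribute as permissive is an assumption.

```python
import xml.etree.ElementTree as ET

NS = "http://www.avendasys.com/tipsapiDefs/1.0"  # namespace from the page's export
ET.register_namespace("", NS)  # serialize without ns0: prefixes

# Constructed sample: the default export shown above, shortened to one task.
DEFAULT_EXPORT = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Mon Jun 15 09:40:40 IST 2015" version="6.5"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="true" accessType="FULL" name="Network Administrator" description="A network administrator is allowed to configure all the policies in the system">
      <AdminTask taskid="con">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>"""


def _privileges(xml_text):
    """Parse an export and return (root, list of AdminPrivilege elements)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root, list(root.iter(f"{{{NS}}}AdminPrivilege"))


def password_exporting_roles(xml_text):
    """Names of privileges that can still export passwords."""
    _, privs = _privileges(xml_text)
    # Assumption: a missing attribute is flagged for review rather than trusted.
    return [p.get("name") for p in privs
            if p.get("allowPasswords", "true").lower() != "false"]


def restrict_password_export(xml_text, suffix=" custom"):
    """Return import-ready XML with allowPasswords="false" and a new role name."""
    root, privs = _privileges(xml_text)
    for p in privs:
        p.set("allowPasswords", "false")
        if not p.get("name", "").endswith(suffix):
            p.set("name", p.get("name", "") + suffix)  # import creates a new role
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + body


if __name__ == "__main__":
    print(password_exporting_roles(DEFAULT_EXPORT))
    print(restrict_password_export(DEFAULT_EXPORT))
```

Running password_exporting_roles over a full Admin Privileges export gives a quick list of the roles that can still export passwords.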



Verification

Log in with the new role and try to export any authentication source or user credentials.

The exported XML file will not contain the password.

 

The attached file can be used to add the required Role.

 

It will create a new role named "Network Administrator custom".

 

 

 


Attachments:
AdminPrivileges.xml