How to configure ClearPass Onboard Self-Service portal in CPPM.
Often times, it may be required to allow the users to manage their own Onboard device certificates. This will allow them to revoke or delete the device certificates from Clearpass Onboard for re-provisioning purposes, if required.
Some of the use-cases may include:
1. When they loose their device and want the device certificate to be revoked without the intervention of IT helpdesk.
2. If they want to Onboard a new device that they have got, but want to stay within max device restrictions per user as applicable, then they can delete their previous device certificate.
In this example, we will see how to login to ClearPass Guest with an username/password configured in ClearPass local database. Users can also use their AD credentials to login to ClearPass Guest. In anycase, Clearpass should be configured to send an application response:admin_privilege equals to BYOD Operator profile.
Navigate to Configuration » Identity » Local Users. Create a username 'byod' with the role [BYOD Operator]. [BYOD Operator] is one among the default roles available in CPPM.
We can use the default service [Guest Operator Logins] to authenticate this user. [Guest Operator Login] enforcement policy is designed in such a way that, if the user is a part of local user repository and if they are authenticated, it will send its Role-Name as an application response. In this case, it will send [BYOD Operator] as an admin_privilege.
Now, navigate to ClearPass Guest >> Administration >> Operator Logins >> Translation Rules. Create a new translation rule for BYOD Operator with attributes as shown below:
It is configured to check the Role attribute. If the value of Role attribute equals to BYOD Operator, then it will assign a fixed operator profile named BYOD Operator.
Now navigate to ClearPass Guest >> Administration >> Operator Logins >> Profiles.
Edit the BYOD Operator profile. Privileges for Onboard will be set as Custom by default.
Make the following changes so that BYOD Operator can view/delete their certificates and save the profile changes.
1. Set 'Delete Certificate' to FULL Access.
2. Set 'Manage Devices' to Read-Only Access.
2. Set 'Manage Own Devices' to FULL Access.
3. Set 'Revoke Certificate' to FULL Access.
4. Set 'View Own Certificate' to FULL Access.
Login to ClearPass Guest with byod username and its password.
Navigate to Onboard >> Management and Control >> View by Certificate. We would only see the certificates with common-name matching with the login username.
Here , we already have client certificate provisioned for 'byod' user and it can be seen as shown below:
As seen above, the user byod has got BYOD Operator profile and now they can delete or revoke their device certificate in CPPM Onboard, as required.
Access tracker requests of byod user-login to ClearPass Guest is shown below:
1. Access tracker Summary tab of byod user-login:
2. Access tracker Output tab showing admin_privileges equals to [BYOD Operator]:
If we want to login with AD credentials to ClearPass Guest, then [Guest Operator Logins] service should be copied and modified with appropriate Role-Mapping changes to enforce admin_privilege = BYOD Operator as an application response.