How to configure device limitations for different users in ClearPass OnBoard?
It is possible to configure ClearPass to allow certain users to Onboard more devices than the global limit.
It is assumed that we have a working Onboard setup. The Onboard provisioning settings are configured to allow one device per user, using the RADIUS protocol for authorization, as shown below:
If the requirement is to allow certain groups of users to Onboard more devices than other users, follow the procedure below.
To allow users who are members of the Domain Admins group in Active Directory to Onboard more than one device, we can use the following enforcement profile.
In this example, we want to allow Domain Admins to Onboard 2 devices. The condition and the number of devices are variable; the Domain Admins group is chosen only as an example.
1. Configuration » Enforcement » Profiles » Edit Enforcement Profile.
2. Select the Aruba RADIUS enforcement template, navigate to the Attributes tab, select the Aruba-Mdps-Max-Devices attribute and set it to 2, as shown below:
3. Navigate to Configuration » Services » Edit - Onboard Authorization Service and apply the profile as shown below. Set the default profile to [Allow Access Profile], which applies the maximum device count specified in the provisioning profile to all other users.
If a normal user who is not part of the Domain Admins group tries to Onboard a second device, they will get the following message during the provisioning process, and the QuickConnect logs on Windows and Android will exit with HTTP status code 403 (Forbidden).
A similar error can be seen in the ClearPass Guest application logs, as shown below:
If you have Onboard Authorization configured with App-Auth, then the following enforcement profile can be used instead:
1. Configuration » Enforcement » Profiles.
2. Select the Generic Application enforcement template, set ClearPass-Onboard-Max-Devices to the required limit, and apply this enforcement profile to the Onboard App-Authorization service.
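The following is an added example, not ClearPass code or part of the original article: a small Python model of the authorization logic that both the RADIUS (Aruba-Mdps-Max-Devices) and App-Auth (ClearPass-Onboard-Max-Devices) procedures above configure. It assumes first-match rule evaluation with the provisioning-profile limit as the fallback, and it lets you check boundary cases (a Domain Admin with 2 devices already enrolled, a normal user with 1) before testing on real clients. The users, groups and rule list are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed model of the enforcement policy described in the article.
# The attribute names are the article's; the evaluation order is an assumption.
GLOBAL_MAX_DEVICES = 1  # limit from the Onboard provisioning settings


@dataclass
class EnforcementRule:
    required_group: str   # AD memberOf condition, e.g. "Domain Admins"
    max_devices: int      # value placed in *-Max-Devices by the profile


@dataclass
class OnboardUser:
    name: str
    groups: set = field(default_factory=set)
    enrolled_devices: int = 0


def effective_max_devices(user, rules, default=GLOBAL_MAX_DEVICES):
    """Return the device limit that applies to this user.

    Rules are checked top to bottom; the first whose group condition
    matches supplies the max-devices attribute.  If none match, the
    default profile applies and the provisioning-profile limit is used.
    """
    for rule in rules:
        if rule.required_group in user.groups:
            return rule.max_devices
    return default


def authorize_enrollment(user, rules):
    """True if one more device may be provisioned for this user.

    False corresponds to the 403 (Forbidden) the client sees when the
    number of already-enrolled devices has reached the effective limit.
    """
    limit = effective_max_devices(user, rules)
    return user.enrolled_devices < limit


if __name__ == "__main__":
    rules = [EnforcementRule("Domain Admins", 2)]
    admin = OnboardUser("alice", {"Domain Admins"}, enrolled_devices=1)
    user = OnboardUser("bob", {"Domain Users"}, enrolled_devices=1)
    print("alice second device:", authorize_enrollment(admin, rules))  # True
    print("bob second device:", authorize_enrollment(user, rules))     # False
```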