Security

Reply
Contributor II
Posts: 48
Registered: ‎12-17-2012

Administration of different roles in ClearPass Guest

Hello,

 

I am currently trying to see if I can utilize the different roles in ClearPass Guest to have separate user groups. For example, would it be possible to separate [Guest] users and [Contractor] users in ClearPass Guest?

 

I would like to be able to have a receptionist login in ClearPass Guest for [Guest] users - who only sees [Guest] users when he clicks on 'List Accounts'. Also, a second receptionist login should only see [Contractor] users.

 

I know there is a view called 'guest_users' and as far as I could see it doesn't distinguish between different roles. I would have to create a copy of the 'guest_users' view which only lists [Contractor] users.

 

But how do I manage to tie this view to the [Contractor] receptionist?

 

I know the ClearPass Guest software wasn't meant to handle this kind of thing but nevertheless it would be great if there would be some kind of solution!

 

Thanks for your help!

 

cheers,

Harald

MVP
Posts: 4,271
Registered: ‎07-20-2011

Re: Administration of different roles in ClearPass Guest

Is this what you are trying to do ?
http://community.arubanetworks.com/t5/Guest-Access/Create-new-account-roles-on-ClearPass-Guest/td-p/84170
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 48
Registered: ‎12-17-2012

Re: Administration of different roles in ClearPass Guest

Hi Victor,

 

creating the different roles was the first step. That was answered in the thread you referenced.

 

Now I would like to be able to have different receptionist users only see their [Guest] or [Contractor] accounts - if that is possible.

 

cheers,

Harald

Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Administration of different roles in ClearPass Guest

There is a way to do this.

 

What you need to do is tie the user login with an "operator profile" that is only allowed to create guests with a certain role if that is what you want.  For example, the contractor login would only allow guests to be created with a contractor role. You can also customize the guest creation and list forms/displays per operator login.  This requires some work and I'd recommend working with your respective Aruba SE to make this happen.  It does take a little bit of work to customize the forms in that manner.  If you just want to filter out the list accounts per login, this is a bit easier...see below.

 

Here is the gist...navigate to the ClearPass guest UI and hit up Administration --> operator logins --> profiles as shown below:

 

Screen Shot 2013-07-30 at 7.01.49 PM.png

 

Either duplicate the "receptionsing and front desk" role or create a new one.  I'd recommend duplicating that role to make the template easier.  Once you do that, edit this new role and then navigate to the section shown below called Operator Filter and select "only show accounts created by this operator" - 

 

Screen Shot 2013-07-30 at 7.01.24 PM.png

 

The trick now once you've done that is to assign this operator profile to the login so that when this user logs into Guest, he/she will get assigned this operator profile and apply the configuration as done in the above example.

 

To do that...on CP Guest, navigate to Administration --> operator logins --> Translation rules.  This is a list of translations from Policy Manager to the operator profiles above.  The "admin_privileges" value is a direct binding from an enforcement profile in Policy Manager.  

 

Screen Shot 2013-07-30 at 7.14.10 PM.png

 

From the new operator profile created above, create a new translation rule or edit one in the list.  Now...on the Clearpass Policy manager side, you should have a service named something like --> Guest Operator Login.  If you don't, you can easily create one from the Configuration --> Start Here --> Aruba Application Authentication.  The application name would be "Guest".

 

Screen Shot 2013-07-30 at 7.18.59 PM.png

 

If you do, take a look at the service and specifically, the Enforcement Policy in the service.  You will see something similar to the following. What you want to do is edit this and change it to reflect the translation rule created above tied to that user login account.  You may have to change the enforcement profile to equal the "admin_privileges" value created/modified in the translation rules on CP Guest.

 

Screen Shot 2013-07-30 at 7.19.59 PM.png

 

The Enforcement Profiles listed above are defaults as designated in the brackets.  Feel free to test/modify these to suit your deployment.  Let us know how you make out.  This is straightforward but there are some dependencies that are needed to make this work.  

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Search Airheads
Showing results for 
Search instead for 
Did you mean: