MVP
Posts: 395
Registered: ‎05-09-2013

ClearPass Custom Admin Privileges

Having some trouble getting this custom admin privilege to work. I believe the structure and code are correct, but I keep getting a page with nothing on it when I log in.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Tue Nov 04 15:45:12 UTC 2014" version="6.4"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="true" accessType="FULL" name="BYOD-User" description="A user with the ability to add/remove/modify devices they have created in the endpoints database for BYOD">
      <AdminTask taskid="con.id.ep">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>

 

 

Am I missing something?


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass Custom Admin Privileges

Best way is to export an existing role and modify it.

 

Also, this will allow all users access to the entire endpoint database.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 395
Registered: ‎05-09-2013

Re: ClearPass Custom Admin Privileges

I exported the Receptionist one and modified the information with what is in the user guide for Endpoint Repository access only, but when I upload it back in, it is blank.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass Custom Admin Privileges


Here, try importing the attached XML file. It worked fine for me.

 

Also keep in mind that this role you are creating allows all users full access to ALL endpoint records. Someone with this privilege could log in and delete all records.

 

 

custom-admin.JPG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 395
Registered: ‎05-09-2013

Re: ClearPass Custom Admin Privileges

Has there been any update to this? Is it possible to restrict the user account to only the devices the user has logged in with? 

 

Ironically I'm in the exact same scenario as before.

 

So - students who bring BYOD devices log in through a web login page on the guest network. We want to limit those users to 2 devices, but allow them to add/remove devices if they want. The devices are not listed in the Guest Device Repository, but the Endpoints instead. Is there a way to have them in the Guest Device Repository and linked to specific usernames?

 

If not, any recommendations on how to proceed with this?


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: ClearPass Custom Admin Privileges

The devices would need to be in the guest device repository via device registration. The main CPPM interface is not designed for end user access.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: ClearPass Custom Admin Privileges

Michael,

 

You can definitely do this, but it will use Guest Licenses. What you will need to do is redirect students to the Guest Self-service portal. Then, they can register the MAC addresses for their devices. Once they register a device's MAC address, ClearPass will trigger a CoA to bounce that device (assuming we have the information as to where the device connected).

 

When a student logs back in to the self service portal, they will only see the devices that they registered. In the Operator Profile for the students, you can limit the number of accounts that the profile can create.

 

 

Thanks,

Zach Jennings
MVP
Posts: 395
Registered: ‎05-09-2013

Re: ClearPass Custom Admin Privileges

Don't mean to revive an old thread, but I'm still running into this same issue. I'm working on a ClearPass 6.2.6 hardware appliance and trying to configure a custom admin privilege for their Security team.

 

I tried exporting the Help Desk admin role, modified it to only give access to the Local User DB: "con.id.lu" for "RWD". I also tried copying the code from the 6.2 User Guide and modifying for that same access. 

 

My outcome is always the same: when I log in successfully, it is simply a blank ClearPass page. It does not have the menu options on the left column, but shows the header (ClearPass Logo + Username / Role) and footer with the Date and CPPM version.

 

I've also tried changing the access to "con.id" and also "con" and still the same result. I've tried using the "mon" condition instead, but still nothing. Any idea what I could be missing here?

 

Thanks.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com