Super Contributor I
Posts: 321
Registered: ‎05-09-2013

ClearPass Custom Admin Privileges

Having some trouble getting this custom admin privilege to work. I believe the structure and code are correct, but I keep getting a page with nothing on it when I log in.

 

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Tue Nov 04 15:45:12 UTC 2014" version="6.4"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="true" accessType="FULL" name="BYOD-User" description="A user with the ability to add/remove/modify devices they have created in the endpoints database for BYOD">
      <AdminTask taskid="con.id.ep">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>

 

 

Am I missing something?

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 7,870
Registered: ‎09-08-2010

Re: ClearPass Custom Admin Privileges

Best way is to export an existing role and modify it.

 

Also, this will allow all users access to the entire endpoint database.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 321
Registered: ‎05-09-2013

Re: ClearPass Custom Admin Privileges

I exported the Receptionist one and modified the information with what is in the user guide for Endpoint Repository access only, but when I upload it back in, it is blank.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 7,870
Registered: ‎09-08-2010

Re: ClearPass Custom Admin Privileges


Here, try importing the attached XML file. It worked fine for me.

 

Also keep in mind that this role you are creating allows all users full access to ALL endpoint records. Someone with this privilege could log in and delete all records.

 

 



Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
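
Added example, not part of the original thread and not Aruba's code: a pre-import check that reads an admin privilege XML file in the format posted above and reports any privilege that grants write or delete on the endpoint task, which is the exposure the reply above warns about. It assumes the letters in the `type` attribute stand for read, write and delete; `audit_privileges` and `SENSITIVE_TASKS` are hypothetical names, and the sample input is constructed from the file in the first post.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://www.avendasys.com/tipsapiDefs/1.0"}

# Constructed sample, modelled on the privilege file posted earlier in the thread.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TipsContents xmlns="http://www.avendasys.com/tipsapiDefs/1.0">
  <TipsHeader exportTime="Tue Nov 04 15:45:12 UTC 2014" version="6.4"/>
  <AdminPrivileges>
    <AdminPrivilege allowPasswords="true" accessType="FULL" name="BYOD-User" description="BYOD endpoint self-management">
      <AdminTask taskid="con.id.ep">
        <AdminTaskAction type="RWD"/>
      </AdminTask>
    </AdminPrivilege>
  </AdminPrivileges>
</TipsContents>"""

# Task ids treated as sensitive; only con.id.ep (endpoints) appears in the thread.
SENSITIVE_TASKS = {"con.id.ep"}


def audit_privileges(xml_text, sensitive=SENSITIVE_TASKS):
    """Return one finding per sensitive task that grants write or delete."""
    if "<!DOCTYPE" in xml_text:
        # A privilege export needs no DTD; refuse it rather than expand entities.
        raise ValueError("DOCTYPE not allowed in privilege file")
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for priv in root.iterfind("t:AdminPrivileges/t:AdminPrivilege", NS):
        for task in priv.iterfind("t:AdminTask", NS):
            granted = set()
            for action in task.iterfind("t:AdminTaskAction", NS):
                granted.update(action.get("type", "").upper())
            # Assumption: R, W and D in the type attribute mean read, write, delete.
            risky = "".join(c for c in "WD" if c in granted)
            if task.get("taskid") in sensitive and risky:
                findings.append({
                    "privilege": priv.get("name"),
                    "taskid": task.get("taskid"),
                    "actions": "".join(c for c in "RWD" if c in granted),
                    "risky": risky,
                })
    return findings


if __name__ == "__main__":
    for f in audit_privileges(SAMPLE):
        print("{privilege}: {taskid} grants {actions} (review: {risky})".format(**f))
```
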
Super Contributor I
Posts: 321
Registered: ‎05-09-2013

Re: ClearPass Custom Admin Privileges

Has there been any update to this? Is it possible to restrict the user account to only the devices the user has logged in with? 

 

Ironically I'm in the exact same scenario as before.

 

So - students who bring BYOD devices log in through a web login page on the guest network. We want to limit those users to 2 devices, but allow them to add/remove devices if they want. The devices are not listed in the Guest Device Repository, but the Endpoints instead. Is there a way to have them in the Guest Device Repository and linked to specific usernames?

 

If not, any recommendations on how to proceed with this?

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 7,870
Registered: ‎09-08-2010

Re: ClearPass Custom Admin Privileges

The devices would need to be in the guest device repository via device registration. The main CPPM interface is not designed for end user access.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: ClearPass Custom Admin Privileges

Michael,

 

You can definitely do this, but it will use Guest Licenses. What you will need to do is redirect students to the Guest Self-service portal. Then, they can register the MAC addresses for their devices. Once they register a device's MAC address, ClearPass will trigger a CoA to bounce that device (assuming we have the information as to where the device connected).

 

When a student logs back in to the self service portal, they will only see the devices that they registered. In the Operator Profile for the students, you can limit the number of accounts that the profile can create.

 

 

Thanks,

Zach Jennings