Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest Control Who Can Sponsor

  • 1.  ClearPass Guest Control Who Can Sponsor

    Posted Apr 17, 2014 11:50 AM

    I have ClearPass Guest up and running, and users can submit registration requests to sponsors.  I have customized the registration page to use the sponsor lookup.

     

    The problem I am having is that any user in our Active Directory can sponsor someone, and I want to limit it to a select group of people.  I have created an AD group "WiFi Approvers", and put a few individual users in this group.  I then created a translation rule that assigns members of this group the operator profile of "Reception and Front Desk".

     

    If I do a test lookup on my server with a user that is NOT in this group, the lookup is successful, and returns:

    'profile_name' => 'Null Profile',

    If I do a test lookup on my server with a user that is in this group, the lookup is successful, and returns:

    'profile_name' => 'Reception and Front Desk',

    So I would think everything is good, but any user can sponsor someone.

     

    When I look in CPPM --> Access Tracker and open 

    under Authorization Attributes it says

    Authorization:[Guest User Repository]:SponsorName    admin

     

    and under Computed Attributes it has 

    GuestUser:sponsor_email           test@domain.com
    GuestUser:sponsor_profile_name    IT Administrators

     

    Now the sponsor this was sent to is named "test", not "Admin", so there is definitely something I am missing.

     

    Can I limit who can sponsor based on an AD group?

     



  • 2.  RE: ClearPass Guest Control Who Can Sponsor
    Best Answer

    Posted Apr 17, 2014 03:06 PM

    Read through the following thread on this topic:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/LDAP-Search-Filter-and-SEARCH/m-p/110375/highlight/true#M7034

     

    You need to create a custom LDAP filter; it can look something like this:

    (&
      (objectClass=user)
      (objectCategory=person)
      (|
        # Match users in any of these groups
        (memberOf=CN=Group1,OU=ou-name,DC=domain,DC=com)
        (memberOf=CN=Group2,OU=ou-name,DC=domain,DC=com)
        (memberOf=CN=Group3,OU=ou-name,DC=domain,DC=com)
      )
      (|
        # Match users by any of these criteria
        (sAMAccountName=*@SEARCH@*)
        (displayName=*@SEARCH@*)
        (cn=*@SEARCH@*)
        (sn=*@SEARCH@*)
        (givenName=*@SEARCH@*)
      )
    )
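
Added example, not part of the original post and not ClearPass code: a small Python check that evaluates a filter of the shape posted above against constructed directory entries, to confirm that only members of the approver group come back from the sponsor lookup. The group DN reuses the "WiFi Approvers" name from the question with the placeholder OU/DC values from the answer; the entries, the `can_sponsor` helper and the RFC 4515 escaping of the search text are assumptions made for illustration.

```python
import re
APPROVERS = "CN=WiFi Approvers,OU=ou-name,DC=domain,DC=com"  # constructed DN
# Filter in the shape posted above, reduced to one group and two search attributes.
FILTER = f"""
(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users in any of these groups
    (memberOf={APPROVERS})
  )
  (|
    (sAMAccountName=*@SEARCH@*)
    (displayName=*@SEARCH@*)
  )
)"""

def escape(value):  # RFC 4515 escaping: typed text cannot change the filter structure
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def parse(text, pos=0):  # parse one "(...)" node at pos -> (node, next_pos)
    if text[pos + 1] in "&|":
        op, pos, kids = text[pos + 1], pos + 2, []
        while text[pos] == "(":
            kid, pos = parse(text, pos)
            kids.append(kid)
        return (op, kids), pos + 1
    end = text.index(")", pos)
    attr, _, pattern = text[pos + 1:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1

def match(node, entry):  # entry: dict of lowercase attribute name -> list of values
    if node[0] in ("&", "|"):
        results = [match(kid, entry) for kid in node[1]]
        return all(results) if node[0] == "&" else any(results)
    unhex = lambda m: chr(int(m.group(1), 16))
    parts = [re.escape(re.sub(r"\\([0-9a-f]{2})", unhex, p)) for p in node[2].split("*")]
    rx = re.compile(".*".join(parts), re.I | re.S)
    return any(rx.fullmatch(v) for v in entry.get(node[1], []))

def can_sponsor(entry, search):  # would the lookup return this entry for this search?
    # "#" comment lines are dropped before parsing (RFC 4515 has no comment syntax)
    text = "".join(l.strip() for l in FILTER.splitlines() if not l.strip().startswith("#"))
    node, _ = parse(text.replace("@SEARCH@", escape(search)))
    return match(node, entry)

# Constructed entries; objectCategory is simplified to the short name used in the filter.
base = {"objectclass": ["top", "person", "user"], "objectcategory": ["person"]}
alice = {**base, "samaccountname": ["alice"], "displayname": ["Alice A"], "memberof": [APPROVERS]}
bob = {**base, "samaccountname": ["bob"], "displayname": ["Bob B"], "memberof": []}
```

`memberOf` holds direct group membership only, so a user who is in the approver group through a nested group will not match a filter like this.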



  • 3.  RE: ClearPass Guest Control Who Can Sponsor

    Posted Apr 17, 2014 04:24 PM

    Thanks Chris,

    This looks promising, I will update once I have tested this and let you know.



  • 4.  RE: ClearPass Guest Control Who Can Sponsor

    Posted Apr 23, 2014 03:59 PM

    That worked, thanks for your help.