Occasional Contributor II

ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Hi,

 

I am trying to set up a service to identify particular users from AD with a certain memberOf group to be able to manage the guest access portal (add/remove accounts, current sessions etc.).  Problem I'm having is that even users with the "FAILED" login status are able to log in and manage the portal.

 

I'm sure I have something not configured properly and was wondering if someone could post any suggestions.

Frequent Contributor I

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Can you post the service policy you have configured? Which Operator role are you setting in ClearPass Guest? Have you adjusted the Operator profile accordingly?
Any amount of Kudos will be greatly appreciated!!!
Occasional Contributor II

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Here is the CFG of the service I am using with enforce policy and role.  If you need more info, I can get it =D

 

[Attached screenshots: 1.PNG, 2.PNG, 3.PNG, 4.PNG, 5.PNG]

Frequent Contributor I

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Two things at first glance:

 

1. You aren't utilising the Role Mapping in your enforcement so it is not needed in this scenario.

2. Try using the FQDN of the AD group membership in your enforcement profile. E.g. CN=group,DC=company,DC=com.

 

What is strange however is that your users are still being allowed access when a reject is being applied?!? Can you post a screenshot of the "Summary" tab for the failed attempt?

 

On the Guest side, you should have a translation under your Operator settings that should match admin_privileges = LobbyAdmin and set the correct profile.

Occasional Contributor II

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Hi,

 

Here are the screenshots.

 

 

[Attached screenshots: 1.PNG, 2.PNG]

 

 

Frequent Contributor I

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Updating the enforcement profile group name with the FQDN of the group should fix the role mapping and enforcement statements
Occasional Contributor II

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Where do I update the group name?  Sorry, I'm still new with ClearPass.

Frequent Contributor I

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Update your Enforcement Policy ENFORCE_AGU - Guest Operator Logins, then update the rule Authorization:SOURCE_AD_AGRIUM:memberOf to EQUALS the FQDN of the group name in AD, e.g. CN=groupname,DC=company,DC=com.

 

You can find this if you look under the Input tab on your failed attempt, and check the memberOf section under the RADIUS attributes.

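A pre-check for the rule change described in the post above, as an added example (not from the thread and not ClearPass code): it compares the value typed into the memberOf rule with memberOf values copied from the Input tab and explains a miss. It assumes EQUALS is an exact string comparison; the group names and DNs are constructed sample data.

```python
import re

# Constructed sample: memberOf values as they might appear on the Input tab.
MEMBER_OF = [
    "CN=GuestOperators,OU=Groups,DC=company,DC=com",
    "CN=Domain Users,CN=Users,DC=company,DC=com",
]

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped.
    Simplification: an escaped backslash directly before a comma is not handled."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def normalize_dn(dn):
    """Lower-cased, unpadded form for near-miss detection; None if not a DN."""
    rdns = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            return None  # e.g. a bare group name such as "GuestOperators"
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns) if rdns else None

def diagnose(rule_value, member_of):
    """Return (verdict, closest_value) for an exact-match (assumed EQUALS) rule."""
    if rule_value in member_of:
        return ("match", rule_value)
    want = normalize_dn(rule_value)
    for dn in member_of:
        if want is not None and normalize_dn(dn) == want:
            # Same group, but the strings differ: copy the value verbatim.
            return ("differs-only-in-case-or-spacing", dn)
        rdns = split_dn(dn)
        leaf = rdns[0].partition("=")[2].strip().lower() if rdns else ""
        if want is None and leaf == rule_value.strip().lower():
            # Rule holds only the short name; the attribute holds the full DN.
            return ("bare-name-use-full-dn", dn)
    return ("no-match", None)  # the request falls through to the default rule

if __name__ == "__main__":
    for candidate in (
        "GuestOperators",
        "cn=guestoperators, ou=Groups, dc=company, dc=com",
        "CN=GuestOperators,OU=Groups,DC=company,DC=com",
        "CN=GuestOperators,OU=Groups,DC=company,D=com",  # mistyped component
    ):
        print(f"{candidate!r:55} -> {diagnose(candidate, MEMBER_OF)}")
```

A `no-match` or near-miss verdict means the request would reach the policy's default rule, so the value in the rule should be pasted exactly as it appears in the memberOf attribute.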
Occasional Contributor II

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

Ok,

 

This seems to have helped.  I can now adjust the Profiles within the guest portal \ Administration \ Profiles and change access accordingly.


The problem though is that access tracker says it's rejected and applies the default deny policy (yet it still lets me log in and manage accounts).

 

WebAuthService Applied Reject profile

Frequent Contributor I

Re: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

I've just tested this in version 6.3.1.62009 and the default [Deny Application Access Profile] does correctly reject the login attempt and prevent access to ClearPass Guest.

 

Which version are you using?
