05-12-2014 07:30 AM - last edited on 05-13-2014 06:17 PM by Jamie E
I am trying to set up a service to identify particular users from AD with a certain memberOf group to be able to manage the guest access portal (add/remove accounts, current sessions, etc.). The problem I'm having is that even users with the "FAILED" login status are able to log in and manage the portal.
I'm sure I have something not configured properly and was wondering if someone could post any suggestions.
05-12-2014 07:38 AM
05-12-2014 08:12 AM
Two things at first glance:
1. You aren't utilising the Role Mapping in your enforcement so it is not needed in this scenario.
2. Try using the FQDN of the AD group membership in your enforcement profile. E.g. CN=group,DC=company,DC=com.
What is strange however is that your users are still being allowed access when a reject is being applied?!? Can you post a screenshot of the "Summary" tab for the failed attempt?
On the Guest side, you should have a translation under your Operator settings that should match admin_privileges = LobbyAdmin and set the correct profile.
05-12-2014 08:36 AM
05-12-2014 09:12 AM
Update your Enforcement Policy ENFORCE_AGU - Guest Operator Logins, then update the rule Authorization:SOURCE_AD_AGRIUM:memberOf to EQUALS the FQDN of the group name in AD, e.g. CN=groupname,DC=company,DC=com.
You can find this if you look under the Input tab on your failed attempt, and check the memberOf section under the RADIUS attributes.
05-12-2014 09:45 AM
This seems to have helped. I can now adjust the Profiles within the guest portal \ Administration \ Profiles and change access accordingly.
The problem though is that Access Tracker says it's rejected and applies the default deny policy (yet it still lets me log in and manage accounts).
WebAuthService Applied Reject profile
05-12-2014 12:05 PM
I've just tested this in version 220.127.116.11009 and the default [Deny Application Access Profile] does correctly reject the login attempt and prevent access to ClearPass Guest.
Which version are you using?