Occasional Contributor I

ClearPass Guest Role Override

Hi all. I am wondering if someone can help me with a role override issue I am having with a Guest Self-Registration. I have a role override set on the self-registration configuration but it is not triggering a CoA to change the user's role on the controller. I have a CoA enforcement profile in my guest login policy (below) with the name exactly matching my role that I selected on the guest side in brackets. 

Pomona-Test-EnfPolicy.jpg

Pomona-Test-AccountOverride.jpg

As I understand, these are the requirements for changing authorization once the account is approved. The problem is that I am not seeing any CoA sent from CPPM in Access Tracker so of course the role for the guest user is not changing. When I look in the Guest Application Log, I see the account approved and the role changed but nothing about a CoA from there either, which I would expect to see some sort of notification that the Guest module at least tried to initiate a CoA. Has anyone gotten this to function the way they want to? If so, can you see what I am missing? I am happy to include more screen shots if necessary.

Ted Randall
ACMX #582
ACCP
Guru Elite

Re: ClearPass Guest Role Override

Do you have an Aruba Change-User-Role enforcement profile built for that role?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: ClearPass Guest Role Override

Hi Tim. Yes, I do. Please see screen shot below. And you can see in the previous screenshot where this is being applied in the Enforcement Policy. I also have a user role on my controller called Registered-Guest. I would think that I should be able to see something in the Application Log on the Guest side when the account is approved that the CoA is triggered but I am not finding anything helpful there.

Pomona-Test-CoA-EnfProfile.jpg

Ted Randall
ACMX #582
ACCP
Guru Elite

Re: ClearPass Guest Role Override

Can you remove the brackets and try again?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: ClearPass Guest Role Override

Same result. The ClearPass Guest user guide does specifically say to put the role that is referenced on the guest side in brackets in the enforcement profile name. 

Ted Randall
ACMX #582
ACCP
Guru Elite

Re: ClearPass Guest Role Override

Hm ok. Best to open a TAC case then.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: ClearPass Guest Role Override

That may be my next step but I was hoping to avoid it if possible. Does anyone have an example of a validated config where this is working as expected?

Ted Randall
ACMX #582
ACCP
Guru Elite

Re: ClearPass Guest Role Override

It should be working exactly the way you have it configured.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: ClearPass Guest Role Override

I will try upgrading firmware to see if that helps (currently running 6.6.0). Is there anything that I should be seeing in the Guest Application Log?

Ted Randall
ACMX #582
ACCP
Guru Elite

Re: ClearPass Guest Role Override

I don’t think so.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480