Occasional Contributor II

ClearPass Guest portal with Mac-Caching - changing role in endpoint repository

Hi

 

I have set up a Guest portal with self-registration and sponsor, and I use different roles (including two custom ones).

MAC caching works fine and new roles are sent to the controller correctly via RADIUS CoA.

In my setup, guests obtain the default guest role after registration, and changing the role is done from ClearPass-Guest->Manage Accounts.

(Changing the role isn't done from the sponsor form.)

One problem I have encountered is that I don't know how to send the guest's new role to the Endpoint Repository after modifying it in the guest account (from ClearPass-Guest->Manage Accounts).

If I change it manually in the Endpoint Repository, it is OK, but it is not comfortable for my client.

Is there any way to change the role in the Endpoint Repository automatically after account modification?

I would be very glad for any help and advice.

 

Karol

 

Guru Elite

Re: ClearPass Guest portal with Mac-Caching - changing role in endpoint repository

It will get updated when the user logs in again through the captive portal. There is no automatic method outside of that.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass Guest portal with Mac-Caching - changing role in endpoint repository

Thanks for the fast response.

So should I somehow enforce a second web login?

Or maybe change the role manually in the Endpoint Repository?

No other way?

So how do I enforce a re-login of the guest? I understand that I have to enforce a re-login somehow.

regards

K

Guru Elite

Re: ClearPass Guest portal with Mac-Caching - changing role in endpoint repository

Clear the MAC-Auth Expiry attribute.

It’s not common to change a guest role after the login event.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass Guest portal with Mac-Caching - changing role in endpoint repository

Hi Tim

 

Thanks for your answer.

In my case, setting the role is almost always done after login.

I'm wondering if it is possible to have two versions of the sponsor approval page: one without a field for selecting the role and a second with such a field.

Could it be selected based on a group in AD, for example?

 

regards

 

K
