Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass enforcing role to Instant

  • 1.  ClearPass enforcing role to Instant

    Posted Mar 12, 2014 03:17 PM

    I'm having trouble passing a Role to an Instant using ClearPass.

    It's not clear if I'm going about this the right way. This is my first attempt at doing this.

    I have an Employee SSID set up on Instant to use ClearPass Onboard to provision and authenticate users.

    The default role on the Employee SSID has an external captive portal, which points to the Onboard QuickConnect app.

    That part works great.  I can log in, go to the portal, download QuickConnect, and install certificates. Works just like the normal controller-based routine.

    The problem I'm having is getting ClearPass to change the default role of the Employee SSID to something else (allow all).

    Without changing the default role, my client can only get to the captive portal.

    I've got user roles set up in both ClearPass and Instant with the same name.

    My ClearPass service for Onboard Provisioning is applying the right role. Looking at the Access Tracker, roles and enforcement profiles are being correctly assigned.  I'm not sure if they are being accepted by the Instant AP.

    I basically have two settings on my Onboard Provisioning.

    First is the Role tab.  I set up a role in ClearPass and it gets assigned.

    Second is the Enforcement tab.  I have an enforcement profile set to the following:

    Radius:Aruba    Aruba-User-Role    CRA_Instant          (type, name, value) ("CRA_Instant" is the name of the Role I'm trying to apply)

    Now the canned choices from the drop-down menu are nothing like the value I have above.  Most look like %{Authorization:Active Directory:Name} or something similar.  I'm not sure if I can just type in the name of a role I configured or if I have to use the language that is part of the drop-down.

    Nothing in the drop-down list by default looks to be anything I could use in terms of Roles.

    Maybe using enforcement as described above is not the way to go about this?

    Any help, especially if I'm going off on a tangent, is appreciated.

    Regards,

    Colin



  • 2.  RE: ClearPass enforcing role to Instant

    EMPLOYEE
    Posted Mar 12, 2014 05:31 PM

    You can simply type the name (case-sensitive) of the Aruba user role there.  You don't need to worry about the drop down list.

    Can you cut and paste the IAP config?
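An added example (not from this thread and not HPE Aruba code) of what that enforcement profile puts on the wire: the Aruba-User-Role value travels in a RADIUS Vendor-Specific attribute (type 26, Aruba enterprise number 14823, vendor type 1) inside the Access-Accept, as a literal, case-preserved string. The encoder builds that attribute for "CRA_Instant", and the decoder pulls the role back out of a constructed attribute list, which is the check to run against a packet capture when the Access Tracker shows the role assigned but the IAP does not seem to apply it.

```python
import struct
from typing import Optional

# Standard values: RADIUS Vendor-Specific attribute type (RFC 2865),
# Aruba Networks' IANA enterprise number, and the Aruba-User-Role vendor type.
RADIUS_VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823
ARUBA_USER_ROLE = 1


def encode_aruba_user_role(role: str) -> bytes:
    """Build the Vendor-Specific attribute an Access-Accept carries for
    'Radius:Aruba  Aruba-User-Role = <role>'. The role goes out as a plain,
    case-preserved string: it must match the IAP's access-rule name exactly."""
    value = role.encode("ascii")
    vendor_attr = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    payload = struct.pack("!I", ARUBA_VENDOR_ID) + vendor_attr
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(payload)) + payload


def decode_aruba_user_role(attrs: bytes) -> Optional[str]:
    """Walk a RADIUS attribute list (everything after the 20-byte header) and
    return the Aruba-User-Role string, or None if no such VSA is present."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        body = attrs[i + 2:i + alen]
        i += alen
        if atype != RADIUS_VENDOR_SPECIFIC or len(body) < 6:
            continue
        if struct.unpack("!I", body[:4])[0] != ARUBA_VENDOR_ID:
            continue
        j = 4  # one VSA may carry several vendor sub-attributes; walk them all
        while j + 2 <= len(body):
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("malformed vendor sub-attribute length")
            if vtype == ARUBA_USER_ROLE:
                return body[j + 2:j + vlen].decode("ascii")
            j += vlen
    return None


# Constructed sample: the attribute list of an Access-Accept carrying a
# Session-Timeout (type 27) of 3600 seconds followed by the Aruba-User-Role VSA.
SAMPLE_ACCEPT_ATTRS = struct.pack("!BBI", 27, 6, 3600) + encode_aruba_user_role("CRA_Instant")
```

Because the decoder preserves case, comparing its result with the role names in the IAP's wlan access-rule blocks shows at once whether a spelling or case mismatch is why the AP falls back to the SSID's default role.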



  • 3.  RE: ClearPass enforcing role to Instant

    Posted Mar 12, 2014 06:31 PM

    Full config file attached.

    CRA_IAP_Employee is the SSID I'm having issues with.

    Default access role would be "CRA_IAP_Employee"

    Access role I'm trying to apply is "CRA_Instant"

    The SSID config tab for Access Rules, as viewed in the GUI, defaults to Network-based.  Reading from prior posts this is expected and as-designed.

    What I'm not sure of is, if I send a RADIUS request to change the role from default, will the config change to role based?

    Here are the config portions that may be of interest (not in order shown in config file):

    wlan ssid-profile CRA_IAP_Employee
     enable
     index 1
     type employee
     essid CRA_IAP_Employee
     opmode wpa2-aes
     max-authentication-failures 0
     vlan 15
     auth-server clearpasscra
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64

    wlan access-rule CRA_Instant
     index 2
     rule any any match any any any permit

    wlan access-rule CRA_IAP_Employee
     index 3
     captive-portal external profile Employee
     rule any any match any any any permit
     rule 10.1.100.128 255.255.255.255 match tcp 443 443 permit
     rule 10.1.100.128 255.255.255.255 match tcp 80 80 permit
     rule 173.194.0.0 255.255.0.0 match tcp 443 443 permit
     rule 74.125.0.0 255.255.0.0 match tcp 443 443 permit
     rule 209.85.0.0 255.255.0.0 match tcp 443 443 permit
     rule any any match any any any deny

    wlan auth-server clearpasscra
     ip 10.1.100.128
     port 1812
     acctport 1813
     key 3ab42c4060d6db48e5882ecb4b2a0e696756c5120a1185ff
     rfc3576
     cppm-rfc3576-port 5999

    wlan external-captive-portal Employee
     server 10.1.100.128
     port 443
     url "/guest/landing.php/device_provisioning2.php"
     auth-text ""
     auto-whitelist-disable
     https
