Regular Contributor I
Posts: 159
Registered: ‎03-03-2011

ClearPass guest operator logins

I have an LDAP server specified with translation rules for operator logins, keying off memberOf contains for various AD groups and that all works. Users log in and get the correct role in Guest. However, in CPPM access tracker, all the requests show as rejected for the service "Guest Operator Logins". Users are indeed able to log in. The Guest Operator Logins service cannot be edited. This is running CPPM 6.2.0.54567.

guest_operator.JPG

Regards,

Josh
___________
ACMP, ACCP
Aruba
Posts: 113
Registered: ‎11-21-2011

Re: ClearPass guest operator logins

If you're not using the standard guest operator logins, then you can disable this default service in CPPM, to prevent the errors showing up in Access Tracker.

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: ClearPass guest operator logins

Guys,

I appreciate the LDAP server definition in ClearPass Guest and the LDAP translation rules for Operator logins for LDAP group membership - but shouldn't this kind of function be enabled in CPPM?

Sorry if I have missed something

thanks

nik

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: ClearPass guest operator logins

You can return a role name from CPPM to CPG but you still need to map the expression in CPG.

For example, we are returning a student role from CPPM using our campus single sign on system for authentication and LDAP for authorization.

We're sending the attribute admin_privileges with a value of CPG-Brandeis-Student which assigns the operator profile of Brandeis Student. CPPM has no concept of an operator profile which is why it needs to be mapped.

cpg-brandeis-student.PNG

cpg-brandeis-student-sso.PNG

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: ClearPass guest operator logins

Hi Tim,

Did you copy the original [Guest Operator Logins] service and edit it?

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: ClearPass guest operator logins

No, I created everything from scratch since the CPPM configuration for SAML/SSO is a bit different.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: ClearPass guest operator logins

Cool - so CPPM > match DB > TIPS role map > SSO role attribute value > CPG translation map based on attribute > CPG role

Sound right? (I still have more questions - thanks a mill BTW)

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: ClearPass guest operator logins

Tim,

Finally got it (after some troubleshooting and quiet office time)

You are completely correct - and thanks very much for your help - this is not the first time you have helped me out so it's much appreciated

You seem to have well and truly earned that MVP status!

All the best

nik

Guru Elite
Posts: 7,837
Registered: ‎09-08-2010

Re: ClearPass guest operator logins

Sorry for the delay! Glad you got it working!


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP