08-14-2013 06:24 AM
I have an LDAP server specified with translation rules for operator logins, keying off memberOf contains for various AD groups and that all works. Users log in and get the correct role in Guest. However, in CPPM access tracker, all the requests show as rejected for the service "Guest Operator Logins". Users are indeed able to log in. The Guest Operator Logins service cannot be edited. This is running CPPM 184.108.40.206567
03-03-2014 11:13 PM
I appreciate the LDAP server definition in ClearPass Guest and the LDAP translation rules for Operator logins for LDAP group membership - but shouldn't this kind of function be enabled in CPPM?
Sorry if I have missed something
03-04-2014 03:52 AM - edited 03-04-2014 03:53 AM
You can return a role name from CPPM to CPG but you still need to map the expression in CPG.
For example, we are returning a student role from CPPM using our campus single sign on system for authentication and LDAP for authorization.
We're sending the attribute admin_privileges with a value of CPG-Brandeis-Student which assigns the operator profile of Brandeis Student. CPPM has no concept of an operator profile which is why it needs to be mapped.
03-04-2014 06:27 AM
No, I created everything from scratch since the CPPM configuration for SAML/SSO is a bit different.
03-04-2014 06:42 AM
cool - so CPPM > match DB > TIPS role map > SSO role attribute value > CPG translation map based on attribute > CPG role
sound right? (I still have more questions - thanks a mill BTW)
03-04-2014 10:34 AM
Finally got it (after some troubleshooting and quiet office time)
you are completely correct - and thanks very much for your help - this is not the first time you have helped me out so it's much appreciated
you seem to have well and truly earned that MVP status!
all the best