05-26-2015 04:59 PM
I am trying to find out how to stop a guest from self-sponsoring and allowing themselves access to the guest network without an internal employee. I have found, during testing, that if the guest were to do the following they actually get to validate and approve themselves on the guest network when self registration and sponsoring is used:
1. Create an account using the self registration page.
2. Fill in the sponsor email as an email they have access to. (Please note that our SMTP server has not locked the ClearPass server to send to local email addresses, therefore CPPM can send emails to external addresses - the SMTP server has very limited features and cannot enforce such a policy.)
3. User then somehow types the same URL on their PC that they are attempting to authenticate with and manages to reach the URL because we have a SourceNat policy to allow the guests to reach the CPPM server for authentication purposes during logon.
4. User then hits the confirm button and is now authenticated and approved to use the guest system.
Is there any way we can stop this from happening using ClearPass policy?
As mentioned earlier, the SMTP server being used has limited functionality and does not support restricting SMTP relay access according to destination emails.
05-26-2015 05:01 PM
Unfortunately there are only two options:
1) Restrict your corporate email domain for the username/email field (can't stop them from using their personal email).
2) Block users who have connected to your secure network from connecting to the guest network (using custom attributes).
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP