MVP
Posts: 702
Registered: ‎03-25-2009

ClearPass - using different role mappings & role id

So I have a need to use 2 different "Guest Roles" role mappings.

 

I changed the default [guest roles] one to "My Roles1" through the /guest plugin manager. This works fine.

Now however I need another role mapping "My Roles2" which I should be able to use as the role-id in self-registration portals and other captive portals.

 

I suppose I need to create my own version of the role-id field for this? What is a bit beyond me is how I can tie my own "My Roles2" role mapping into this. I'm guessing I can't simply use the same options generator in that field?

 

Has anyone done this before or am I going the wrong way about this?

 

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ClearPass - using different role mappings & role id

What are you trying to do?  You can only have one role map per service.  Keep in mind that an authentication can derive to multiple roles.  You should select evaluate all for that to occur.  In that instance, you can then say in the enforcement profile if MyRole1 AND MyRole2 exist, then the intended action.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 702
Registered: ‎03-25-2009

Re: ClearPass - using different role mappings & role id

I'm simply trying to have 2 different self-registration portals that use 2 different role mappings.

 

For example

Self-reg portal 1: captain - lieutenant - cannon fodder

Self-reg portal 2: employee - contractor - guest 

 

Problem is I don't want to show the roles from portal 1 to users from portal 2 and vice versa.

I would need to be able to clearly identify/differentiate users from both portals in the same guest user database.

 

I am talking about the role mapping used when creating users though, not just the role mapping after authenticating.

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 4,004
Registered: ‎07-20-2011

Re: ClearPass - using different role mappings & role id

See if this thread helps you out :

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Create-new-account-roles-on-ClearPass-Guest/m-p/84170/highlight/true#M864

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: ClearPass - using different role mappings & role id

Yes...that should help you out (link above).  But...you will need to create two self-reg pages with two services, CP profiles on the controller, two URLs, etc...

 

In each self-reg page, you will edit the form where the user selects the role and create the list there.  In terms of creating those roles, the thread above will help you

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
MVP
Posts: 702
Registered: ‎03-25-2009

Re: ClearPass - using different role mappings & role id

That is creating more roles within the same role mapping.

I would prefer to be able to use 2 completely different role mappings if possible.

My problem is I have no idea how to point 1 selfreg portal to use role mapping 1 where selfreg portal 2 uses role mapping 2.

I can only configure 1 role mapping that will be used by both selfreg portals through /guest > Administration » Plugin Manager > ClearPass Guest Services. So how do I get the role id in selfreg portal 2 to use a different role mapping?

I'm guessing I need to create a second role id field but here I'm stuck as the default role id doesn't actually reference a role mapping anywhere.

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 4,004
Registered: ‎07-20-2011

Re: ClearPass - using different role mappings & role id

Once you create the self registration page and you create the role it should pick it up automatically from the list of available user roles that you defined under the role mapping and enforcement:

 

Guest1

Guest2

Employee

Contractor

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 702
Registered: ‎03-25-2009

Re: ClearPass - using different role mappings & role id

It does that for 1 role mapping yes from what you configured in /guest > Administration » Plugin Manager > ClearPass Guest.

I need it to use another role mapping.

Or did I misunderstand you?

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 4,004
Registered: ‎07-20-2011

Re: ClearPass - using different role mappings & role id


That's correct.

 

It's kind of what you do with the controller, you configure and then you decide what role will use based on what you define in the enforcement.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 702
Registered: ‎03-25-2009

Re: ClearPass - using different role mappings & role id

And that part I get but is not what I want to achieve..

1 selfreg portal needs to have another set of roles that the user can subscribe to than the other.

Per default [Guest Roles] is the rolemapping used for this. 

This mapping goes as follows:

(GuestUser:[Role ID] EQUALS 1) [Contractor]
(GuestUser:[Role ID] EQUALS 2) [Guest]
(GuestUser:[Role ID] EQUALS 3) [Employee]

 

So selfreg users can 'choose' one of those 3 roles. The Role ID field will look at /guest > Administration » Plugin Manager > ClearPass Guest to know it needs to map the values in the Role ID field with those names.

My idea was to use that role mapping for one service and the mapping below for a different service and keep them completely separated.

 

[My Roles] is mapped as follows:

(GuestUser:[Role ID] EQUALS 1) captain 
(GuestUser:[Role ID] EQUALS 2) lieutenant 
(GuestUser:[Role ID] EQUALS 3) cannon fodder 

 

The problem is that the Role ID field always looks at what is configured in /guest > Administration » Plugin Manager > ClearPass Guest and I was hoping there was a way to copy the Role ID field and have it point to My Roles rolemapping.

 

 

I guess I won't be able to do that and will have to use a single rolemapping which has all 6 roles and then limit the values that can be selected from this rolemapping per service used with the validator arguments or something.

 

(GuestUser:[Role ID] EQUALS 1) [Contractor]
(GuestUser:[Role ID] EQUALS 2) [Guest]
(GuestUser:[Role ID] EQUALS 3) [Employee]

(GuestUser:[Role ID] EQUALS 4) captain
(GuestUser:[Role ID] EQUALS 5) lieutenant
(GuestUser:[Role ID] EQUALS 6) cannon fodder

 

Koen (ACMX #351 | ACDX #547 | ACCP)
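
The fallback described in the last post (one combined mapping, with each portal limited to its own Role IDs) only separates the two user populations if the limit is enforced on the submitted value, not just in the list shown on the form. A stand-alone Python model of that check, added here and not ClearPass configuration or code from any poster; the portal names, the ID split per portal and all function names are assumptions.

```python
import re

# Combined role mapping, rule text as written in the last post of the thread.
COMBINED_MAPPING = """\
(GuestUser:[Role ID] EQUALS 1) [Contractor]
(GuestUser:[Role ID] EQUALS 2) [Guest]
(GuestUser:[Role ID] EQUALS 3) [Employee]
(GuestUser:[Role ID] EQUALS 4) captain
(GuestUser:[Role ID] EQUALS 5) lieutenant
(GuestUser:[Role ID] EQUALS 6) cannon fodder
"""

# Assumption: IDs each portal may hand out; the portal names are hypothetical.
PORTAL_ALLOWED = {"portal1": {4, 5, 6}, "portal2": {1, 2, 3}}
RULE = re.compile(r"^\(GuestUser:\[Role ID\] EQUALS (\d+)\)\s+(.+?)\s*$")

def parse_mapping(text):
    """Return {role_id: role_name}; reject malformed lines and duplicate IDs."""
    roles = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        role_id = int(m.group(1))
        if role_id in roles:
            raise ValueError(f"duplicate Role ID {role_id}")
        roles[role_id] = m.group(2).strip("[]")
    return roles

def audit_portals(roles, allowed):
    """List config problems: IDs missing from the mapping or shared by portals."""
    problems, seen = [], {}
    for portal, ids in sorted(allowed.items()):
        for rid in sorted(ids):
            if rid not in roles:
                problems.append(f"{portal}: Role ID {rid} not in mapping")
            if rid in seen:
                problems.append(f"Role ID {rid} offered by {seen[rid]} and {portal}")
            seen.setdefault(rid, portal)
    return problems

def resolve_role(portal, submitted, roles, allowed):
    """Validate a submitted role_id string server-side; return the role name."""
    if not re.fullmatch(r"[0-9]{1,4}", submitted):
        raise ValueError("role_id must be a small positive integer")
    rid = int(submitted)
    if rid not in allowed.get(portal, set()) or rid not in roles:
        raise PermissionError(f"role_id {rid} not permitted for {portal}")
    return roles[rid]
```
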
