Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest operator login with ldap

  • 1.  Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 09:02 AM

    Hi.

     

    I'd like my end users to be able to log on as a ClearPass guest operator and create guest users.

     

    If I log in to https://server/tips/ as an LDAP user I get the correct role, and if I change the URL after logging in to /guest, everything works as it should.

     

    But if I try to log in to https://server/tips/ directly it fails.

     

    The Access Tracker reports login status accepted, but the webpage reports invalid username or password.



  • 2.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 09:27 AM

    Do you mean you can't log in to https://CLEARPASSIP/guest/?

     

    You should use /guest/ for guest operators. In order for this authentication to work, you need to make sure you have the correct Service in place in Policy Manager. Out-of-the-box there is a Service named "[Guest Operator Logins]".

     

    Do you see authentication requests for this Service (or similar Service if you have copied it)?



  • 3.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 09:34 AM

    Sorry.

    Yes, it's https://CLEARPASSIP/guest/ where I can't log in.

     

    I copied the [guest operator logins] and created a service called copy_of_[guest operator logins].

    And when I try to log in, this shows up in the Access Tracker (see attachment).



  • 4.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 09:36 AM

    Do you have PAP enabled?



  • 5.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 09:38 AM

    And where can I check if PAP is enabled?



  • 6.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 09:40 AM

    @branngubbe wrote:

    And where can I check if PAP is enabled?


    Under CP Guest

     

    Configuration --> Authentication --> Internal Auth Type



  • 7.  RE: Clearpass Guest operator login with ldap
    Best Answer

    Posted Oct 27, 2014 09:59 AM

    2014-10-27 09_57_10-ClearPass Policy Manager - Aruba Networks.png

    2014-10-27 09_57_23-ClearPass Policy Manager - Aruba Networks.png

     

    2014-10-27 09_57_38-ClearPass Policy Manager - Aruba Networks.png



  • 8.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 06:17 PM

    Hi

    Thanks for all the help!

     

    First of all: PAP was enabled.

    Second: The alarm was related to the use of LDAP over SSL and Failed to verify server certs. I didn't really think that it had anything to do with this, but to get rid of the alert I changed the LDAP settings back to clear-text LDAP.

     

    And then for the good news: I got it to work by adding multiple profiles which set the admin_privileges to the correct role based on the memberOf attribute from AD.

    So mission accomplished.

     

    But what's bugging me is: why doesn't memberOf work with the operator translation rules in CP Guest? It seems so easy, but it just doesn't work...



  • 9.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 06:34 PM

    SNAG-0013.jpg

     

    SNAG-0014.jpg

    SNAG-0015.jpg

     

    A couple more screenshots just to help others that may have the same problem.

    Or perhaps you can suggest some settings that could make this even better?



  • 10.  RE: Clearpass Guest operator login with ldap

    Posted Oct 27, 2014 09:39 AM

    What does your Alerts tab say?  Can you export that Access Tracker entry and attach?

     

    You'll need to make sure the enforcement profile has a mapping that will set the admin_privileges attribute with a value that is then mapped on the Guest Operator Translation Rules.