Occasional Contributor I

Clearpass Guest operator login with ldap

Hi.

I'd like my end users to be able to log on as a ClearPass guest operator and create guest users.

If I log in to https://server/tips/ as an LDAP user I get the correct role, and if I change the URL after logging in to /guest, everything works as it should.

But if I try to log in to https://server/tips/ directly it fails.

The Access Tracker reports login status accepted, but the webpage reports invalid username or password.

Re: Clearpass Guest operator login with ldap

Do you mean you can't log in to https://CLEARPASSIP/guest/?

You should use /guest/ for guest operators. In order for this authentication to work, you need to make sure you have the correct Service in place in Policy Manager. Out-of-the-box there is a Service named "[Guest Operator Logins]".

Do you see authentication requests for this Service (or similar Service if you have copied it)?


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Occasional Contributor I

Re: Clearpass Guest operator login with ldap

Sorry.

Yes, it's https://CLEARPASSIP/guest/ where I can't log in.

I copied the [guest operator logins] and created a service called copy_of_[guest operator logins].

And when I try to log in, this shows up in the Access Tracker (see attachment).

Re: Clearpass Guest operator login with ldap

Do you have PAP enabled?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Clearpass Guest operator login with ldap

And where can I check if PAP is enabled?

Aruba

Re: Clearpass Guest operator login with ldap

What does your Alerts tab say? Can you export that Access Tracker entry and attach?

You'll need to make sure the enforcement profile has a mapping that will set the admin_privileges attribute with a value that is then mapped on the Guest Operator Translation Rules.


------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba

Re: Clearpass Guest operator login with ldap


branngubbe wrote:

And where can I check if PAP is enabled?


Under CP Guest:

Configuration --> Authentication --> Internal Auth Type

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Re: Clearpass Guest operator login with ldap

2014-10-27 09_57_10-ClearPass Policy Manager - Aruba Networks.png

2014-10-27 09_57_23-ClearPass Policy Manager - Aruba Networks.png

 

2014-10-27 09_57_38-ClearPass Policy Manager - Aruba Networks.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Clearpass Guest operator login with ldap

Hi

Thanks for all the help!

First of all: PAP was enabled.

Second: The alarm was related to the use of LDAP over SSL and "Failed to verify server certs". I didn't really think that it had anything to do with this, but to get rid of the alert I changed the LDAP settings back to clear-text LDAP.

And then for the good news: I got it to work by adding multiple profiles which set admin_privileges to the correct role based on the memberOf attribute from AD.

So mission accomplished.

But what's bugging me is, why doesn't memberOf work with the operator translation rules in CP Guest? It seems so easy, but it just doesn't work...

Occasional Contributor I

Re: Clearpass Guest operator login with ldap

SNAG-0013.jpg

 

SNAG-0014.jpg

SNAG-0015.jpg

 

A couple more screen shots just to help others that may have the same problem.

Or perhaps you can suggest some settings that could make this even better?
