Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass guest 6.x ldap authentication

  • 1.  Clearpass guest 6.x ldap authentication

    Posted May 13, 2014 03:27 PM

    Dear Everybody,

     

    I need some help with ClearPass guest receptionist authentication.

    We have ClearPass 6.2 with the guest module. In the guest module we customized the guest receptionist's page. I created a profile for them and configured a translation rule. In CPPM we created the same role (in Configuration->Identity->Roles) and we created a new local user with this role. This works perfectly (when we log in as this user we get the customized receptionist page).

     

    But we would like to authenticate via LDAP and not a local user, but I have a problem with it.

     

    I set the authentication source but I don't know what is next. I guess I have to set up a service but I don't know how.

    Can you help me with the next steps to configure guest receptionist authentication via LDAP?

     

    Thank you in advance for your reply.

     

    Best regards

     

    D



  • 2.  RE: Clearpass guest 6.x ldap authentication
    Best Answer

    Posted May 13, 2014 04:08 PM

    1. Create your Authentication Source (sounds like you have this bit covered). But if not, create this under Configuration -> Authentication -> Sources.

    2. Create an Enforcement Profile under Configuration -> Enforcement -> Profiles. This is where you tell Guest which Operator Profile to assign to the authenticated user. Create one of type Generic Application Enforcement, with an Action of Accept, and add an attribute of admin_privileges = "Your Operator Profile". This should have a matching entry in Guest under Administration -> Operator Logins -> Translation Rules. A screenshot is attached as an example.

    3. Create an Enforcement Policy under Configuration -> Enforcement -> Policies. This is where you match on some information passed from your Authentication Source to accept or deny access in its simplest form. Create one of type Application, assign a Default Profile, e.g. [Deny Application Access Profile], set a rule to match your Authentication Source attributes that will, in turn, set your Enforcement Profile created in step 2. For example, you may set a rule that looks for both Tips:Role EQUALS [User Authenticated] AND Authorization:"Your Authentication Source":memberOf CONTAINS CN=groupname,OU=orgunit,DC=company,DC=com. This would look for a particular group membership in an Active Directory source for instance.

    4. Create a new service of type Aruba Application Authentication.

    5. Create two service rules:

    5a. Application - Name - EQUALS - Guest

    5b. Authentication - Type - NOT_EQUALS - SSO

    6. Under the Authentication tab, select the Authentication Source created in step 1.

    7. Under the Enforcement tab, select the Enforcement Policy created in step 3.

     

    That should be all.
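
Added example, not part of the original post and not ClearPass code: a simplified Python model of the decision the service in steps 4-5 and the enforcement policy in steps 2-3 make, useful for dry-running which accounts would receive an operator profile. The `Authentication:Type` value `Login`, the sample accounts, and the substring reading of CONTAINS are assumptions.

```python
# Simplified model (an assumption, not ClearPass code) of the service rules
# and enforcement policy described in steps 2-5 of the post above.
DENY = "[Deny Application Access Profile]"
OPERATOR_GROUP = "CN=groupname,OU=orgunit,DC=company,DC=com"  # placeholder DN from the post
OPERATOR_PROFILE = "Your Operator Profile"  # placeholder name from the post


def service_matches(request):
    """Step 5: both service rules must match for the service to be selected."""
    return (request.get("Application:Name") == "Guest"
            and request.get("Authentication:Type") != "SSO")


def enforce(request, roles, member_of):
    """Return what is handed back to Guest for one operator login.

    roles     -- Tips:Role values assigned after authentication
    member_of -- memberOf values fetched from the authentication source
    """
    if not service_matches(request):
        return None  # this service does not handle the request at all
    authenticated = "[User Authenticated]" in roles
    # Assumption: CONTAINS is modelled as a plain substring test per value.
    in_group = any(OPERATOR_GROUP in dn for dn in member_of)
    if authenticated and in_group:
        return {"profile": "operator", "admin_privileges": OPERATOR_PROFILE}
    return {"profile": DENY}  # step 3: default profile when no rule matches


# Constructed sample logins (not taken from the thread).
GUEST_LOGIN = {"Application:Name": "Guest", "Authentication:Type": "Login"}
CASES = {
    "receptionist": (GUEST_LOGIN, ["[User Authenticated]"], [OPERATOR_GROUP]),
    "other_staff": (GUEST_LOGIN, ["[User Authenticated]"],
                    ["CN=staff,OU=orgunit,DC=company,DC=com"]),
    "bad_password": (GUEST_LOGIN, [], [OPERATOR_GROUP]),
    "sso_login": ({"Application:Name": "Guest", "Authentication:Type": "SSO"},
                  ["[User Authenticated]"], [OPERATOR_GROUP]),
}


def dry_run():
    """Evaluate every constructed case and return {account: result}."""
    return {name: enforce(*args) for name, args in CASES.items()}


if __name__ == "__main__":
    for name, result in dry_run().items():
        print(f"{name:13} -> {result}")
```

Only the account that is both authenticated and a member of the named group receives `admin_privileges`; every other request handled by the service falls through to the default deny profile.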



  • 3.  RE: Clearpass guest 6.x ldap authentication

    Posted May 13, 2014 04:09 PM

    Image attached this time ;-)

     

    Screen Shot 2014-05-13 at 20.59.12.png



  • 4.  RE: Clearpass guest 6.x ldap authentication

    Posted May 13, 2014 04:52 PM

    Thank you for the super fast answer! :)

    I will try it.

    The translation rule is the same.



  • 5.  RE: Clearpass guest 6.x ldap authentication

    Posted May 14, 2014 10:35 AM

    I tried to configure it today but I have a problem with it. First I will show you my settings.

     

    In Enforcement profile - Attributes I can't find admin_privileges.

    Can you check my settings? Are these settings good? (you can see my attachments)

     

    I tried to authenticate to the guest module but I can't.

    In access tracker:

    tracker.PNG

     

    Thank you in advance for your reply.

    Best regards,

    D

     

     

     

     



  • 6.  RE: Clearpass guest 6.x ldap authentication

    Posted May 15, 2014 11:36 AM

    Hi,

     

    Any idea?

     

    Thanks!



  • 7.  RE: Clearpass guest 6.x ldap authentication
    Best Answer

    EMPLOYEE
    Posted May 15, 2014 11:41 AM

    For guest operator login you need to set up your LDAP on the guest side also.

     

    Screen Shot 2014-05-15 at 10.39.30 AM.png



  • 8.  RE: Clearpass guest 6.x ldap authentication
    Best Answer

    Posted May 15, 2014 12:12 PM

    Although admin_privileges doesn't show up in the list, you can still add it as an attribute/value pair. Your error, however, would suggest the user account you tested isn't valid?

     

    Screen Shot 2014-05-15 at 17.06.36.png

     

    #tarnold, I do not have an LDAP source configured in Operator Settings on Guest and it's working fine? I'm using 6.3.1, is this something new?



  • 9.  RE: Clearpass guest 6.x ldap authentication

    Posted May 18, 2014 07:15 AM

    Thanks for your help!

     

    Both solutions work perfectly (in the guest module with server and translation rules, and in CPPM with an enforcement profile).

     

    Which is preferred, or what are the differences between the two solutions?

     

    I have a strange problem:

    I can authenticate perfectly via LDAP to the guest module with both methods too. I get the right profile (IT, help desk, recept.) according to LDAP group.

     

    But I checked it in Access Tracker and I saw the following:

    access_tracker.PNG

     

    Any idea?

     

    Thanks!

     

    Airheads the best :).



  • 10.  RE: Clearpass guest 6.x ldap authentication

    Posted Feb 28, 2017 08:39 AM

    Thank you so much! It is not easy to configure and undocumented by Aruba. I have spent the last two days trying to get it to work until I found this post.