Occasional Contributor II
Posts: 11
Registered: ‎04-18-2013

Clearpass guest 6.x ldap authentication


Dear Everybody,

 

I need some help with ClearPass guest receptionist authentication.

We have ClearPass 6.2 with the guest module. In the guest module we customized the guest receptionists' page. I created a profile for them and configured a translation rule. In CPPM we created the same role (in Configuration -> Identity -> Roles) and we created a new local user with this role. This works perfectly (when we log in with this user we get the customized receptionist page).

 

However, we would like to authenticate via LDAP rather than a local user, but I have some problems with it.

 

I set the authentication source but I don't know what comes next. I guess I have to set up a service, but I don't know how.

Can you help me with the next steps to configure guest receptionist authentication via LDAP?

 

Thank you in advance for your reply.

 

Best regards

 

D

Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Clearpass guest 6.x ldap authentication

1. Create your Authentication Source (sounds like you have this bit covered). But if not, create this under Configuration -> Authentication -> Sources.

2. Create an Enforcement Profile under Configuration -> Enforcement -> Profiles. This is where you tell Guest which Operator Profile to assign to the authenticated user. Create one of type Generic Application Enforcement, with an Action of Accept, and add an attribute of admin_privileges = "Your Operator Profile". This should have a matching entry in Guest under Administration -> Operator Logins -> Translation Rules. A screenshot is attached as an example.

3. Create an Enforcement Policy under Configuration -> Enforcement -> Policies. This is where you match on some information passed from your Authentication Source to accept or deny access, in its simplest form. Create one of type Application, assign a Default Profile, e.g. [Deny Application Access Profile], and set a rule to match your Authentication Source attributes that will, in turn, set your Enforcement Profile created in step 2. For example, you may set a rule that looks for both Tips:Role EQUALS [User Authenticated] AND Authorization:"Your Authentication Source":memberOf CONTAINS CN=groupname,OU=orgunit,DC=company,DC=com. This would look for a particular group membership in an Active Directory source, for instance.

4. Create a new service of type Aruba Application Authentication.

5. Create two service rules:

5a. Application - Name - EQUALS - Guest

5b. Authentication - Type - NOT_EQUALS - SSO

6. Under the Authentication tab, select the Authentication Source created in step 1.

7. Under the Enforcement tab, select the Enforcement Policy created in step 3.

 

That should be all.

Any amount of Kudos will be greatly appreciated!!!
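
An added example, not part of the original post and not ClearPass code: a small Python model of the service rules (step 5) and the enforcement policy (step 3), for dry-running which operator profile a directory user would receive before entering the rules in CPPM. The group DNs, profile names, sample request, first-match rule order and the plain-substring reading of CONTAINS are assumptions.

```python
# Dry-run model of steps 3-5. Illustration only; all sample values are constructed.
DENY = "[Deny Application Access Profile]"  # default profile from step 3

# Constructed sample request; the Authentication:Type value is a placeholder.
REQ = {"Application:Name": "Guest", "Authentication:Type": "Login"}

# Step 3: ordered rules mapping an LDAP group DN to the admin_privileges value
# (the operator profile name) carried by the enforcement profile from step 2.
RULES = [
    ("CN=it-admins,OU=groups,DC=company,DC=com", "IT Operator Profile"),
    ("CN=helpdesk,OU=groups,DC=company,DC=com", "Help Desk Operator Profile"),
    ("CN=reception,OU=groups,DC=company,DC=com", "Receptionist Operator Profile"),
]


def service_matches(request):
    """Step 5: both service rules must hold for this service to be used."""
    return (request.get("Application:Name") == "Guest"
            and request.get("Authentication:Type") != "SSO")


def enforce(request, tips_role, member_of):
    """Return the admin_privileges value, DENY, or None if the service is skipped."""
    if not service_matches(request):
        return None  # request is not handled by this service at all
    if tips_role != "[User Authenticated]":
        return DENY  # failed or unauthenticated logins never reach a group rule
    for dn, profile in RULES:  # assumed: first matching rule wins
        # CONTAINS modelled as a plain substring test on each memberOf value
        if any(dn in group for group in member_of):
            return profile
    return DENY  # no group matched: fall back to the default profile


if __name__ == "__main__":
    both = [RULES[1][0], RULES[2][0]]  # user in help desk and reception groups
    print(enforce(REQ, "[User Authenticated]", both))
    print(enforce(REQ, "[User Authenticated]", ["CN=staff,OU=groups,DC=company,DC=com"]))
```

A user who belongs to more than one mapped group gets the profile of the first rule that matches, so order the rules from most to least privileged only if that is the outcome you intend.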
Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Clearpass guest 6.x ldap authentication

Image attached this time ;-)

 

Screen Shot 2014-05-13 at 20.59.12.png

Any amount of Kudos will be greatly appreciated!!!
Occasional Contributor II
Posts: 11
Registered: ‎04-18-2013

Re: Clearpass guest 6.x ldap authentication

Thank you for the super fast answer! :)

I will try it.

The translation rule is the same.

Occasional Contributor II
Posts: 11
Registered: ‎04-18-2013

Re: Clearpass guest 6.x ldap authentication

I tried to configure it today but I have some problems with it. First I will show you my settings.

 

In Enforcement Profile - Attributes I can't find admin_privileges.

Can you check my settings? Are these settings good? (you can see my attachments)

 

I tried to authenticate to the guest module but I can't.

In access tracker:

tracker.PNG

 

Thank you in advance for your reply.

Best regards,

D

 

 

 

 

Occasional Contributor II
Posts: 11
Registered: ‎04-18-2013

Re: Clearpass guest 6.x ldap authentication

Hi,

 

Any idea?

 

Thanks!

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Clearpass guest 6.x ldap authentication

For guest operator login you need to set up your LDAP on the guest side also.

 

Screen Shot 2014-05-15 at 10.39.30 AM.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Clearpass guest 6.x ldap authentication

Although admin_privileges doesn't show up in the list, you can still add it as an attribute/value pair. Your error, however, would suggest the user account you tested isn't valid?

 

Screen Shot 2014-05-15 at 17.06.36.png

 

#tarnold, I do not have an LDAP source configured in Operator Settings on Guest and it's working fine? I'm using 6.3.1, is this something new?

Any amount of Kudos will be greatly appreciated!!!
Occasional Contributor II
Posts: 11
Registered: ‎04-18-2013

Re: Clearpass guest 6.x ldap authentication

Thanks for your help!

 

Both solutions work perfectly (in the guest module with server and translation rules, and in CPPM with an enforcement profile).

 

Which is preferred, or what are the differences between the two solutions?

 

I have a strange problem:

I can authenticate perfectly via LDAP to the guest module with both methods. I get the right profile (IT, help desk, recept.) according to LDAP group.

 

But I checked it in Access Tracker and I saw the following:

access_tracker.PNG

 

Any idea?

 

Thanks!

 

Airheads the best :).

Occasional Contributor II
Posts: 12
Registered: ‎09-22-2016

Re: Clearpass guest 6.x ldap authentication

Thank you so much! It is not easy to configure and is undocumented by Aruba. I have spent the last two days trying to get it to work until I found this post.
