Super Contributor II

Clearpass guest ESSID

I need to set up guest authorisation based on the ESSID that the guest signed up via, so I need to check the ESSID value that is stored in the ESSID field of the guest user repository. I can't see this option in the drop-down box after selecting Authorization[guest user repository] on the role mapping page. Am I looking in the wrong place?

Re: Clearpass guest ESSID

You would do this via the service for guest auth. It should be RADIUS:Aruba --> Aruba-ESSID-Name --> EQUALS --> Value

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Super Contributor II

Re: Clearpass guest ESSID

Seth,

This won't work in my situation, I need to check the ESSID that is stored as part of the guest user account - I don't want to grant access via a connection on SSID "A" unless the account was created on SSID "A". The same guest connecting to SSID "B" needs to create a new account with ESSID "B" stored against the account, hence I need to check after the service has been matched.

Guru Elite

Re: Clearpass guest ESSID

You would need to write a custom attribute to the endpoint database when the user web authenticates.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor II

Re: Clearpass guest ESSID

Sounds tricky, any help on how to do this would be appreciated.

Re: Clearpass guest ESSID

Not tricky at all :)

If you create an endpoint or user you can add an attribute, and you can check on these during the policy evaluation in the enforcement.

What is the part you are unsure of?

MVP

Re: Clearpass guest ESSID

MattF, somewhat old thread. Did you figure out a way to do this?


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Super Contributor II

Re: Clearpass guest ESSID

Sorry I missed the last reply. Adding an attribute must be done manually, yes? We may have thousands of guest users signing up so this is not an option. I'm unsure of how to write a custom attribute to the database.

MVP

Re: Clearpass guest ESSID

No, you don't set it automagically. I haven't really gone through this in detail, but there should be several ways to get this done.

You can add an attribute in the registration form. Test for the value of this attribute during authentication.

OR you add the attribute after first authentication. Check how the Enf profile "Guest MAC Caching" adds attributes to the Endpoint. Here you can for example use Source (which is the name of the registration page).

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway