Super Contributor II

Clearpass onboard - Capture user email directly

Hi All,

 

I am implementing Onboard for an education client and have come across a potential new feature request but wanted to put it out there first in case there is already a way to do this.

 

We want to use the email reminder feature to notify users that their enrolment is going to expire. The issue is that the directory we are querying doesn't always have the email address field populated. In addition to this, the email addresses are the student email addresses issued by the organisation and we'd like to be able to prompt the user for their current email so that we can ensure they are reachable. The emails provided by the institution are not always used by the students.

 

I looked at the web login settings but it seems there is no simple way to add a field asking for email address. Is there any way this can be achieved?

 

Scott

Aruba

Re: Clearpass onboard - Capture user email directly

Scott,

One issue is that CPPM will not write to the AD or LDAP and currently I believe the email lookup is dependent on the AD integration to pull the email address. (I've asked engineering to confirm.)

 

 

I've run into this before at another customer and they had a restriction put in place where the student couldn't onboard a device (restriction in onboard authorization) unless they had an email address in AD.

 

Screen Shot 2014-06-30 at 10.15.39 PM.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Super Contributor II

Re: Clearpass onboard - Capture user email directly

Thanks for the quick response Troy.

 

Even if the attribute isn't written into LDAP it would be great if it could be stored as an endpoint attribute that could be queried when sending the expiry notification emails.

 

Scott

Aruba

Re: Clearpass onboard - Capture user email directly

That is the reason I asked engineering to confirm where we get the email from for the notifications. :) 

 

If it's an endpoint attribute you could force users to a landing page to get the updated email and then allow them to onboard. I hope to have an answer in the morning.

Thank You,
Troy

Super Contributor II

Re: Clearpass onboard - Capture user email directly

Hi Troy,

 

Did you end up getting a response from engineering?

 

Scott

Aruba

Re: Clearpass onboard - Capture user email directly

Here is a note that I got back:

 

"There are different settings to determine the email address. If the authentication is done with something that looks like an email address, that will be used to send the expiration warning, otherwise you have the options below to choose from:

 

Provisioning_Settings__Local_Device_Provisioning_.png

 

The last option, "Send a message to username@domain", assumes that the user provided just the "username" portion during the device enrollment, and the "domain" bit is supplied by the administrator in the "Unknown Domain" field.

 

IMO the easiest way to do this is to ensure that device enrollment is done based on email address and password - if that can't be done then the next best option is the username with a fixed domain."

Thank You,
Troy

Super Contributor II

Re: Clearpass onboard - Capture user email directly

Thanks for the follow up, that gives me some more options to work with.

 

I really appreciate your help as always.

 

Scott

Regular Contributor I

Re: Clearpass onboard - Capture user email directly

It appears the email alert for certificate expiry is based on the user's email address being present in the certificate. My users log in to the provision page with their AD credentials. How would I then get their email address into the certificate that is created by the local ClearPass CA?

Guru Elite

Re: Clearpass onboard - Capture user email directly

Their email isn't username@domain?


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Clearpass onboard - Capture user email directly

AD credentials are in a 4, 2, 1 format; i.e. John Smith = smitjo1 for AD and email would be john.smith@domain.com. Looks like we may have an SMTP alias set up so smitjo1@domain.com may work.
