Security

Reply
MVP
Posts: 85
Registered: ‎03-09-2015

Guest; Captive Portal; sponsor approval architecture

If I want CPPM to offer Guest as per following architecture/topology,

1. Visitors - Self registration, input in a field the email address of the sponsor from organisation they are visiting.. need a sponsor to approve before authenticated.

2. Contractors - Self registration, input in a field the email address of the sponsor from organisation they are visiting, and additionally, perhaps tick a checkbox to denote 'contractor' ... need a sponsor to approve and additionally vet whether really is a contractor obviously.

Pending sponsor approval for each scenario 1. and 2. different VLAN enforcement profile.

 

Can a 'sponsor approval' architecture be employed per se in the way it is depicted above ?

Such that sponsor receives an email when someone attempts to self-register and complete form.  They are denoted as an Operator in CPPM and then go in to approve access ?

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Guest; Captive Portal; sponsor approval architecture

For #2 it would be easier if you have two links on the main redirect
1. Guest
2. Contractors

I would suggest working with a Partner or Professional Service on the deployment. It is not as simple and click and go. You are going to need to have AD integration setup in guest and sponsor profiles setup in the guest side of CPPM.

Essentially you can do what you are looking for will a few design changes but it will take a minimum Advance Clearpass Training to know how to set it up.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 85
Registered: ‎03-09-2015

Re: Guest; Captive Portal; sponsor approval architecture

The additional 2 x HTTP landing pages makes sense.

But it's more the Guest Access Management Processes.. (referencing the 'ClearPass_Guest_User_Guide_6.6 at that also...).

It references 2 x fundamental distinct methods.

- Sponsored Guest Access

- Self Provisioned Guest Access

Yet, in a CPPM Guest presentation I had given to me by Aruba in my region, this slide insinuates there's  a blend between the two..

 

Automated Guest Self-Service.png

 

There's the Self Service part of provisioning one's information. 

Then the sponsor/operator part to confirm that guest is valid.

Then the enablement via the sponsor/operator clicking 'confirm'.

 

That above workflow depicted in the slide I literally need.

Coupled with the additional HTTP redirect for 'guest' vs 'contractor'.

Aruba
Posts: 1,548
Registered: ‎06-12-2012

Re: Guest; Captive Portal; sponsor approval architecture

I understand that, but all that slide shows is the work flow of Sponsored Access. Maybe its me but I dont see how it references both.

Like I stated before you can do what you are looking for but you would need to make a initial landing page and let the guest click the link to the proper provisioning page. CPPM does Not natively have an option to chose you are a contractor by checking a box.

You could do it with the API and custom HTML coding. The option I'm giving you is something that could be done without custom HTML coding. You will still need to setup AD integration for sponsors to log in and approve guest and setup custom roles for them to have access based on a AD group.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 85
Registered: ‎03-09-2015

Re: Guest; Captive Portal; sponsor approval architecture

Do away with the checkbox. Two different links for the two different competencies is fine.

And yes, the AD backhaul is implicit for the sponsors/operators to approve.

 

Sorry .. the Sponsored Guest Access detail in the Guest User Guide for CPPM 6.6 mentions 'operators/sponsors PROVISIONING guest accounts.. emailing/SMS'ing the receipt, etc'.. not simply APPROVING guest particulars that the guests enter.  Hence my confusion.

 

As per below.

 

Sponsored Guest Access.png

 

If this is purely the Sponsored Access method and no flavour/element of Self-Provisioning.. then that is what it will be.

New Contributor
Posts: 2
Registered: ‎02-10-2017

Re: Guest; Captive Portal; sponsor approval architecturenable option to override guest user’s role e

New Contributor
Posts: 2
Registered: ‎02-10-2017

enable option to override guest user’s role when sponsor confirms the account in Clearpass

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-enable-option-to-override-guest-user-s-role-when-sponsor/ta-p/234588

 

By following the above steps the sponsor will assign a desired role to a guest user and soon after the guest authenticates  against clearpass, In the access tracker we can have those attributes with role name so we can   impliment and enforce the policy's by sending the required roles to the controller to give him access

Search Airheads
Showing results for 
Search instead for 
Did you mean: