Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Sponsor/Operator with single AD account requires dual personality in ClearPass

  • 1.  Guest Sponsor/Operator with single AD account requires dual personality in ClearPass

    Posted May 07, 2015 12:11 PM

    Here's the deal - I am working on a migration from two old homebrew guest sponsor systems. And I ran into this goofy situation where I have a group of guest sponsors/operators with access to both systems.  On both systems they authenticate with their AD credentials.  They can create guest accounts on both systems and it's all good because they are two different systems for different reasons.  One is a restricted guest system and the other is the normal guest system, etc.  

     

    Now we want to consolidate these disparate systems into ClearPass.  The problem is that they do have legitimate reasons for creating two different types of accounts.  So this same group of users needs to be able to create accounts for the restricted use case, and this means they need to be part of a special group (operator role in CPPM).  But they also need to be able to sponsor regular guest accounts as individuals.   And they would like to be able to authenticate with their AD accounts in both cases.  

     

    I think this may be possible with ClearPass by creating two sets of sponsor user roles (sponsor_A & sponsor_B) and then creating two separate operator profiles on CPG.  

     

    But the question I am stuck with is... "If this sponsor logs in to the sponsor portal with his/her AD account. How can I determine when s/he needs to be placed in role "A" when they want to sponsor users as part of this special user group?  And how can I determine when s/he needs to be placed in role "B" to sponsor guests as an individual?"  

     

    Has anyone out there run into this sort of requirement?  I am not an AAA/NAC expert, so I am hoping there is something obvious that I am missing here.  Any help/guidance is greatly appreciated!!! 

     



  • 2.  RE: Guest Sponsor/Operator with single AD account requires dual personality in ClearPass

    EMPLOYEE
    Posted May 07, 2015 12:51 PM
    So this sponsor user just needs to be able to give out two different access roles?


  • 3.  RE: Guest Sponsor/Operator with single AD account requires dual personality in ClearPass

    Posted May 07, 2015 01:24 PM

    Hi Tim - this sponsor needs to be able to selectively log in to the operator login page and assume one of two possible roles, each tied to a different operator profile so we can apply different access privileges. The possible roles would be something like:

     

    "Sponsor_A" - he and other members of this special group would be able to see any accounts any of them create. 

    "Sponsor_B" - he would be treated like any generic guest sponsor in clearpass.

     

    But how could I derive role A or role B for the same user in ClearPass?



  • 4.  RE: Guest Sponsor/Operator with single AD account requires dual personality in ClearPass
    Best Answer

    EMPLOYEE
    Posted May 07, 2015 02:00 PM

    The only way I can think of would be to have the user append something to their username.

     

    For example:

     

    Role 1

    User would use username:  username@role1

     

    Role 2

    User would use username:  username@role2

     

    You can then write policy that says:

    Full-Username    CONTAINS   @role1

    AND

    Authorization:AD    Groups     EQUAL   priv-group

     

    Then return the correct operator profile.



  • 5.  RE: Guest Sponsor/Operator with single AD account requires dual personality in ClearPass

    Posted May 07, 2015 02:20 PM

    Thanks Tim, that makes perfect sense.  I guess in my case I would only ask them to append something to their user name if they want to sponsor accounts in that special group.  Or else they just get the generic sponsor portal just like anyone else.  

     

    I guess I can also strip the "@role1" from the name before I authenticate them against LDAP/AD.   I will give that a try.  Thanks for the quick reply.
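The policy sketched in the best answer above (username suffix plus AD group check) and the suffix-stripping step mentioned in the follow-up post, modelled together as an added example. This is illustrative Python written for this page, not ClearPass code or its policy syntax: the AD directory (`FAKE_AD`), the group name `priv-group`, the operator profile names `Sponsor_A` / `Sponsor_B`, and the `@role1` tag are constructed from the thread, and the LDAP bind is simulated by a password comparison. The point it makes explicit is that the suffix is typed by the user, so it can only be a request; the AD group membership is what actually gates the privileged profile.

```python
"""Simulation of the "append a role tag to the username" operator-login policy.

Flow for one login attempt:
  1. split a trailing "@<tag>" off the username (only for known tags),
  2. bind to AD with the bare username (the tag is never sent to AD),
  3. return the privileged operator profile only if the tag was present
     AND the AD group lookup confirms membership in the gating group.

Everything below is a constructed stand-in; nothing here is ClearPass code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Role tags a sponsor may append, mapped to the operator profile they request.
ROLE_TAGS: Dict[str, str] = {"role1": "Sponsor_A"}   # privileged profile
DEFAULT_PROFILE = "Sponsor_B"                         # generic sponsor profile
PRIV_GROUP = "priv-group"                             # AD group gating Sponsor_A

# Constructed stand-in for AD: sAMAccountName -> (password, group list).
FAKE_AD: Dict[str, Tuple[str, List[str]]] = {
    "alice": ("alice-pw", ["Domain Users", "priv-group"]),
    "bob":   ("bob-pw",   ["Domain Users"]),
}

# Match "<user>@<tag>" only when <tag> is a known role tag at the very end of
# the string, so a UPN-style login such as "alice@corp.example" is left intact
# (a plain CONTAINS "@role1" rule would be looser than this).
_TAG_RE = re.compile(
    r"^(?P<user>.+)@(?P<tag>" + "|".join(map(re.escape, ROLE_TAGS)) + r")$"
)


@dataclass
class Decision:
    username: str               # name used for the AD bind (tag stripped)
    profile: Optional[str]      # operator profile returned; None = login rejected
    reason: str


def split_role_tag(full_username: str) -> Tuple[str, Optional[str]]:
    """Return (bare username, tag); tag is None when no known tag is appended."""
    m = _TAG_RE.match(full_username)
    if not m:
        return full_username, None
    return m.group("user"), m.group("tag")


def ad_bind(username: str, password: str) -> Optional[List[str]]:
    """Simulated LDAP bind: group list on success, None on bad user/password."""
    entry = FAKE_AD.get(username)
    if entry is None or entry[0] != password:
        return None
    return list(entry[1])


def operator_login(full_username: str, password: str) -> Decision:
    """Evaluate the operator-login policy for one attempt."""
    user, tag = split_role_tag(full_username)          # strip "@role1" first
    groups = ad_bind(user, password)                   # bind with the bare name
    if groups is None:
        return Decision(user, None, "AD authentication failed")
    if tag is None:
        return Decision(user, DEFAULT_PROFILE, "no role tag; generic sponsor")
    # The tag was chosen by the user, so it is only a request. Membership in
    # the AD group is the real authorization check for the privileged profile.
    if PRIV_GROUP in groups:
        return Decision(user, ROLE_TAGS[tag], f"@{tag} and member of {PRIV_GROUP}")
    # Tag present but not authorized: fall back to the generic profile rather
    # than grant anything extra (a deployment could equally choose to deny).
    return Decision(user, DEFAULT_PROFILE, f"@{tag} ignored; not in {PRIV_GROUP}")


if __name__ == "__main__":
    for attempt in [("alice@role1", "alice-pw"), ("alice", "alice-pw"),
                    ("bob@role1", "bob-pw"), ("alice@role1", "wrong")]:
        d = operator_login(*attempt)
        print(f"{attempt[0]:>12} -> bind as {d.username!r}, profile={d.profile}, {d.reason}")
```

The regex anchors the tag at the end of the string and only accepts tags from `ROLE_TAGS`, which is why a UPN-style username containing `@` is passed through untouched; the group check runs on the stripped name, so the tag never reaches the directory.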