Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest account generation - by user selecting a role type, which defines expiry.

  • 1.  Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 15, 2012 10:46 AM

    Hello!

     

    I'll explain the scenario first.

     

    A customer I'm working with wants their Clearpass system registration page to have a drop down menu, where the guest can select a role type (e.g. 1 hour access, 1 day access etc). The role selected should then define (somewhere) that same associated expiry time for the account. This is in order to make it really simple for the guest to pick.

     

    I've configured the registration page to show a drop down list of role types (and configured some roles), which works.

     

    What I can't work out, is the slickest way to link a specific expiry time to each one of the role types.

     

    The role types are...

     

    Guest-1-hour, Guest-1-day, Guest-1-week etc.

     

    Once I've got that bit sorted, we want to move on to limit the sponsors that can authorise the different role types. i.e. managers can authorise a year, reception can only authorise an hour (but I'll worry about that later).

     

    Anybody done this before? Suggestions gratefully received!



  • 2.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 15, 2012 10:53 AM

    Sorry no solution, but wanted to say that I'm really interested in this as well.   

     

    We're looking to do something similar with Dropdowns stating something like "Conference Attendee", "Sporting Event" or something similar on the account self-registration/creation page... and then based on that, have it select the account lifetime.

     

    If you figure this out, I would really like to know how you configured it.  

    I haven't had the time but would really be interested in doing this.  Thanks.

     



  • 3.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    EMPLOYEE
    Posted Nov 15, 2012 09:15 PM

    @The.racking.monkey wrote:

    Hello!

     

    I'll explain the scenario first.

     

    A customer I'm working with wants their Clearpass system registration page to have a drop down menu, where the guest can select a role type (e.g. 1 hour access, 1 day access etc). The role selected should then define (somewhere) that same associated expiry time for the account. This is in order to make it really simple for the guest to pick.

     

    I've configured the registration page to show a drop down list of role types (and configured some roles), which works.

     

    What I can't work out, is the slickest way to link a specific expiry time to each one of the role types.

     

    The role types are...

     

    Guest-1-hour, Guest-1-day, Guest-1-week etc.

     

    Once I've got that bit sorted, we want to move on to limit the sponsors that can authorise the different role types. i.e. managers can authorise a year, reception can only authorise an hour (but I'll worry about that later).

     

    Anybody done this before? Suggestions gratefully received!


    Don't use roles.  Why don't you change the Expiry field  to visible in the guest registration form to a DropDown that selects three different times.  The sponsor can then accept/reject.  You would have to edit the sponsor email to pass that parameter along so that the sponsor would be informed of the expiry so that the sponsor can accept/reject.

     

    While it is technically possible, logistically it might be awkward.  Allow the sponsor to approve for a minimum time and the guest user can send an email to have it extended.

     



  • 4.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 16, 2012 03:38 AM

    Thanks for the initial suggestion!

     

    The customer changed their mind about the way they think this should operate after I posted the first message, so...

     

    It's probably helpful if you know the scenario. I'll keep it short...!

     

    There are three groups of users that may act as sponsors (via group emails). Reception, Managers, and IT. What we want is for guests to only be able to request (on the page) 1 hour or day from reception, 1 hour, 1 day or 1 week from managers, and 1 hour, 1 day, 1 week or 1 year from IT. Ideally, if the guest selects for example 1 year, the options for selecting the sponsor should only accept the IT team. I'm envisaging three sponsor group radio buttons with validation error messages? We want radio buttons as we need to "mask" or alias where the emails are sent to (for security). I'm pretty sure I can set up the email destinations in the pages but god knows how yet??? Also, what would be perfect, is if the outcome of each registration pre-determined the role on the Clearpass (because the different lifecycles of users will also determine firewall policies on the controllers (which might vary later)).

     

    Anybody got any tips for how I could set the page up? We only really want one page if possible, not lots. Validator arguments and options I should focus on would be great to get me going?



  • 5.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 16, 2012 04:50 AM

    "Also, what would be perfect, is if the outcome of each registration pre-determined the role on the Clearpass (because the different lifecycles of users will also determine firewall policies on the controllers (which might vary later)."

     

    I don't think you can do this dynamically from a registration perspective without user selection, but you can force the sponsor to select the user role when approving the account and restrict sponsors/operators from setting certain roles. This is configurable under the "Actions" option of your self-registration profile where you can set the role override to "prompt". If you also force operator authentication, you can restrict role access for the sponsor based on what operator profile they are assigned.

    For example, if the sponsor/operator is a reception user, they only have access to set the 1 hour user-role for instance.

    It's important to remember though that this would only provide your role assignment from a security/firewalling perspective and not directly related to their expiration time.

     

    To deal with the expiration time and validation of sponsor email, you can format your instance of the sponsor email field, if that is the one you are using, to be of type "Radio Buttons" and use options generator of "Use Options". You can then input a custom list of key | value pairs for user selection. However, to validate which sponsor group is chosen based on the expiration_after field, you will need to write a custom validator argument I'd imagine.

     

    Hope this is of some help ;-)
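
The sponsor-group check discussed in posts 4 and 5, sketched as an added example (not part of the original posts and not ClearPass validator code). It assumes the form submits a hypothetical `sponsor_group` alias key and an `expire_after` value in hours; the group names and periods come from post 4, the email addresses are constructed placeholders.

```python
# Added illustration; not ClearPass code. Field names and addresses are assumptions.
HOUR, DAY, WEEK, YEAR = 1, 24, 168, 8760  # account lifetimes in hours

# Sponsor groups and the periods each may approve, as listed in post 4.
# The radio button submits only the alias key; the real address stays server-side.
SPONSOR_GROUPS = {
    "reception": {"email": "reception-sponsors@example.com",
                  "allowed": {HOUR, DAY}},
    "managers": {"email": "manager-sponsors@example.com",
                 "allowed": {HOUR, DAY, WEEK}},
    "it": {"email": "it-sponsors@example.com",
           "allowed": {HOUR, DAY, WEEK, YEAR}},
}


def validate_registration(form):
    """Return (ok, result): the resolved request on success, else an error message."""
    alias = str(form.get("sponsor_group", "")).strip().lower()
    group = SPONSOR_GROUPS.get(alias)
    if group is None:
        return False, "Unknown sponsor group"
    try:
        hours = int(str(form.get("expire_after", "")).strip())
    except ValueError:
        return False, "Invalid expiry value"
    # Check against the server-side list, so a value that was never offered
    # in the dropdown is rejected as well.
    if hours not in group["allowed"]:
        return False, "Selected sponsor group cannot approve this access period"
    # Any client-supplied email field is ignored; only the alias is trusted.
    return True, {"sponsor_email": group["email"], "expire_after": hours}
```
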

     

     



  • 6.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 16, 2012 09:44 AM

    I understand what everyone is doing and it looks like we're getting close on The.racking.monkey's issue, but does anyone have any suggestions for this other method of using Dropdowns stating something like "Conference Attendee", "Sporting Event" or something similar on the account self-registration/creation page... and then based on that, have it select the account lifetime.  I did look at roles, but, as iAruba seemed to verify, I couldn't set it with any type of IF/THEN statement.

     

    I can likely do it by changing the default "Expiration Options" text in the main Guest Manager section.  For example, change "24 | 1 day" to something like "24 | Campus Visit" or "12 | Sporting Event"; however, I have multiple login forms that I will not use this type of scenario on, and don't want to mess those up.

     

    Are there any other suggestions to base that expiry field on either the Role or just the options from a made up drop down list? Or is what I described in Paragraph 2 the only way to accomplish this?  If so, can you have duplicate values in that "Expiration Options" section, like 24 | Campus Visit and 24 | BlaBla together?

     

    Any help with this one would be greatly appreciated.



  • 7.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    EMPLOYEE
    Posted Nov 16, 2012 11:24 AM

    Let's look at the flow:

     

    Sponsorship puts people in touch with others who might know them or know of them for authorization.  Having a user request access for a year directly to people in IT breaks this model.  How about this:

     

    Give the user basic access for an hour automatically, and have the sponsor or receptionist be able to extend that access or expand that access to a day or so using the Extend Expiration Option inline.  Anybody who needs a year of access, that should require an email from a company representative to IT to grant that.  The user will get an email detailing the extension.

     




  • 8.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 16, 2012 02:18 AM
    I agree with using the expiration drop down field, as you can still reflect the group naming principles using a custom list.

    But on the email front, you should be able to use IF...THEN statements to prefix an email address based on user selection. You would have to define a static email address though as these statements are form related rather than logically useful.

    In addition, if you still wanted the appearance of groups from a user management perspective, you can use the same IF...THEN scenario to prefix the group based on user selection.

    This all said, I would need to lab it first to guarantee a solution.


  • 9.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 16, 2012 02:45 AM
    Just had a look and it doesn't look like you can set fields with IF...THEN statements.

    Your other option though would be to use a dummy landing page that gives you the three options to register for, and each one takes the user to a different form with different sponsor emails and role-ids pre configured.


  • 10.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 16, 2012 11:49 AM
    In reply to ShawnShoe, if you edit the expire_after field on your registration form, you can change the options generator from the Guest Manager predefined options list referred to as above to a set of key | value pairs.


  • 11.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 16, 2012 12:21 PM

    Oh Geez.. I completely misunderstood what you meant before.  I've got it now, and it's working perfectly.  Thank You.  On to the Next...



  • 12.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Nov 19, 2012 09:35 AM

    Hello all (on this thread).

     

    After further dialogue with this particular customer, we went with the option of using an initial landing page, which jumps off to a number of others (contractors, guests, staff etc).

     

    Each jump off page has a role_id in the fields, which is tied to the associated registration type (I also set expiry times differently in each page).

     

    Ultimately, we actually found this works much better in terms of slickness for uncontrolled people!

     

     



  • 13.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Apr 09, 2015 01:04 PM
    Hi all,
    I do have a similar request from my user too.

    When guest registers an account, the sponsor will receive the guest confirmation request. User will select 2 types of role, user+1 day or user+1 year. Based on the role, clearpass will determine the expiration date without sponsor to manually extend the expiration thru a drop-down list etc.

    As the user does not get the opportunity to choose the role, I can't set different landing pages for different roles.
    Understand the last post is 2-3 years old but I am wondering if it is possible to do it now.
    Thanks.

    Regards,
    Victor



  • 14.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    MVP
    Posted Apr 10, 2015 06:38 AM

    Victor: If I understand your request correctly, it is the guest that should be able to choose 1day or 1year, right?  Why not simply make the Expiry field visible, change it to dropdown and give him the options 1 day and 1 year through that?

     

    What I don't get is why you would want this.. won't every guest pick the 1 year account per default? I would when given the option. 

     



  • 15.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Apr 10, 2015 10:09 AM
    Hi Koen,

    Apologies. I didn't express what I intended well enough :)

    The guest will not be selecting his role. The sponsor will select the role for the user. Based on the role assigned, the guest account will be either 1 month or 1 year. User will only need to select the role and the guest will be assigned the appropriate expiry date.

    Thanks.

    Regards,
    Victor


  • 16.  RE: Guest account generation - by user selecting a role type, which defines expiry.

    Posted Apr 17, 2015 12:37 PM
    Hi all,

    Does anyone have any idea how this could be done?

    Thanks.

    Regards,
    Victor