
Guest account generation - by user selecting a role type, which defines expiry.

Hello!

 

I'll explain the scenario first.

 

A customer I'm working with wants their ClearPass system registration page to have a drop down menu, where the guest can select a role type (e.g. 1 hour access, 1 day access etc). The role selected should then define (somewhere) that same associated expiry time for the account. This is in order to make it really simple for the guest to pick.

 

I've configured the registration page to show a drop down list of role types (and configured some roles), which works.

 

What I can't work out, is the slickest way to link a specific expiry time to each one of the role types.

 

The role types are...

 

Guest-1-hour, Guest-1-day, Guest-1-week etc.

 

Once I've got that bit sorted, we want to move on to limit the sponsors that can authorise the different role types. i.e. managers can authorise a year, reception can only authorise an hour (but I'll worry about that later).

 

Anybody done this before? Suggestions gratefully received!

Kudos appreciated, but I'm not hunting! (ACMX 104)
Frequent Contributor I

Re: Guest account generation - by user selecting a role type, which defines expiry.

Sorry no solution, but wanted to say that I'm really interested in this as well.   

 

We're looking to do something similar with Dropdowns stating something like "Conference Attendee", "Sporting Event" or something similar on the account self-registration/creation page... and then based on that, have it select the account lifetime.

 

If you figure this out, I would really like to know how you configured it.  

I haven't had the time but would really be interested in doing this.  Thanks.

 

Guru Elite

Re: Guest account generation - by user selecting a role type, which defines expiry.


The.racking.monkey wrote:

Hello!

 

I'll explain the scenario first.

 

A customer I'm working with wants their ClearPass system registration page to have a drop down menu, where the guest can select a role type (e.g. 1 hour access, 1 day access etc). The role selected should then define (somewhere) that same associated expiry time for the account. This is in order to make it really simple for the guest to pick.

 

I've configured the registration page to show a drop down list of role types (and configured some roles), which works.

 

What I can't work out, is the slickest way to link a specific expiry time to each one of the role types.

 

The role types are...

 

Guest-1-hour, Guest-1-day, Guest-1-week etc.

 

Once I've got that bit sorted, we want to move on to limit the sponsors that can authorise the different role types. i.e. managers can authorise a year, reception can only authorise an hour (but I'll worry about that later).

 

Anybody done this before? Suggestions gratefully received!


Don't use roles. Why don't you change the Expiry field to visible in the guest registration form to a DropDown that selects three different times. The sponsor can then accept/reject. You would have to edit the sponsor email to pass that parameter along so that the sponsor would be informed of the expiry so that the sponsor can accept/reject.

 

While it is technically possible, logistically it might be awkward.  Allow the sponsor to approve for a minimum time and the guest user can send an email to have it extended.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I

Re: Guest account generation - by user selecting a role type, which defines expiry.

I agree with using the expiration drop down field, as you can still reflect the group naming principles using a custom list.

But on the email front, you should be able to use IF...THEN statements to prefix an email address based on user selection. You would have to define a static email address though as these statements are form related rather than logically useful.

In addition, if you still wanted the appearance of groups from a user management perspective, you can use the same IF...THEN scenario to prefix the group based on user selection.

This all said, I would need to lab it first to guarantee a solution.
Any amount of Kudos will be greatly appreciated!!!
Frequent Contributor I

Re: Guest account generation - by user selecting a role type, which defines expiry.

Just had a look and it doesn't look like you can set fields with IF...THEN statements.

Your other option though would be to use a dummy landing page that gives you the three options to register for, and each one takes the user to a different form with different sponsor emails and role-ids preconfigured.
Any amount of Kudos will be greatly appreciated!!!

Re: Guest account generation - by user selecting a role type, which defines expiry.

Thanks for the initial suggestion!

 

The customer changed their mind about the way they think this should operate after I posted the first message, so...

 

It's probably helpful if you know the scenario. I'll keep it short...!

 

There are three groups of users that may act as sponsors (via group emails). Reception, Managers, and IT. What we want is for guests to only be able to request (on the page) 1 hour or day from reception, 1 hour, 1 day or 1 week from managers, and 1 hour, 1 day, 1 week or 1 year from IT. Ideally, if the guest selects for example 1 year, the options for selecting the sponsor should only accept the IT team. I'm envisaging three sponsor group radio buttons with validation error messages? We want radio buttons as we need to "mask" or alias where the emails are sent to (for security). I'm pretty sure I can set up the email destinations in the pages but god knows how yet??? Also, what would be perfect, is if the outcome of each registration pre-determined the role on the ClearPass (because the different lifecycles of users will also determine firewall policies on the controllers (which might vary later)).

 

Anybody got any tips for how I could set the page up? We only really want one page if possible, not lots. Validator arguments and options I should focus on would be great to get me going?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Frequent Contributor I

Re: Guest account generation - by user selecting a role type, which defines expiry.

"Also, what would be perfect, is if the outcome of each registration pre-determined the role on the ClearPass (because the different lifecycles of users will also determine firewall policies on the controllers (which might vary later))."

 

I don't think you can do this dynamically from a registration perspective without user selection, but you can force the sponsor to select the user role when approving the account and restrict sponsors/operators from setting certain roles. This is configurable under the "Actions" option of your self-registration profile where you can set the role override to "prompt". If you also force operator authentication, you can restrict role access for the sponsor based on what operator profile they are assigned.

For example, if the sponsor/operator is a reception user, they only have access to set the 1 hour user-role for instance.

It's important to remember though that this would only provide your role assignment from a security/firewalling perspective and not directly related to their expiration time.

 

To deal with the expiration time and validation of sponsor email, you can format your instance of the sponsor email field, if that is the one you are using, to be of type "Radio Buttons" and use options generator of "Use Options". You can then input a custom list of key | value pairs for user selection. However, to validate which sponsor group is chosen based on the expiration_after field, you will need to write a custom validator argument I'd imagine.

 

Hope this is of some help ;-)

 

 

Any amount of Kudos will be greatly appreciated!!!
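
Added example (not part of the thread and not ClearPass code): a Python model of the server-side check the posts above describe, where the submitted `expire_after` value must be one of the offered `key | value` options and must not exceed what the selected sponsor group may approve, and where the sponsor mailbox is resolved from the radio-button alias so the real address never appears in the form. The hour values, aliases, example.com addresses and function names are constructed for illustration.

```python
# Added illustration of the validation logic; names and addresses are constructed.

# Expiry choices in the "key | value" form used by the options list (key = hours).
EXPIRY_OPTIONS = """\
1 | 1 hour
24 | 1 day
168 | 1 week
8760 | 1 year
"""

# Radio-button alias -> (real sponsor mailbox, longest lifetime in hours it may approve).
# Only the alias is sent to the browser; the mailbox stays on the server.
SPONSORS = {
    "reception": ("reception-sponsors@example.com", 24),
    "managers": ("manager-sponsors@example.com", 168),
    "it": ("it-sponsors@example.com", 8760),
}


def parse_options(text):
    """Parse 'key | value' lines into {hours: label}."""
    options = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, label = line.partition("|")
        options[int(key.strip())] = label.strip()
    return options


def validate_request(expire_after, sponsor_alias, options=None):
    """Return (True, sponsor mailbox) or (False, error message)."""
    options = parse_options(EXPIRY_OPTIONS) if options is None else options
    try:
        hours = int(expire_after)
    except (TypeError, ValueError):
        return False, "expiry is not a number"
    # A submitted form can carry any value, so re-check against the offered list.
    if hours not in options:
        return False, "expiry is not one of the offered options"
    if sponsor_alias not in SPONSORS:
        return False, "unknown sponsor group"
    mailbox, max_hours = SPONSORS[sponsor_alias]
    if hours > max_hours:
        return False, f"{options[hours]} cannot be requested from {sponsor_alias}"
    return True, mailbox
```

The check runs on the submitted values rather than on what the form displayed, so a request edited in the browser to carry a longer lifetime or a different sponsor is rejected before any sponsor email is sent.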
Frequent Contributor I

Re: Guest account generation - by user selecting a role type, which defines expiry.

I understand what everyone is doing and it looks like we're getting close on The.racking.monkey's issue, but does anyone have any suggestions for this other method of using Dropdowns stating something like "Conference Attendee", "Sporting Event" or something similar on the account self-registration/creation page... and then based on that, have it select the account lifetime. I did look at roles, but, as iAruba seemed to verify, I couldn't set it with any type of IF/THEN statement.

 

I can likely do it by changing the default "Expiration Options" text in the main Guest Manager section. For example, change "24 | 1 day" to something like "24 | Campus Visit" or "12 | Sporting Event", however, I have multiple login forms that I will not use this type of scenario on, and don't want to mess those up.

 

Are there any other suggestions to base that expiry field on either the Role or just the options from a made up drop down list? Or is what I described in Paragraph 2 the only way to accomplish this? If so, can you have duplicate values in that "Expiration Options" section, like 24 | Campus Visit and 24 | BlaBla together?

 

Any help with this one would be greatly appreciated.

Guru Elite

Re: Guest account generation - by user selecting a role type, which defines expiry.

Let's look at the flow:

 

Sponsorship puts people in touch with others who might know them or know of them for authorization.  Having a user request access for a year directly to people in IT breaks this model.  How about this:

 

Give the user basic access for an hour automatically, and have the sponsor or receptionist be able to extend that access or expand that access to a day or so using the Extend Expiration Option inline.  Anybody who needs a year of access, that should require an email from a company representative to IT to grant that.  The user will get an email detailing the extension.

 




Colin Joseph
Aruba Customer Engineering


Frequent Contributor I

Re: Guest account generation - by user selecting a role type, which defines expiry.

In reply to ShawnShoe, if you edit the expire_after field on your registration form, you can change the options generator from the Guest Manager predefined options list referred to as above to a set of key | value pairs.
Any amount of Kudos will be greatly appreciated!!!