Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to? | clearpass guest to send 2 different roles to the controller

  • 1.  How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 01, 2014 06:14 AM

    Hi Guys,

    I have a working guest portal (with access-code) in ClearPass Guest - and it's working fine in front of a controller with MAC caching.

    How do I enable the controller to get two different roles (because I have users with guest role in CPPM and some users with contractor role)?

    How do I enable ClearPass Guest to send 2 different roles to the controller - please advise.

    Thanks,

    Me



  • 2.  RE: How to? | clearpass guest to send 2 different roles to the controller

    MVP
    Posted Jul 01, 2014 06:18 AM

    Not sure I understand your problem.

    You can return different user-roles by using different enforcement profiles.

    If you are asking about how to make the distinction... just make sure the contractors have a different role ID and use that to send them the different enforcement profile?



  • 3.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 01, 2014 06:19 AM

    When you are authenticating guests in CPPM, in your enforcement policy you can return the Aruba RADIUS attribute "Aruba-User-Role" that will override the default guest role in the controller. The question is, under what circumstances do you want to return one role or another...?



  • 4.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 01, 2014 06:22 AM

    I got username: X1 with guest role in ClearPass (I built a guest user role also on the controller)

    and I got username Y1 with contractor role in ClearPass (I built a contractor user role also on the controller).

    (In the L3 profile on the controller it's guest after captive portal.)

    Both of them are passing the same captive portal.

    Can you please send me a screenshot/example/guide on how to configure the right enforcement profile as needed to achieve my need?

     



  • 5.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 01, 2014 06:26 AM

    role1.png

    role2.png



  • 6.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 01, 2014 06:33 AM

    Thanks...

    But I want that if Contractor role then ROLE-A on controller

    and if Guest role then ROLE-B on the controller.

    And your screenshot is - how to send a role to the controller.

     

     



  • 7.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 01, 2014 06:52 AM

    Assuming you are using the inbuilt ClearPass roles, you just need to create an Enforcement Policy which maps the roles to the Enforcement profiles you create, as shown by cjoseph:

    Tips     Role     EQUALS     [Guest]          RADIUS-Guest_Enforcement_Profile

    Tips     Role     EQUALS     [Contractor]     RADIUS-Contractor_Enforcement_Profile

    This policy should be first match.

    As long as the guest account has the correct ClearPass role, the correct enforcement profile should trigger and this should set the correct Aruba controller role.



  • 8.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 01, 2014 06:52 AM

    It is the job of the Enforcement Policy to determine what Enforcement Profile is sent to the controller.

    Enforcement Policy = Use my information about incoming authentication to send an attribute to the controller

    Enforcement Profile = That Attribute (in this case, a role):

     

    1.png

    2.png

    3.png



  • 9.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 01, 2014 06:54 AM
    For a MAC caching authentication, I would use the RoleID number and not the TIPS role.


  • 10.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 06:29 AM

    Hi Guys,

    It's working great... but when the user is coming back and there is MAC caching... it just doesn't get the right role (Guest or Premium) based on the code he entered before he left the area.

    Please advise.

    Thanks.

    Me



  • 11.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 06:31 AM


  • 12.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 07:37 AM

    Use the Endpoints:Guest Role ID attribute in either the role map or your enforcement profile (instead of the GuestUser: Guest Role ID)



  • 13.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 07:57 AM

    Add an enforcement profile like this to your web auth service.

     

    enforcement-profile-mac-cache.JPG

     

    Did you use the Guest w/ MAC caching service template? All of this should have been created with that.



  • 14.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 08:04 AM

    I built it with a template...

    but those are the only post-auth it made for me:

    07-07-2014 15-03-10.jpg

     

    ======================

     

    44.PNG

     

    =======================

     

    55.PNG



  • 15.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 08:16 AM

    Hm, so you have the right profile enabled. Check the Audit Viewer and see if the attributes are attempting to be updated by either clusteradmin or apiadmin.

     

    Also, try modifying that enforcement profile to:

     

    %{GuestUser:Role ID}



  • 16.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 08:20 AM

    Now it even adds the role ID to my endpoint...

    Screenshot attached:

    999.jpg

    ======================

    98989.PNG

    But still...

    3458349583958.PNG



  • 17.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 08:22 AM

    Clear the cache for that endpoint, the endpoints repository and disassociate from the network and aaa delete the client, then try again. It's likely just a timing issue.



  • 18.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 08:25 AM

    Clear the cache for that endpoint, the endpoints repository and disassociate from the network and aaa delete the client, then try again. It's likely just a timing issue.

    • I usually blacklist the client (in the controller).
    • Then I delete the endpoint...
    • and then I first log in with the passcode to the network...
    • shutting down the device (deleting the AAA record on the controller)
    • and then trying again...

    Am I missing something?!



  • 19.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 08:27 AM
    Do you have another device you can test? There's too many variables (due to caching) when trying to use the same client in quick tests.


  • 20.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 08:39 AM

    Tested also with 3 other devices... getting guest all the time with MAC caching...

    even though the endpoint got role ID 4 after web auth.

    9999999.PNG

    Please advise.

    What do I do wrong?

    999894849849.PNG

    0000.PNG

     



  • 21.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 08:45 AM

    Are you seeing an entry in Access Tracker for that device?

     

    Also, on the controller, run "show user mac <mac address>" and it should tell you how the role was derived.



  • 22.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 08:48 AM

    Yes.

    9992.PNG

    Attached log file.

    Attachment(s): DashboardDetails.zip (6 KB)


  • 23.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 08:51 AM

    ClearPass is sending back an [Allow Access Profile] which is why you are getting Guest (most likely the default role in the AAA profile). It looks like it's falling through to the last rule.

     

    Change your first two rules to check the Endpoints: Guest Role ID.
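
Added example (not part of the thread and not ClearPass code): a small Python model of the fall-through described in reply 23, assuming a MAC-auth request carries only Endpoint attributes while the GuestUser attributes exist only during the web login. Role ID 4 and Premium4Instant come from the thread; the Guest role ID 2, the profile name Guest-Profile and the MAC address are constructed.

```python
# Simplified model of first-match enforcement evaluation; not ClearPass code.
# Attribute names and Premium4Instant follow the thread. The MAC address, the
# Guest role ID (2) and the "Guest-Profile" name are constructed.

DEFAULT_PROFILE = "[Allow Access Profile]"
ENDPOINTS = {}  # endpoint repository: MAC -> attributes cached after web auth


def web_auth_request(mac, guest_role_id):
    """Portal login: GuestUser:* is populated from the guest account, and the
    post-auth update caches the role ID on the endpoint for later MAC auth."""
    ENDPOINTS[mac] = {"Endpoint:Guest Role ID": guest_role_id}
    return {"GuestUser:Role ID": guest_role_id, **ENDPOINTS[mac]}


def mac_auth_request(mac):
    """Returning device: only the MAC is presented, so the request carries
    Endpoint:* attributes only (assumption of this model)."""
    return dict(ENDPOINTS.get(mac, {}))


def evaluate(policy, request):
    """First match wins; a rule on an absent attribute never matches."""
    for attribute, expected, profile in policy:
        if request.get(attribute) == expected:
            return profile
    return DEFAULT_PROFILE


def dead_rules(policy, request):
    """Rules referencing an attribute this request type does not carry."""
    return [rule for rule in policy if rule[0] not in request]


GUESTUSER_POLICY = [("GuestUser:Role ID", 4, "Premium4Instant"),
                    ("GuestUser:Role ID", 2, "Guest-Profile")]
ENDPOINT_POLICY = [("Endpoint:Guest Role ID", 4, "Premium4Instant"),
                   ("Endpoint:Guest Role ID", 2, "Guest-Profile")]

if __name__ == "__main__":
    mac = "02:00:00:00:00:01"  # constructed, locally administered address
    first_visit = web_auth_request(mac, 4)   # premium access code entered
    returning = mac_auth_request(mac)        # same device comes back later
    print(evaluate(GUESTUSER_POLICY, first_visit))  # matched on web auth
    print(evaluate(GUESTUSER_POLICY, returning))    # falls to the default
    print(evaluate(ENDPOINT_POLICY, returning))     # matched from the cache
    print(dead_rules(GUESTUSER_POLICY, returning))  # both rules flagged
```

In this model the default at the end of the policy is what grants access when no rule matches, so `dead_rules` is the check to run against each service's request type before relying on a role-specific rule.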

     

     



  • 24.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 08:54 AM

    Why?

    It's on first match... so it isn't matching my first two lines.

    why.PNG

    Please advise.

     

     



  • 25.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 08:56 AM
    It should be matching rule #2, correct?

    You need to change the rule to say Endpoint: Guest Role ID.


  • 26.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 09:21 AM

    Yes, you're right... #2... or #1 based on the guest role...

    I will try to change it again (and I will update you).

     

     



  • 27.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 09:26 AM

    It still doesn't work... :( I'm getting guest when MAC auth is being done and not premium as needed... why?

    did.PNG

    But still:

    9292.PNG

    Again - attached log file from the Access Tracker.

    Please help.

    Attachment(s): DashboardDetails(2).zip (6 KB)


  • 28.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 09:35 AM

    Do you have the Endpoints Repository as an authorization source in your service?



  • 29.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 09:39 AM

    Yes, I do.

    1.PNG



  • 30.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 09:44 AM
    Try adding a rule above #3 that reads:

    Tips:Role EQUALS [Premium] Premium4Instant


  • 31.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 09:51 AM

    Did it:

    rol.PNG

    But still getting Guest :(

    Attached log file again (from now).

    Attachment(s): DashboardDetails(3).zip (6 KB)


  • 32.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 10:03 AM
    Any idea?


  • 33.  RE: How to? | clearpass guest to send 2 different roles to the controller

    MVP
    Posted Jul 07, 2014 08:49 AM

    Try some debugging on the controller and compare what you are getting returned matches an actual aruba-user-role on your controller.

     

    logging level debugging security subcat aaa
    logging level debugging security process authmgr



  • 34.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 07:45 AM

    Like this?

    Capture2.PNG

    Because it still doesn't work :(

    Capture3.PNG



  • 35.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 07:50 AM
    Can you check an endpoint and see if those values exist? If not, you need to modify your WebAuth service to add those attributes to the database after a successful authentication.


  • 36.  RE: How to? | clearpass guest to send 2 different roles to the controller

    Posted Jul 07, 2014 07:52 AM

    It doesn't...

    Screenshot:

    Capture4.PNG

    Nope :( How do I modify my WebAuth service to add those attributes to the database after a successful authentication?



  • 37.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 01, 2014 06:52 AM
    You would use the Guest Role ID.
    So if role 1 was contractor and role 2 was guest, you'd simply say:

    If GuestRoleID equals 1, contractor profile
    If GuestRoleID equals 2, guest profile


  • 38.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 07, 2014 06:10 PM
    Try using guest user. Role id equals in the role


  • 39.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 08, 2014 12:12 AM

    It looks like you are using TIPS role in the role mapping. You cannot use it there; you need to change it to the same as the others. All guest role mapping is based on a number, for which you create a translation in a guest service.

    There is a lot of info in this post about it.

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Role-Mappings-within-the-Guest-Application/m-p/165800/highlight/true#M12513

    In role it needs to be like I have below for the FACStaf, where I push the role staff to the controller and then use the TIPS role in the enforcement.

     

    Screen Shot 2014-07-07 at 11.02.55 PM.png

     

     

    Screen Shot 2014-07-07 at 11.03.59 PM.png

     

     



  • 40.  RE: How to? | clearpass guest to send 2 different roles to the controller

    EMPLOYEE
    Posted Jul 08, 2014 12:26 AM

    Also attach a screen shot of your access tracker. Each Tab please. 

     

    Screen Shot 2014-07-07 at 11.14.05 PM.png

     

    Screen Shot 2014-07-07 at 11.23.01 PM.png