How to configure management authentication for Guest and Insight Console Jan15-MHC


This tutorial is like the next part of this one created by Aruba:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-Configure-management-authentication-for-ClearPass-against/ta-p/187296

 

I noticed that with this you were able to access the CPPM console, but this didn't work to access other consoles, like the Guest and Insight ones, with Active Directory credentials.

 

So let's start.

 

After you are done with the tutorial above, you will see that the Active Directory credentials don't work for the other consoles.

 

To make it work you have to do the following:

 

You need to build a Role Mapping, which you should have created already with the tutorial above, but I'll repeat that part:

 

RoleMapping.PNG

Here the type is Authorization with AD, and the name is member of (which is the Active Directory group that contains the users that are allowed in this console). In this example I just put Domain Admins (so any user in Domain Admins gets access to these consoles).

For the Role Name, use [TACACS Super Admin].

 

On the Policy tab you can put [Guest], so that if the login fails it puts this random default role and won't let him access.

 

 

Now you create an enforcement profile.

 

Enforment profile.PNG

Now you have to build a new profile in which you use admin_privileges as the attribute name, and for the attribute value you can put anything, like GuestAdmin for example. This attribute value MUST match exactly what we will configure on the Guest console, so pay attention to what you put in there.

 

 

Now let's build the enforcement policy.

 

We create a new one and configure it like this:

 

 

enformenttabpolicyPNG.PNG

 

For the default profile, you select something like deny application access, so he won't have access if he fails the authentication.

 

Let's go to Rules.

 

Enforment policy tacacs.PNG

 

Put it exactly like this, and for the profile name select the profile you created before (in my case it's copy of operators login admin users).

 

 

 

Now with that info let's build the service.

 

You can copy [Guest Operator Logins], which is the service that authenticates those consoles by default.

You can copy it and edit it, which is what I did (you can also rename it to whatever name you want).

 

Service.PNG

 

As you see, I highlighted the service you can copy, and above it is the copied service I used.

Let's go inside the service:

 

Inside Service.PNG

 

The first thing you need to do is add Insight, as you see in this image (you will only see Guest).

 

Let's go to the Authentication tab.

 

Authenticaiton.PNG

We select Active Directory, which you should have previously configured in your ClearPass.

 

Now let's go to the Roles tab.

roles.PNG

 

Here, for role mapping, we select the one we created above.

 

Now let's go to the Enforcement tab.

 

Enformenttab.PNG

 

Now you select the enforcement profile we configured before.

 

And that's it, you are done here. Save it!

 

Now the order!

 

Service Order.PNG

As you see here, I have copy of the [Guest Operator Logins], which is the one I created before [Guest Operator Logins], which is the default one that comes with the Policy Manager.

 

 

Now let's go to the Guest console for part 2!

 

Let's go to Translation Rules.

 

Translation Rules.PNG

 

 

And we create a new rule

 

CPAdminrule.PNG

 

For Attribute, you put what we had on the CPPM: admin_privileges equals GuestAdmin (remember, here it must match! If it doesn't, then it won't work... I mean, if you put one letter different it won't work).

This rule is the one we use so the ClearPass Guest console understands that it must use the AD credentials.

On match, you put Assign fixed operator profile, and for Operator profile you put IT Administrator, so he has all the access.

 

Save it and you are done!

 

Now you've got all the consoles with AD authentication and not just the Policy Manager :)

 

Cheers

Carlos

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp