Security

Reply
New Contributor
Posts: 2
Registered: ‎08-21-2014

How to implement Guest role based access?

Hi,

I've got CPPM 6.5.1 running with a Guest portal.  We do self-registration so that all guests are dumped in the "Guest" role, and must re-authenticate daily.

 

I have found some incantations to add a Profile such that I can pass back a value in the "Radius:Aruba / Aruba-User-Role" and tell the controller which role to place the user into back on the controller as they log in.  It's clunky right now, as I have it hard-coded in a profile.

What I >want< to do is this:

 

1) Have self-registration users defaulted into the [Guest] role, and pass that role info back to the controller, which puts them in a somewhat ACL'd network (we do 80/443 only).
2) For certain users, I'd like to be able to go into the Guest account management database, and change their Role to "VIP".  Those users would then be assigned a VIP role on the controller which would have wider access.

3) I would like the role change to be preserved.  Right now, if a user is forced to re-authenticate in the portal, they're dumped back into [Guest] every time, even if I changed their role manually.

 

I've been thumping my head against a wall for a few days.  The default service policies seem to pull the Role data out of the Endpoint database and ignore the Guest User database once a user is set up.  Changing a role after a guest user is established doesn't change the behavior when they reconnect.  Then, once forced through reauthentication, their role data is tossed out the window.  Neither of these are desired behaviors.

 

Any tips on accomplishing this would be greatly appreciated.

Thanks!
Mike

Guru Elite
Posts: 7,853
Registered: ‎09-08-2010

Re: How to implement Guest role based access?

[ Edited ]

If you’re doing MAC caching, the role data is added to the Endpoint Repository and is effectively static until the user reauthenticates (logs in not registers) through the web portal.

 

You have three options:

  • You can manually change the Role ID number in the endpoints database for the MAC
  • You can have the user re-login using the web portal which will update the MAC address in the database with the new role
  • You can do a sponsored registration so the user puts in an employees name, the employee gets an email and can approve, deny, change role and change expiration. Then the user would click the login button once approved and they would be in the correct role.

 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Search Airheads
Showing results for 
Search instead for 
Did you mean: