Contributor II
Posts: 38
Registered: ‎11-24-2014

One group of users accessing multiple mactrac pages

Can I configure ClearPass MACTrac with one group of users accessing different MACTrac pages?

Is this supported?

I am trying to configure this requirement, but it seems like ClearPass does not support this.


Guru Elite
Posts: 8,468
Registered: ‎09-08-2010

Re: One group of users accessing multiple mactrac pages

No, but you could get creative and utilize realms to make access decisions.

For example, these 3 usernames (although same user), can take the user to different pages using

cappalli@studentdevice.cpg
cappalli@staffdevice.cpg
cappalli@helpdesk.cpg

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: One group of users accessing multiple mactrac pages

Realms do not help, same group of users.

MACTrac pages are tied to the roles, and this is why ClearPass fails.

Guru Elite
Posts: 8,468
Registered: ‎09-08-2010

Re: One group of users accessing multiple mactrac pages

Yes, you put the users into different admin roles based on the realm suffix....

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: One group of users accessing multiple mactrac pages

Can you show how your logic works?

 

say criteria1 --> role1 --> mactrac page1

    criteria2 --> role2 --> mactrac page2


Guru Elite
Posts: 8,468
Registered: ‎09-08-2010

Re: One group of users accessing multiple mactrac pages

Exactly.

Authentication:Full-Username ENDS_WITH @mactrac1
Enforcement: Operator Profile: MACTrac1

Be sure to enable realm stripping in the service.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: One group of users accessing multiple mactrac pages

Can you explain how your solution works, step by step?

Should I send multiple roles? 

 

Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: One group of users accessing multiple mactrac pages

ClearPass MACTrac fails because it's the role that controls the logic, not the MACTrac page.

I hope a ClearPass developer sees this post and reverses the logic or offers an alternative way to control the MACTrac logic.

I can send multiple roles, but it should be the page that filters which role it will allow or not.

If I send a single role, it's the first role hit in the enforcement that will be applied, thus the logic fails if the same user wants to access page 2.


Guru Elite
Posts: 8,468
Registered: ‎09-08-2010

Re: One group of users accessing multiple mactrac pages

You need to have an enforcement profile for each operator role.

You create a rule for each realm suffix and map them to an operator role.

So if I use cappalli@student.mactrac as my username, I get the "STUDENT" operator profile in CPG.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
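
The realm-suffix mapping described in the replies above, next to the role-only matching the original poster found limiting, as an added example that is not part of the original thread and is not ClearPass code: a simplified Python model of first-match rule evaluation. The `@staff.mactrac` and `@helpdesk.mactrac` suffixes, the `STAFF` and `HELPDESK` profile names, the `mactrac-users` role and all function names are assumptions made for illustration.

```python
# Simplified model of the thread's logic; not ClearPass code.
# Constructed names: mactrac-users, STAFF, HELPDESK, the staff/helpdesk suffixes.

# Role-only rules: the whole group shares one role, so rule 1 always wins.
ROLE_RULES = [
    ("mactrac-users", "STUDENT"),
    ("mactrac-users", "STAFF"),
]

# Realm-suffix rules: one rule per suffix, each mapped to an operator profile.
REALM_RULES = [
    ("@student.mactrac", "STUDENT"),
    ("@staff.mactrac", "STAFF"),
    ("@helpdesk.mactrac", "HELPDESK"),
]


def select_by_role(roles):
    """First-applicable match on role; returns the operator profile or None."""
    for role, profile in ROLE_RULES:
        if role in roles:
            return profile
    return None


def select_by_realm(full_username):
    """First-applicable ENDS_WITH match on the full (unstripped) username."""
    for suffix, profile in REALM_RULES:
        if full_username.endswith(suffix):
            return profile
    return None


def strip_realm(full_username):
    """Model of realm stripping: the account is looked up without the suffix."""
    return full_username.split("@", 1)[0]


def login(full_username, accounts):
    """Return (account, operator profile), or None if the account is unknown."""
    account = strip_realm(full_username)
    if account not in accounts:
        return None
    return account, select_by_realm(full_username)


if __name__ == "__main__":
    for name in ("cappalli@student.mactrac", "cappalli@helpdesk.mactrac"):
        print(name, "->", login(name, {"cappalli"}))
```
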
Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: One group of users accessing multiple mactrac pages

Can you test this in your lab? 
