Occasional Contributor II

Receptionist user based on AD Group/User settings

Hi Guys,

first things first:

We're using several Aruba Instant "farms" with guest captive portals.

We are currently using the ClearPass Guest web interface to provision time-limited guest tickets to our clients. These tickets are created by several receptionists.

Currently, the receptionists use the same user, which is located in the local ClearPass server database with the privilege level "Receptionist".

(ClearPassPolicyManager -> Administration -> Users and Privs -> Admin Users)

We now want to change this to a personalized AD user. We added an authentication method and the AD connection for this method works fine, but I cannot find an option to add AD users to this "Receptionist" role.

Can you help me out?

br

Patzed


Re: Receptionist user based on AD Group/User settings

1. You need to create an enforcement profile which maps the "admin_privilages" attribute to the "Receptionist" operator profile.

admin_priv.jpg

2. Then copy the [Guest Operator Logins] service. Modify the copied service by adding your Active Directory auth source. Then add some role mapping to identify your reception users. E.g.

admin_mapping.jpg

3. Then copy the built-in enforcement policy [Guest Operator Logins] and modify the copy. Add a condition to map the [Reception Operator] role (from the role mapping in section 2) to the enforcement profile (from section 1). E.g.

admin_enforcemn.jpg

4. Move your copied [Guest Operator Logins] service above the default built-in [Guest Operator Logins] service.

NOTE: Do not delete anything default from the copied [Guest Operator Logins] service.

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
---------------------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Occasional Contributor II

Re: Receptionist user based on AD Group/User settings

Hello,

many thanks for your description.

Can you give me a hint how to move enforcement policies? They are numbered, but I cannot move them up or down?!

br

Patzed

Re: Receptionist user based on AD Group/User settings

Just click on one of the rules in the enforcement policy and click on the "move up" or "move down" button below them.
Cheers
James

Occasional Contributor II

Re: Receptionist user based on AD Group/User settings

Hey J,

ah - inside the policy, in the Rules tab! No matter if there is a default Guest operator login policy as shown in my screenshot?!

I'll test the procedure soon and give feedback.

Many thanks so far.

Occasional Contributor II

Re: Receptionist user based on AD Group/User settings

It's really strange that the access is denied because of a policy, as the policy is a copy of a working, local authentication policy... hmm

 

CPPM _Deny.jpg

CPPM _Deny_2.jpg

Re: Receptionist user based on AD Group/User settings

It's likely that your enforcement policy doesn't match the authentication request so is applying the default deny policy.

Cheers
James

Occasional Contributor II

Re: Receptionist user based on AD Group/User settings

I modified the policy to the default profile "Operator Login AD Users". It's working now.

 

CPPM _allow_ad_.jpg

Guru Elite

Re: Receptionist user based on AD Group/User settings

By doing that, you've effectively allowed anyone that successfully authenticates to access this. Please find out why your rule isn't matching instead.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Receptionist user based on AD Group/User settings

Yeah, don't leave it like that.
Cheers
James

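The evaluation chain this thread walks through (role mapping, then an enforcement policy whose first matching rule wins, then the default profile when nothing matches) can be modelled in a few lines; this is an added example, not ClearPass code or anything posted by the participants. The AD group, the sample accounts and the role-name mismatch are constructed, and the workaround is modelled as setting the policy's default profile to "Operator Login AD Users".

```python
# Simplified model (not ClearPass code): role mapping -> enforcement policy
# evaluated first-applicable -> enforcement profile. All data is constructed.
DENY = "deny"
RECEPTION_GROUP = "CN=Reception,OU=Groups,DC=example,DC=com"  # hypothetical AD group

USERS = [  # constructed sample accounts
    {"name": "alice", "memberOf": {RECEPTION_GROUP}},
    {"name": "bob", "memberOf": {"CN=Domain Users,CN=Users,DC=example,DC=com"}},
]
ROLE_MAPPING = [(RECEPTION_GROUP, "Reception Operator")]  # (AD group, role)

def map_roles(user, role_mapping):
    """Roles assigned to a user by AD group membership."""
    return {role for group, role in role_mapping if group in user["memberOf"]}

def enforce(roles, policy):
    """Return the profile of the first matching rule, else the default profile."""
    for role, profile in policy["rules"]:
        if role in roles:
            return profile
    return policy["default"]

def decisions(policy):
    """Profile each sample user ends up with under the given policy."""
    return {u["name"]: enforce(map_roles(u, ROLE_MAPPING), policy) for u in USERS}

def unintended_access(policy):
    """Users granted a non-deny profile without being in the reception group."""
    return sorted(u["name"] for u in USERS
                  if decisions(policy)[u["name"]] != DENY
                  and RECEPTION_GROUP not in u["memberOf"])

# Rule references the role the mapping assigns; anything else is denied.
STRICT = {"rules": [("Reception Operator", "Receptionist")], "default": DENY}
# Constructed mismatch: the rule names a role the mapping never assigns,
# so no rule matches and every login falls through to the default deny.
MISMATCH = {"rules": [("Receptionist", "Receptionist")], "default": DENY}
# The workaround: still no matching rule, but a permissive default profile.
WORKAROUND = {"rules": [("Receptionist", "Receptionist")],
              "default": "Operator Login AD Users"}

if __name__ == "__main__":
    for name, policy in [("strict", STRICT), ("mismatch", MISMATCH),
                         ("workaround", WORKAROUND)]:
        print(name, decisions(policy), "unintended:", unintended_access(policy))
```

Under the workaround policy the receptionist can log in again, but so can every other account that authenticates, which is the point raised in the last two replies.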