Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Receptionist user based on AD Group/User settings

  • 1.  Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 04:58 AM

    Hi Guys,

    First things first:

    We're using several Aruba Instant "farms" with guest captive portals.

    We are currently using the ClearPass Guest web interface to provision time-limited guest tickets to our clients. These tickets are created by several receptionists.

    Currently, the receptionists use the same user, which is located in the local ClearPass server database with the privilege level "Receptionist".

    (ClearPass Policy Manager -> Administration -> Users and Privs -> Admin Users)

    We now want to change this to a personalized AD user. We added an authentication method and the AD connection for this method works fine, but I cannot find an option for how to add AD users to this "Receptionist" role.

    Can you help me out?

    br

    Patzed



  • 2.  RE: Receptionist user based on AD Group/User settings
    Best Answer

    Posted Nov 15, 2017 06:24 AM

    1. You need to create an enforcement profile which maps the "admin_privilages" attribute to the "Receptionist" operator profile.

    admin_priv.jpg

    2. Then copy the [Guest Operator Logins] service. Modify the copied service by adding your Active Directory auth source. Then add some role mapping to identify your reception users. E.g.

    admin_mapping.jpg

    3. Then copy the built-in enforcement policy [Guest Operator Logins] and modify the copy. Add a condition to map the [Reception Operator] role (from the role mapping in step 2) to the enforcement profile (from step 1). E.g.

    admin_enforcemn.jpg

    4. Move your copied [Guest Operator Logins] service above the default built-in [Guest Operator Logins] service.

    NOTE: Do not delete anything default from the copied [Guest Operator Logins] service.



  • 3.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 08:00 AM

    Hello,

    Many thanks for your description.

    Can you give me a hint how to move enforcement policies? They are numbered, but I cannot move them up or down?!

    br

    Patzed



  • 4.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 08:05 AM
    Just click on one of the rules in the enforcement policy and click on the "move up" or "move down" button below them.


  • 5.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 08:08 AM

    Hey J,

    Ah, inside the policy in the Rules tab! No matter if there is a default Guest Operator Login policy as shown in my screenshot?!

    I'll test the procedure soon and give feedback.

    Many thanks so far.



  • 6.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 08:54 AM

    It's really strange that the access is denied because of a policy, as the policy is a copy of a working local authentication policy... hmm

    CPPM _Deny.jpg

    CPPM _Deny_2.jpg



  • 7.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 09:59 AM

    It's likely that your enforcement policy doesn't match the authentication request, so it is applying the default deny policy.



  • 8.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 10:00 AM

    I modified the policy to the default profile "Operator Login AD Users". It's working now.

    CPPM _allow_ad_.jpg



  • 9.  RE: Receptionist user based on AD Group/User settings

    EMPLOYEE
    Posted Nov 15, 2017 10:05 AM
    By doing that, you've effectively allowed anyone that successfully authenticates to access this. Please find out why your rule isn't matching instead.


  • 10.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 10:34 AM
    Yeah, don't leave it like that.


  • 11.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 10:48 AM

    You're right. That's not the intention.

    Can you give me a hint where to search? I defined the "memberof" field with the content "Reception" and added my test user to the group "reception", but it seems not to work.

    1.: I replaced the default profile back to "Deny"

    CPPM _Deny_3.jpg



  • 12.  RE: Receptionist user based on AD Group/User settings

    EMPLOYEE
    Posted Nov 15, 2017 10:54 AM
    Look in access tracker under the input tab in authorization. Do you see the group listed?

    Also, it's recommended to use the "Group" attribute instead of memberOf.


  • 13.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 11:05 AM

    As I wrote, I changed the settings back to default: deny, but we can still log on with any AD-authenticated user. That's really weird. Do we need to restart any service?

    I changed the attributes to the following:

    CPPM _group.jpg

    Yes, I see the group listed.



  • 14.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 11:29 AM
    Can you post a screenshot of the access tracker, input tab authorization section?


  • 15.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 11:41 AM

    Hey J,

    aruba_shot1.jpg

    The Input tab is huge, contains hundreds of groups (yes I know...) but not the requested group "reception".

    Authentication still works for users with AND without the correct AD group.



  • 16.  RE: Receptionist user based on AD Group/User settings

    EMPLOYEE
    Posted Nov 15, 2017 11:44 AM
    I thought you said it was there?

    Is this a nested group?


  • 17.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 11:46 AM

    Ah, sorry for the misunderstanding.

    Yes, it's there, but I'm now logging in with a user that should not be able to log on because the user isn't part of the group, but it still works for all AD users as it seems.

    If I use my test user, which is in the group, the group is also recognized in the Authorization tab.



  • 18.  RE: Receptionist user based on AD Group/User settings

    EMPLOYEE
    Posted Nov 15, 2017 11:50 AM
    Please work with your Aruba ClearPass partner or Aruba TAC. It's very difficult to troubleshoot in real-time in a forum setting.


  • 19.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 15, 2017 12:05 PM

    That can be complicated because we changed the distri..

    It should be easy to find out why the authorization is granted without being in the listed group?

    However, I'll try to get official support.

    Is there any possibility to open a TAC via mail as an end customer?

    br

    patzed



  • 20.  RE: Receptionist user based on AD Group/User settings

    EMPLOYEE
    Posted Nov 16, 2017 08:33 AM

    If you need an example of how you can set it up, please check this ClearPass video series. More specifically, Wireless #3 - Wireless Role Based Access for the AD group mapping, and Guest #6 - Operator Profiles for ClearPass Guest backend login (Receptionist).



  • 21.  RE: Receptionist user based on AD Group/User settings

    Posted Nov 16, 2017 08:43 AM

    Thanks all for the support.

    I contacted HPE via the MyNetworking account and finally got the solution now.

    The issue was hidden in the Service -> Roles -> Default Role.

    This default role was set to the same Receptionist role, so the fallback case was an authorization as well, where it should be a role which is not authorized.

    Authorization is now working with the [Group "CONTAINS" -> e.g. Reception] condition.

    br

    Patzed
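Added here as an illustration, not ClearPass code and not from anyone in the thread: a small Python model of the service evaluation laid out in the best answer (post 2) and of the root cause found in post 21, so the effect of the default role and default profile can be checked offline. The role name [Reception Operator] and the profile "Operator Login AD Users" come from the thread; [Other], [Deny Access Profile] and the receptionist profile name are assumed, and the sample users are constructed.

```python
# Toy model of a ClearPass operator-login service (constructed for this
# thread, not ClearPass code): authenticate, then role mapping with the
# service's default role, then the enforcement policy with its default profile.
from dataclasses import dataclass

DENY = "[Deny Access Profile]"                  # assumed built-in deny profile
RECEPTIONIST = "Receptionist Operator Profile"  # profile from post 2, step 1 (name assumed)
ALLOW_ALL_AD = "Operator Login AD Users"        # the default profile tried in post 8


@dataclass
class Service:
    role_rules: list         # (attribute, operator, value, role); first match wins
    default_role: str        # role assigned when no role rule matches
    enforcement_rules: dict  # role -> enforcement profile
    default_profile: str     # profile applied when no enforcement rule matches


def map_role(service, attrs):
    """Role mapping stage: first matching rule's role, else the service default role."""
    for attr, op, value, role in service.role_rules:
        groups = attrs.get(attr, [])
        if op == "CONTAINS" and any(value in g for g in groups):
            return role
    return service.default_role


def login(service, user):
    """Full decision: unauthenticated users are denied before any mapping runs."""
    if not user["authenticated"]:
        return DENY
    role = map_role(service, user["attrs"])
    return service.enforcement_rules.get(role, service.default_profile)


# Constructed sample users: only the first carries the AD group "Reception".
RECEPTION_USER = {"authenticated": True, "attrs": {"Group": ["Domain Users", "Reception"]}}
OTHER_USER = {"authenticated": True, "attrs": {"Group": ["Domain Users", "Finance"]}}

RULES = [("Group", "CONTAINS", "Reception", "[Reception Operator]")]
ENFORCEMENT = {"[Reception Operator]": RECEPTIONIST}

# Post 21's fault: the service default role equals the receptionist role, so
# every authenticated AD user falls through to an authorized role.
BROKEN = Service(RULES, "[Reception Operator]", ENFORCEMENT, DENY)
# Post 8's shortcut: the default profile itself grants access to everyone.
TOO_OPEN = Service(RULES, "[Other]", ENFORCEMENT, ALLOW_ALL_AD)
# Intended: unmatched users get [Other], which no enforcement rule authorizes.
FIXED = Service(RULES, "[Other]", ENFORCEMENT, DENY)
```

Running `login(BROKEN, OTHER_USER)` reproduces the symptom from posts 13 to 17 (a user outside the group still gets the receptionist profile), while `FIXED` denies that user and still authorizes `RECEPTION_USER`.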


  • 22.  RE: Receptionist user based on AD Group/User settings

    Posted Apr 02, 2019 08:33 AM

    What will the query look like if we want to pull the OU membership of the computer object? I have Authorization enabled for the service, but it is only pulling the info in the first image; it looks like it is only querying the hostDnsName and hostOperatingSystem from the DC:

    query1.PNG

    query2.PNG

    query3.PNG