MVP
Posts: 765
Registered: ‎03-25-2009

cppm sponsor guest logon

What I'm trying to accomplish:


Self-registration page with sponsor verification before activating the guest account.

Since it can be hard for the guest to remember the exact spelling of the sponsor's name/email address I thought I'd simply add a drop-down list where the guest simply selects the department he wants to visit.

In this drop-down list the department name is linked to the department's email address, which is a distribution list, so that the entire department receives the request and could OK the sponsor request by logging in with their AD credentials.


a) First, I would have expected that the policy manager default service [Policy Manager Admin Network Login Service] would be able to handle these sponsor logons with its "Connection - NAD-IP-Address - EQUALS - 127.0.0.1" service rule. It isn't.

 

So I created an application service which checks for an AD group and returns an application accept enforcement profile.
Access tracker shows this as an accept, but the sponsor is still unable to logon. The sponsor himself sees a "user or password error" being returned.

 

I cut down on the process by entering a fixed sponsor email address into the respective form but this does not help me get any further.

 

Anybody got a clue why my sponsors are being denied even though access tracker sees the application accept?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: cppm sponsor guest logon

You will either have to open a case or reveal personal information to get to the bottom of this....



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 765
Registered: ‎03-25-2009

Re: cppm sponsor guest logon

[ Edited ]

Got TAC involved.

 

Apparently returning an application accept with or without the "Privilege-Level" = sponsor attribute set isn't enough.

TAC's solution was to create an operator and translation rule 'sponsor' and then return the application accept with "admin_privileges" = sponsor.

 

Although this works, I'm not yet convinced this is the way to go as I cannot find any setting in those profiles to just allow sponsoring. TAC just gave full access to a bunch of stuff in here.

 

So, anybody that can tell me what I should return to allow external AD users to sponsor guest requests?  Or must I use an ldap operator server from the guest section to do this? Seems silly as I have cppm running to handle ALL other authentications.

Koen (ACMX #351 | ACDX #547 | ACCP)

MVP
Posts: 765
Registered: ‎03-25-2009

Re: cppm sponsor guest logon

Anyone know the correct procedure to allow sponsors only from a specific group in AD?

Koen (ACMX #351 | ACDX #547 | ACCP)

Super Contributor II
Posts: 387
Registered: ‎09-05-2012

Re: cppm sponsor guest logon

[ Edited ]

I am not 100% sure how you would do it in AD....

But using an LDAP group we just check for membership of the group. If the user is in the group then we use an Enforcement Profile that sets the 'admin_privileges' = 'to some value'.

 

I just used the predefined service 'Guest Operator Logins' as a guideline to setup a new service.

 

Then on the 'Translation Rules' we look for the value of the 'admin_privileges' and assign an operator profile appropriate to the value.

 

We use two different groups, one for general administration - the sponsor can only see the accounts he/she has created.

And then a super administrator - this user can see all guest accounts created by any sponsor.

 

This is handled by two different operator profiles.
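A small model of the flow described in this reply, added here as an illustration; it is not ClearPass code or the poster's configuration. The group DNs, profile names and sample guest accounts are assumptions, and the point it makes is the one the thread found the hard way: an application accept without an 'admin_privileges' value translates to no operator profile, so the sponsor login is refused.

```python
# Added example (not ClearPass code): model of the sponsor-login flow
# group membership -> enforcement attribute 'admin_privileges'
#                  -> translation rule -> operator profile -> visible accounts.
# Group DNs, profile names and sample accounts are constructed for illustration.
from dataclasses import dataclass

# Assumed group-to-privilege mapping ("two different groups" in the reply),
# listed from most to least privileged so a user in both gets the higher one.
GROUP_PRIVILEGE = [
    ("CN=Guest-Admins,OU=Groups,DC=example,DC=com", "super_admin"),
    ("CN=Guest-Sponsors,OU=Groups,DC=example,DC=com", "sponsor"),
]

# Assumed translation rules: admin_privileges value -> operator profile.
TRANSLATION_RULES = {
    "sponsor": "Guest Sponsor",          # sees only the accounts it created
    "super_admin": "Guest Super Admin",  # sees every guest account
}

@dataclass(frozen=True)
class GuestAccount:
    username: str
    sponsor: str   # operator who created the account

def enforcement_attributes(member_of):
    """Model of the enforcement profile: the application-accept attributes
    returned for a user, derived from group membership. A bare accept with
    no admin_privileges is what the thread found insufficient."""
    groups = set(member_of)
    for dn, priv in GROUP_PRIVILEGE:
        if dn in groups:
            return {"admin_privileges": priv}
    return {}  # accepted, but carries no privilege attribute

def operator_profile(attrs):
    """Model of the translation rule: admin_privileges -> operator profile.
    Returns None when the attribute is missing or unknown (login refused)."""
    return TRANSLATION_RULES.get(attrs.get("admin_privileges"))

def visible_accounts(profile, operator, accounts):
    """Least-privilege view: a sponsor sees only accounts he/she created,
    a super admin sees all, and no profile means nothing at all."""
    if profile == "Guest Super Admin":
        return list(accounts)
    if profile == "Guest Sponsor":
        return [a for a in accounts if a.sponsor == operator]
    return []
```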
