Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Use role_id guest user attribute for MAC authentication

  • 1.  Use role_id guest user attribute for MAC authentication

    Posted Nov 10, 2020 09:58 AM
    Hi

    I would like to use the role_id attribute for authorization purposes in MAC authentication. I have a self-registration captive portal with MAC caching, and I would like the customer to be able to change user roles from the guest user database, so that when devices associated with that user reconnect, they get the attributes of the new role.

    So far I have tried some code I found in other posts, with some changes:

    SELECT tgu.attributes->>'Role ID' AS role_id FROM tips_guest_users as tgu WHERE tgu.guest_type = 'DEVICE' AND tgu.user_id = UPPER('%{Endpoint:Username}')

    Adding a new attribute at Authentication Sources -> Guest user repository, and then using that authorization attribute in role mapping, but no luck so far.

    Can anyone help me?

    Regards

    ------------------------------
    Marcos Gonzalez
    ------------------------------


  • 2.  RE: Use role_id guest user attribute for MAC authentication

    MVP EXPERT
    Posted Nov 11, 2020 11:14 AM
    Device Role ID is available by default in [Guest Device Repository]

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Use role_id guest user attribute for MAC authentication

    Posted Nov 11, 2020 11:31 AM
    Hi. Yes I know, but I'm talking about [Guest User Repository].

    Regards,

    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 4.  RE: Use role_id guest user attribute for MAC authentication

    MVP EXPERT
    Posted Nov 11, 2020 11:37 AM
    MAC Authentication does not use that auth source.

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: Use role_id guest user attribute for MAC authentication

    Posted Nov 11, 2020 11:43 AM
    Hi Tim.

    Actually, you can use authorization attributes like user expired or user enabled, and there are many references in other posts saying that you can use custom attributes, but I can't get the SQL query for the role_id attribute to work.

    Regards

    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 6.  RE: Use role_id guest user attribute for MAC authentication

    MVP EXPERT
    Posted Nov 11, 2020 11:47 AM
    Use GuestUser:Role ID then.

    ------------------------------
    Tim C
    ------------------------------



  • 7.  RE: Use role_id guest user attribute for MAC authentication

    Posted Nov 12, 2020 04:10 AM
    That's what I'm trying, but role_id is not pre-defined as an authorization attribute in the guest user repository source definition on CPPM:



    So, I'm trying to add a new custom attribute:


    With a custom SQL Query similar to this:



    That query is the one that is not working for me.

    Regards,




    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 8.  RE: Use role_id guest user attribute for MAC authentication
    Best Answer

    Posted Nov 12, 2020 04:21 AM
    Hi, after several tries it appears that the correct SQL query is this one:

    SELECT tgu.attributes->>'Role ID' AS role_id FROM tips_guest_users as tgu WHERE tgu.guest_type = 'USER' AND tgu.user_id = '%{Endpoint:Username}'

    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 9.  RE: Use role_id guest user attribute for MAC authentication

    MVP EXPERT
    Posted Nov 12, 2020 10:19 AM
    GuestUser:Role ID is automatically created and is not based on [Guest User Repository] filters. 

    You should not use Endpoint attributes when referencing Guest data directly.

    ------------------------------
    Tim C
    ------------------------------