Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Use role_id guest user attribute for MAC authentication

  • 1.  Use role_id guest user attribute for MAC authentication

    Posted 18 days ago
    Hi

    I would like to use the role_id attribute for authorization purposes in MAC authentication. I have a self-registration captive portal with MAC caching, and I would like the customer to be able to change user roles from the guest user database, so that when devices associated with that user reconnect, they get the attributes of the new role.

    So far I have tried some code I found in other posts, with some changes:

    SELECT tgu.attributes->>'Role ID' AS role_id FROM tips_guest_users as tgu WHERE tgu.guest_type = 'DEVICE' AND tgu.user_id = UPPER('%{Endpoint:Username}')

    I added a new attribute at Authentication Sources -> Guest User Repository, and then used that authorization attribute in role mapping, but no luck so far.

    Can anyone help me?

    Regards

    ------------------------------
    Marcos Gonzalez
    ------------------------------


  • 2.  RE: Use role_id guest user attribute for MAC authentication

    Posted 17 days ago
    Device Role ID is available by default in [Guest Device Repository]

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Use role_id guest user attribute for MAC authentication

    Posted 17 days ago
    Hi. Yes I know, but I'm talking about [Guest User Repository].

    Regards,

    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 4.  RE: Use role_id guest user attribute for MAC authentication

    Posted 17 days ago
    MAC Authentication does not use that auth source.

    ------------------------------
    Tim C
    ------------------------------



  • 5.  RE: Use role_id guest user attribute for MAC authentication

    Posted 17 days ago
    Hi Tim.

    Actually, you can use authorization attributes like user expired or user enabled, and there are many references in other posts saying that you can use custom attributes, but I can't get the SQL query for the role_id attribute to work.

    Regards

    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 6.  RE: Use role_id guest user attribute for MAC authentication

    Posted 17 days ago
    Use GuestUser:Role ID then.

    ------------------------------
    Tim C
    ------------------------------



  • 7.  RE: Use role_id guest user attribute for MAC authentication

    Posted 16 days ago
    That's what I'm trying, but role_id is not pre-defined as an authorization attribute in the guest user repository source definition on CPPM:



    So, I'm trying to add a new custom attribute:


    With a custom SQL Query similar to this:



    That query is the one that is not working for me.

    Regards,




    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 8.  RE: Use role_id guest user attribute for MAC authentication
    Best Answer

    Posted 16 days ago
    Hi, after several tries it appears that the correct SQL query is this one:

    SELECT tgu.attributes->>'Role ID' AS role_id FROM tips_guest_users as tgu WHERE tgu.guest_type = 'USER' AND tgu.user_id = '%{Endpoint:Username}'

    ------------------------------
    Marcos Gonzalez
    ------------------------------



  • 9.  RE: Use role_id guest user attribute for MAC authentication

    Posted 16 days ago
    GuestUser:Role ID is automatically created and is not based on [Guest User Repository] filters. 

    You should not use Endpoint attributes when referencing Guest data directly.

    ------------------------------
    Tim C
    ------------------------------