Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Guest Deployment with many Roles and Self-serve Device Registration

  • 1.  Guest Deployment with many Roles and Self-serve Device Registration

    Posted May 21, 2021 12:32 PM
    Hello Community!

    I'm using the Guest DB to authenticate many Guest users onto wireless with their own roles (it's a suite-based deployment, each suite/tenant gets their own account) - I want to grant them access to the Guest dashboard to be able to register other devices. These accounts can log in, but every device they register inherits the default role_id ([Guest]) from the form mactrac_create. Is there a way to automatically insert the role id into that field based on the role of the user that is logged in to register the device? (i.e. tenant1 logs into Device Registration, registers a new MAC and it gets the role tenant1?) I'd ideally like to be able to do this without creating individual device operator profiles for each role, as this is a deployment with hundreds of suites/tenants.

    On the wireless side there are 2 SSIDs (1 PEAP-based 802.1X and 1 MPSK-based). I'm using role-to-role firewall rules inside PEF to allow only like roles to communicate with each other so that I don't have to also create hundreds of VLANs on the controller to support the solution. This is working great; the self-service device registration is the only point I'm struggling with.

    Any ideas/suggestions?

    Thanks in advance,
    Tim

    ------------------------------
    Tim Friesen
    ------------------------------


  • 2.  RE: Guest Deployment with many Roles and Self-serve Device Registration

    Posted May 22, 2021 04:41 AM
    If the role name and Sponsor Name are the same you could just use the %{Authorization:[Guest Device Repository]:SponsorName} variable. 




  • 3.  RE: Guest Deployment with many Roles and Self-serve Device Registration

    Posted May 24, 2021 04:28 AM
    Back in 2017 I put this conceptual pseudo-multi-tenancy solution together. This was never deployed. This is not explicitly doing what you want, but it's not far off. Hopefully it gives some pointers.

    ------------------------------
    Derin Mellor
    ------------------------------

    Attachment(s)

    pptx
    Pseudo Multi-Tenant.pptx   3.58 MB 1 version


  • 4.  RE: Guest Deployment with many Roles and Self-serve Device Registration

    Posted May 25, 2021 10:37 AM
    Thanks a lot for sharing that pptx, Derin. There's a lot of good information in there and I'll definitely steal a couple ideas.

    In the end though, what I was hoping for was a way to pre-populate the role_id field inside the mactrac_create form that is based on the role id of the tenant that logs into the CPG dashboard for device creation. It looks like you're using separate operator profiles in your solution, which I know will work - I was just hoping to avoid creating 300+ operator profiles (1 for each tenant).

    I'll keep playing around but I definitely saw some things in your powerpoint that I liked, so thanks again!

    ------------------------------
    Tim Friesen
    ------------------------------