Security

  • 1.  Guest; Captive Portal; sponsor approval architecture

    Posted May 24, 2016 01:06 AM

    If I want CPPM to offer Guest as per following architecture/topology,

    1. Visitors - Self registration, input in a field the email address of the sponsor from organisation they are visiting.. need a sponsor to approve before authenticated.

    2. Contractors - Self registration, input in a field the email address of the sponsor from organisation they are visiting, and additionally, perhaps tick a checkbox to denote 'contractor' ... need a sponsor to approve and additionally vet whether really is a contractor obviously.

    Pending sponsor approval for each scenario 1. and 2. different VLAN enforcement profile.

     

    Can a 'sponsor approval' architecture be employed per se in the way it is depicted above ?

    Such that sponsor receives an email when someone attempts to self-register and complete form.  They are denoted as an Operator in CPPM and then go in to approve access ?



  • 2.  RE: Guest; Captive Portal; sponsor approval architecture
    Best Answer

    Posted May 24, 2016 01:33 AM
    For #2 it would be easier if you have two links on the main redirect
    1. Guest
    2. Contractors

    I would suggest working with a Partner or Professional Service on the deployment. It is not as simple and click and go. You are going to need to have AD integration setup in guest and sponsor profiles setup in the guest side of CPPM.

    Essentially you can do what you are looking for will a few design changes but it will take a minimum Advance Clearpass Training to know how to set it up.


  • 3.  RE: Guest; Captive Portal; sponsor approval architecture

    Posted May 24, 2016 02:51 AM

    The additional 2 x HTTP landing pages makes sense.

    But it's more the Guest Access Management Processes.. (referencing the 'ClearPass_Guest_User_Guide_6.6 at that also...).

    It references 2 x fundamental distinct methods.

    - Sponsored Guest Access

    - Self Provisioned Guest Access

    Yet, in a CPPM Guest presentation I had given to me by Aruba in my region, this slide insinuates there's  a blend between the two..

     

    Automated Guest Self-Service.png

     

    There's the Self Service part of provisioning one's information. 

    Then the sponsor/operator part to confirm that guest is valid.

    Then the enablement via the sponsor/operator clicking 'confirm'.

     

    That above workflow depicted in the slide I literally need.

    Coupled with the additional HTTP redirect for 'guest' vs 'contractor'.



  • 4.  RE: Guest; Captive Portal; sponsor approval architecture

    Posted May 24, 2016 03:03 AM
    I understand that, but all that slide shows is the work flow of Sponsored Access. Maybe its me but I dont see how it references both.

    Like I stated before you can do what you are looking for but you would need to make a initial landing page and let the guest click the link to the proper provisioning page. CPPM does Not natively have an option to chose you are a contractor by checking a box.

    You could do it with the API and custom HTML coding. The option I'm giving you is something that could be done without custom HTML coding. You will still need to setup AD integration for sponsors to log in and approve guest and setup custom roles for them to have access based on a AD group.


  • 5.  RE: Guest; Captive Portal; sponsor approval architecture

    Posted May 24, 2016 03:11 AM

    Do away with the checkbox. Two different links for the two different competencies is fine.

    And yes, the AD backhaul is implicit for the sponsors/operators to approve.

     

    Sorry .. the Sponsored Guest Access detail in the Guest User Guide for CPPM 6.6 mentions 'operators/sponsors PROVISIONING guest accounts.. emailing/SMS'ing the receipt, etc'.. not simply APPROVING guest particulars that the guests enter.  Hence my confusion.

     

    As per below.

     

    Sponsored Guest Access.png

     

    If this is purely the Sponsored Access method and no flavour/element of Self-Provisioning.. then that is what it will be.



  • 6.  RE: Guest; Captive Portal; sponsor approval architecture



  • 7.  RE: Guest; Captive Portal; sponsor approval architecture

    Posted Feb 10, 2017 03:32 PM

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-enable-option-to-override-guest-user-s-role-when-sponsor/ta-p/234588

     

    By following the above steps the sponsor will assign a desired role to a guest user and soon after the guest authenticates  against clearpass, In the access tracker we can have those attributes with role name so we can   impliment and enforce the policy's by sending the required roles to the controller to give him access