If I want CPPM to offer Guest as per following architecture/topology,
1. Visitors - Self registration, input in a field the email address of the sponsor from the organisation they are visiting... need a sponsor to approve before authenticated.
2. Contractors - Self registration, input in a field the email address of the sponsor from the organisation they are visiting, and additionally, perhaps tick a checkbox to denote 'contractor'... need a sponsor to approve and additionally vet whether they really are a contractor, obviously.
Pending sponsor approval for each scenario 1. and 2. different VLAN enforcement profile.
Can a 'sponsor approval' architecture be employed per se in the way it is depicted above?
Such that the sponsor receives an email when someone attempts to self-register and completes the form. They are denoted as an Operator in CPPM and then go in to approve access?
The additional 2 x HTTP landing pages makes sense.
But it's more the Guest Access Management Processes... (referencing the 'ClearPass_Guest_User_Guide_6.6' at that also...).
It references 2 x fundamental distinct methods.
- Sponsored Guest Access
- Self Provisioned Guest Access
Yet, in a CPPM Guest presentation I had given to me by Aruba in my region, this slide insinuates there's a blend between the two..
There's the Self Service part of provisioning one's information.
Then the sponsor/operator part to confirm that guest is valid.
Then the enablement via the sponsor/operator clicking 'confirm'.
That above workflow depicted in the slide I literally need.
Coupled with the additional HTTP redirect for 'guest' vs 'contractor'.
Do away with the checkbox. Two different links for the two different competencies is fine.
And yes, the AD backhaul is implicit for the sponsors/operators to approve.
Sorry... the Sponsored Guest Access detail in the Guest User Guide for CPPM 6.6 mentions 'operators/sponsors PROVISIONING guest accounts... emailing/SMS'ing the receipt, etc.'... not simply APPROVING guest particulars that the guests enter. Hence my confusion.
As per below.
If this is purely the Sponsored Access method and no flavour/element of Self-Provisioning.. then that is what it will be.
This might help!
By following the above steps, the sponsor will assign a desired role to a guest user, and soon after the guest authenticates against ClearPass, in the Access Tracker we can have those attributes with the role name, so we can implement and enforce the policies by sending the required roles to the controller to give him access.