Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

One group of users accessing multiple mactrac pages

  • 1.  One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:01 PM

    Can I configure ClearPass MACTrac with one group of users accessing different MACTrac pages?

    Is this supported?

     

    I am trying to configure this requirement, but it seems like ClearPass does not support this.

     



  • 2.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:04 PM
    No, but you could get creative and utilize realms to make access decisions.

    For example, these 3 usernames (although the same user) can take the user to different pages using:

    cappalli@studentdevice.cpg
    cappalli@staffdevice.cpg
    cappalli@helpdesk.cpg


  • 3.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:10 PM

    Realms do not help; it is the same group of users.

     

    MACTrac pages are tied to the roles, and this is why ClearPass fails.



  • 4.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:12 PM
    Yes, you put the users into different admin roles based on the realm suffix...


  • 5.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:27 PM

    Can you show how your logic works?

     

    say criteria1 --> role1 --> mactrac page1
        criteria2 --> role2 --> mactrac page2

     

     



  • 6.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:31 PM
    Exactly.

    Authentication:Full-Username ENDS_WITH @mactrac1
    Enforcement: Operator Profile: MACTrac1

    Be sure to enable realm stripping in the service.


  • 7.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:37 PM

    Can you explain how your solution works, step by step?

    Should I send multiple roles? 

     



  • 8.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:40 PM

    ClearPass MACTrac fails because it's the role that controls the logic, not the MACTrac page.

    I hope the ClearPass developers see this post and reverse the logic or offer an alternative way to control the MACTrac logic.

     

    I can send multiple roles, but it should be the page that filters which roles it will allow or not.

     

    If I send a single role, it's the first role hit in the enforcement that will be applied, thus the logic fails if the same user wants to access page 2.

     



  • 9.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 12:46 PM

    You need to have an enforcement profile for each operator role.

    You create a rule for each realm suffix and map them to an operator role.

    So if I use cappalli@student.mactrac as my username, I get the "STUDENT" operator profile in CPG.



  • 10.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:05 PM

    Can you test this in your lab? 



  • 11.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:06 PM

     

    This is a total ClearPass MACTrac failure.

    I have lots of ClearPass 25K hardware, very expensive equipment, more than 100 thousand dollars, but it will not allow one group of users to access multiple MACTrac pages. It is junk!



  • 12.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:12 PM
    I have customers running with this configuration without issue.

    You should consider working with your ClearPass partner.


  • 13.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:23 PM

    I've been working with Aruba TAC for a year now, and nobody was able to provide a solution.

    A year has passed and it still does not work.

     



  • 14.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:27 PM
    Have you worked with your Aruba / ClearPass partner?


  • 15.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:32 PM

    I've been working with Aruba support for a year now, and nobody was able to provide a solution.

    A year has passed and it still does not work. So I am frustrated using ClearPass; it cost us more than 100 thousand dollars and this feature does not work.

     



  • 16.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:27 PM

    If you are telling the truth, what is your Rules Evaluation Algorithm? Post your setup, from enforcement to operator login profile, rules and MACTrac pages.

     

     

     



  • 17.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:32 PM
    I've explained it in 3 different posts.

    I'll summarize again here:

    ENFORCEMENT POLICY:
    RULE 1
    Authentication:Full-Username ENDS_WITH @value1.xyz
    ENFORCEMENT PROFILES:
    admin_privileges = CPG-Operator-Profile-Name

    RULE 2
    Authentication:Full-Username ENDS_WITH @value2.xyz
    ENFORCEMENT PROFILES:
    admin_privileges = CPG-Operator-Profile-Name


  • 18.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:37 PM

    Sending a single role "CPG-Operator-Profile-Name" to access page1 or page2 will default to page1 only.



  • 19.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:44 PM
    Right. When you log in with #2, you'll get page #2.


    Thanks,
    Tim


  • 20.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:49 PM

    In your "Operator Logins" enforcement, what is the "Rules Evaluation Algorithm"? Is it "select first match" or "evaluate all"?

     

    Did you create 2 separate operator roles? role1 and role2? 



  • 21.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:51 PM
    Enforcements should always be first match.


    Thanks,
    Tim


  • 22.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:53 PM

    Did you create 2 separate operator roles? role1 and role2?  

    role1 linked to page1 and role2 linked to page2. 



  • 23.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:53 PM
    Yes. You should have an operator profile for each variation of the UI (forms, permissions, enabled features).


    Thanks,
    Tim


  • 24.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:58 PM

    In your translation rules, what is your per-role "fallthrough"? "Continue translation if rule matches", or stop?



  • 25.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 01:59 PM
    I have an exact attribute match rule. No per role rules.


    Thanks,
    Tim


  • 26.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 02:05 PM

    This is the difference in your setup.

     

    So how is it exactly defined? In a Translation Rule, or in an expression?



  • 27.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 02:11 PM

    Does your setup look like:

    attribute: admin_privileges equals CPG-Operator-Profile-Name;

    on match assign "fixed operator profile" operator role1?



  • 28.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 02:17 PM

     

    Still, ClearPass MACTrac can't provide access to multiple pages for the same user.

    Unless the ClearPass software developers fix this problem.



  • 29.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 09, 2015 10:55 PM

    (attached image: cppm-cpg.JPG)



  • 30.  RE: One group of users accessing multiple mactrac pages

    Posted Nov 10, 2015 04:44 AM

    Hello wireless_network10,

     

    I'm struggling to understand what you really want to achieve here. Tim is giving you solutions, but as far as I can tell you are not talking about the same things.

     

    1. Do you want user1@domain.com to be able to access a single mac-trac page during a single login?

    OR

    2. Do you want user1@domain.com to access mac-trac-page1 AND mac-trac-page2 during a single login?

    OR

    3. Do you want user1@domain.com to only reach mac-trac-page1 and user2@domain.com to only reach mac-trac-page2?

    OR

    4. A combination of 2 and 3: different users reach multiple mac-trac pages during a single login.

     

     

    If a combination or none of the above, please formulate your requirement in terms of what you want to achieve, not HOW you are trying to achieve it.

    Looking forward to the challenge.