Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass guest operator logins

  • 1.  ClearPass guest operator logins

    Posted Aug 14, 2013 09:25 AM

    I have an LDAP server specified with translation rules for operator logins, keying off memberOf contains for various AD groups and that all works. Users log in and get the correct role in Guest. However, in CPPM Access Tracker, all the requests show as rejected for the service "Guest Operator Logins". Users are indeed able to log in. The Guest Operator Logins service cannot be edited. This is running CPPM 6.2.0.54567.

     

    guest_operator.JPG



  • 2.  RE: ClearPass guest operator logins
    Best Answer

    Posted Aug 14, 2013 02:16 PM

    If you're not using the standard guest operator logins, then you can disable this default service in CPPM, to prevent the errors showing up in Access Tracker.

     



  • 3.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 02:14 AM

    Guys, 

     

     

    I appreciate the LDAP server definition in ClearPass Guest and the LDAP translation rules for Operator logins for LDAP group membership - but shouldn't this kind of function be enabled in CPPM?

     

    Sorry if I have missed something

     

    thanks

     

    nik



  • 4.  RE: ClearPass guest operator logins

    EMPLOYEE
    Posted Mar 04, 2014 06:53 AM

    You can return a role name from CPPM to CPG but you still need to map the expression in CPG. 

     

    For example, we are returning a student role from CPPM using our campus single sign on system for authentication and LDAP for authorization.

     

    We're sending the attribute admin_privileges with a value of CPG-Brandeis-Student which assigns the operator profile of Brandeis Student. CPPM has no concept of an operator profile which is why it needs to be mapped.

     

    cpg-brandeis-student.PNG

     

    cpg-brandeis-student-sso.PNG



  • 5.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 09:26 AM

    hi tim,

     

    Did you copy the original [Guest Operator Logins] service and edit it?



  • 6.  RE: ClearPass guest operator logins

    EMPLOYEE
    Posted Mar 04, 2014 09:28 AM

    No, I created everything from scratch since the CPPM configuration for SAML/SSO is a bit different.



  • 7.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 09:42 AM

    cool - so CPPM > match DB > TIPS role map > SSO role attribute value > CPG translation map based on attribute > CPG role

     

    sound right? (I still have more questions - thanks a mill BTW)



  • 8.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 01:35 PM

    Tim,

     

    Finally got it (after some troubleshooting and quiet office time)

     

    you are completely correct - and thanks very much for your help - this is not the first time you have helped me out so it's much appreciated

     

    you seem to have well and truly earned that MVP status!

     

    all the best

    nik



  • 9.  RE: ClearPass guest operator logins

    EMPLOYEE
    Posted Mar 04, 2014 01:56 PM

    Sorry for the delay! Glad you got it working!