Security

last person joined: 29 minutes ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass guest operator logins

Jump to Best Answer
  • 1.  ClearPass guest operator logins

    Posted Aug 14, 2013 09:25 AM

    I have an LDAP server specified with translation rules for operator logins, keying off memberOf contains for various AD groups and that all works. Users log in and get the correct role in Guest. However, in CPPM access tracker, all the requests show as rejected for the service "Guest Operator Logins". Users are indeed able to log in. The Guest Operator Logins service cannot be edited. This is running CPPM 6.2.0.54567

     

    guest_operator.JPG



  • 2.  RE: ClearPass guest operator logins
    Best Answer

    Posted Aug 14, 2013 02:16 PM

    If you're not using the standard guest operator logins, then you can disable this default service in CPPM, to prevent the errors showing up in Access Tracker.

     



  • 3.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 02:14 AM

    Guys, 

     

     

    I appreciate the LDAP server definition in clearpass guest and the LDAP translation rules for Operator logins for LDAP group membership - but shouldn't this kind of function be enabled in CPPM?

     

    Sorry if I have missed something

     

    thanks

     

    nik



  • 4.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 06:53 AM

    You can return a role name from CPPM to CPG but you still need to map the expression in CPG. 

     

    For example, we are returning a student role from CPPM using our campus single sign on system for authentication and LDAP for authorization.

     

    We're sending the attribute admin_privileges with a value of CPG-Brandeis-Student which assigns the operator profile of Brandeis Student. CPPM has no concept of an operator profile which is why it needs to be mapped.

     

    cpg-brandeis-student.PNG

     

    cpg-brandeis-student-sso.PNG

     

     

     

     

     



  • 5.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 09:26 AM

    hi tim,

     

    Did you copy the original [Guest Operator Logins] service and edit it?



  • 6.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 09:28 AM

    No, I created everything from scratch since the CPPM configuration for SAML/SSO is a bit different.



  • 7.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 09:42 AM

    cool - so CPPM > match DB > TIPS role map  > SSO role attribute value > CPG translattion map based on attibute > CPG role

     

    sound right? (I still have more questions - thanks a mill BTW)



  • 8.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 01:35 PM

    Tim,

     

    Finally got it (after some troubleshooting and quite office time)

     

    you are completely correct - and thanks very much for your help - this is not the first time you have helped me out so it's much appreciated

     

    you seem to have well and truly earned that MVP status!

     

    all the best

    nik



  • 9.  RE: ClearPass guest operator logins

    Posted Mar 04, 2014 01:56 PM

    Sorry for the delay! Glad you got it working!