Security

Hi everyone,

I'm trying to setup a captive portal guest with sposored mail approval which i managed to do. But, the issue is when a guest put his sponsor mail, he can put any email, and the SMTP server send the request to that email which is not the way i want it because is not secure 

For exemple, if the guest put his second email as a sponsored mail, he will receive a request in his second email and he can accept it .

I saw there is way to put a list of approvals email in advance but not easy with big company (do i need to write down one by one ? 

There is i think a way as well to make a policy for the approvals person if we configure the specific domain name as approvals but it's not possible for me (our company have many domain name internal + external), even i setup those domain name, it's not possible because if a guest has the same domain name with an external salary , it will not work .

There is an option which i need a confirmation from a Clearpass Professionnal to make this easey: 

The approval person needs to connect to the same Wi-Fi (not necessary same SSID) to confirm his guest request ? because i think the approval person when is confirming his guest request, the url confirmation in the email is starting with the captive portal wi-fi guest

So, if it's yes, then i have my answer for all my questions 

So please any advise will be more than welcome

Thank you so much

Hi Ali

To enable authentication for sponsors to ClearPass before approving the guest accounts you check the second checkbox on the Sponsor approval configuration page.

In addition to this, you need to prepare valid guest operator profiles for the users to so they get the correct privileges. Authentication can be done with AD connections or SAML if you have a federation service internally.

Create a custom Guest Operator Login service, mapping AD users to your Guest Operator Profile.

If you have multiple AD domains all of them should be added to the guest operator login service.

Below is an explanation how to restrict possible sponsor approval email domains, even though it's not fully applicable in your case.

Edit the fields of the form of the guest registration page.

For sponsor_email add a validator argument

array (
  'allow' => 
  array (
    0 => 'domain1.com',
    1 => 'domain2.com',
  ),
  'deny' => 
  array (
  ),
)

Hi everyone,

I'm trying to setup a captive portal guest with sposored mail approval which i managed to do. But, the issue is when a guest put his sponsor mail, he can put any email, and the SMTP server send the request to that email which is not the way i want it because is not secure 

For exemple, if the guest put his second email as a sponsored mail, he will receive a request in his second email and he can accept it .

I saw there is way to put a list of approvals email in advance but not easy with big company (do i need to write down one by one ? 

There is i think a way as well to make a policy for the approvals person if we configure the specific domain name as approvals but it's not possible for me (our company have many domain name internal + external), even i setup those domain name, it's not possible because if a guest has the same domain name with an external salary , it will not work .

There is an option which i need a confirmation from a Clearpass Professionnal to make this easey: 

The approval person needs to connect to the same Wi-Fi (not necessary same SSID) to confirm his guest request ? because i think the approval person when is confirming his guest request, the url confirmation in the email is starting with the captive portal wi-fi guest

So, if it's yes, then i have my answer for all my questions 

So please any advise will be more than welcome

Thank you so much

Hi Jonas, 

Thank you for your answer and sorry to my late reply.

As i said in the top of my request, i'm a new one to the ClearPass environnment, so when you are talking about AD connections and SAML, i don't know what does mean even where can i find this parameter. 

When you said "you check the second checkbox on the Sponsor approval configuration page" are you reffering to the authentication box : require sponsor to provide credentials prior to sponsoring ? please see the attached file 

Thnak you 

Hi Ali

To enable authentication for sponsors to ClearPass before approving the guest accounts you check the second checkbox on the Sponsor approval configuration page.

In addition to this, you need to prepare valid guest operator profiles for the users to so they get the correct privileges. Authentication can be done with AD connections or SAML if you have a federation service internally.

Create a custom Guest Operator Login service, mapping AD users to your Guest Operator Profile.

If you have multiple AD domains all of them should be added to the guest operator login service.

Below is an explanation how to restrict possible sponsor approval email domains, even though it's not fully applicable in your case.

Edit the fields of the form of the guest registration page.

For sponsor_email add a validator argument

array (
  'allow' => 
  array (
    0 => 'domain1.com',
    1 => 'domain2.com',
  ),
  'deny' => 
  array (
  ),
)

Hi everyone,

I'm trying to setup a captive portal guest with sposored mail approval which i managed to do. But, the issue is when a guest put his sponsor mail, he can put any email, and the SMTP server send the request to that email which is not the way i want it because is not secure 

For exemple, if the guest put his second email as a sponsored mail, he will receive a request in his second email and he can accept it .

I saw there is way to put a list of approvals email in advance but not easy with big company (do i need to write down one by one ? 

There is i think a way as well to make a policy for the approvals person if we configure the specific domain name as approvals but it's not possible for me (our company have many domain name internal + external), even i setup those domain name, it's not possible because if a guest has the same domain name with an external salary , it will not work .

There is an option which i need a confirmation from a Clearpass Professionnal to make this easey: 

The approval person needs to connect to the same Wi-Fi (not necessary same SSID) to confirm his guest request ? because i think the approval person when is confirming his guest request, the url confirmation in the email is starting with the captive portal wi-fi guest

So, if it's yes, then i have my answer for all my questions 

So please any advise will be more than welcome

Thank you so much

Hi Ali

Yes, you should check the checkbox for "Require sponsors to provide credentials prior to sponsoring", but to be able to authentication you must connect to a corporate directory so the users can authenticate with the usernames from the internal network.

As you work in a large company, I assume you have Active Directory as this is the most common internal directory, but you may have another LDAP directory or user directory.

Configuration of LDAP connection is done in the Policy Manager part of ClearPass under Configuration\Authentication\Sources and after this you need to configure a Guest Operator Login Service.

Check out the video series by @Herman Robers in the Airheads Broadcasting channel on Youtube. This link will take you to the 802.1x part with AD integration, but take a look of all of them:
https://www.youtube.com/watch?v=pY2EnRioUVY&list=PLsYGHuNuBZcbZPEku1zxkfpn2k_O_MENo&index=7

For SAML instructions there are an old document on the support site, but I think it's still valid:
https://support.hpe.com/hpesc/public/docDisplay?docId=a00100369en_us

ClearPass is a quite complex product and the number of options and possible ways to do things can be overwhelming in the beginning. I would recommend contacting a local Aruba partner with deep ClearPass knowledge or the local Aruba SE team to get help to do an initial configuration based on your needs and your specific environment. 

I would also recommend following the hardening guide to remove the access to the guest operator pages and Policy Manager for guests.

Hi Jonas, 

Thank you for your answer and sorry to my late reply.

As i said in the top of my request, i'm a new one to the ClearPass environnment, so when you are talking about AD connections and SAML, i don't know what does mean even where can i find this parameter. 

When you said "you check the second checkbox on the Sponsor approval configuration page" are you reffering to the authentication box : require sponsor to provide credentials prior to sponsoring ? please see the attached file 

Thnak you 

Hi Ali

To enable authentication for sponsors to ClearPass before approving the guest accounts you check the second checkbox on the Sponsor approval configuration page.

In addition to this, you need to prepare valid guest operator profiles for the users to so they get the correct privileges. Authentication can be done with AD connections or SAML if you have a federation service internally.

Create a custom Guest Operator Login service, mapping AD users to your Guest Operator Profile.

If you have multiple AD domains all of them should be added to the guest operator login service.

Below is an explanation how to restrict possible sponsor approval email domains, even though it's not fully applicable in your case.

Edit the fields of the form of the guest registration page.

For sponsor_email add a validator argument

array (
  'allow' => 
  array (
    0 => 'domain1.com',
    1 => 'domain2.com',
  ),
  'deny' => 
  array (
  ),
)

Hi everyone,

I'm trying to setup a captive portal guest with sposored mail approval which i managed to do. But, the issue is when a guest put his sponsor mail, he can put any email, and the SMTP server send the request to that email which is not the way i want it because is not secure 

For exemple, if the guest put his second email as a sponsored mail, he will receive a request in his second email and he can accept it .

I saw there is way to put a list of approvals email in advance but not easy with big company (do i need to write down one by one ? 

There is i think a way as well to make a policy for the approvals person if we configure the specific domain name as approvals but it's not possible for me (our company have many domain name internal + external), even i setup those domain name, it's not possible because if a guest has the same domain name with an external salary , it will not work .

There is an option which i need a confirmation from a Clearpass Professionnal to make this easey: 

The approval person needs to connect to the same Wi-Fi (not necessary same SSID) to confirm his guest request ? because i think the approval person when is confirming his guest request, the url confirmation in the email is starting with the captive portal wi-fi guest

So, if it's yes, then i have my answer for all my questions 

So please any advise will be more than welcome

Thank you so much