Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass guest sponsored approval

  • 1.  ClearPass guest sponsored approval

    Posted Feb 17, 2024 05:19 AM

    Hi everyone,

    I'm trying to set up a captive portal guest with sponsored mail approval, which I managed to do. But the issue is that when a guest puts his sponsor mail, he can put any email, and the SMTP server sends the request to that email, which is not the way I want it because it is not secure.

    For example, if the guest puts his second email as a sponsored mail, he will receive a request in his second email and he can accept it.

    I saw there is a way to put a list of approval emails in advance, but it is not easy with a big company (do I need to write them down one by one?).

    There is, I think, a way as well to make a policy for the approval persons if we configure the specific domain names as approvals, but it's not possible for me (our company has many domain names, internal + external). Even if I set up those domain names, it's not possible because if a guest has the same domain name as an external salary, it will not work.

    There is an option for which I need confirmation from a ClearPass professional to make this easy:

    The approval person needs to connect to the same Wi-Fi (not necessarily the same SSID) to confirm his guest request? Because I think that when the approval person is confirming his guest request, the confirmation URL in the email starts with the captive portal Wi-Fi guest.

    So, if it's yes, then I have my answer for all my questions.

    So please, any advice will be more than welcome.

    Thank you so much



    ------------------------------
    Ali
    Cybersecurity Consultant
    ------------------------------


  • 2.  RE: ClearPass guest sponsored approval

    Posted Feb 17, 2024 09:20 AM

    Hi Ali

    To enable authentication for sponsors to ClearPass before approving the guest accounts you check the second checkbox on the Sponsor approval configuration page.

    In addition to this, you need to prepare valid guest operator profiles for the users so they get the correct privileges. Authentication can be done with AD connections or SAML if you have a federation service internally.

    Create a custom Guest Operator Login service, mapping AD users to your Guest Operator Profile.

    If you have multiple AD domains all of them should be added to the guest operator login service.

    Below is an explanation of how to restrict possible sponsor approval email domains, even though it's not fully applicable in your case.

    Edit the fields of the form of the guest registration page.

    For sponsor_email add a validator argument

    array (
      'allow' => 
      array (
        0 => 'domain1.com',
        1 => 'domain2.com',
      ),
      'deny' => 
      array (
      ),
    )



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
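
The following is an added example, not part of the original posts and not ClearPass code. It models the allow/deny domain check from the reply above together with the sponsor-credentials setting, to show why a domain list alone does not stop a guest who shares an allowed domain from approving himself. Function names, exact-match semantics and the treatment of an empty allow list are assumptions.

```python
# Added illustration: a model of the checks discussed in the thread.
# Not ClearPass code; function names and matching rules are assumptions.

# Same shape as the validator argument in the post (placeholder domains from the post).
VALIDATOR_ARG = {"allow": ["domain1.com", "domain2.com"], "deny": []}


def sponsor_domain(email):
    """Return the lower-cased domain of a simple address, or None if malformed."""
    email = email.strip()
    if email.count("@") != 1 or " " in email:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower().rstrip(".")


def domain_permitted(email, arg=VALIDATOR_ARG):
    """Assumed semantics: exact domain match, deny wins, empty allow list allows all."""
    domain = sponsor_domain(email)
    if domain is None:
        return False
    if domain in (d.lower() for d in arg["deny"]):
        return False
    allow = [d.lower() for d in arg["allow"]]
    return not allow or domain in allow


def approval_accepted(sponsor_email, authenticated_operator, require_credentials):
    """Model of whether following the approval link activates the guest account.

    authenticated_operator: login name of the operator who signed in, or None.
    require_credentials: models the setting "Require sponsors to provide
    credentials prior to sponsoring".
    """
    if not domain_permitted(sponsor_email):
        return False
    if not require_credentials:
        return True  # whoever receives the e-mailed link can approve
    return authenticated_operator is not None


if __name__ == "__main__":
    # Constructed case: a guest who owns a mailbox in an allowed domain.
    print(approval_accepted("contractor@domain2.com", None, False))  # domain check only
    print(approval_accepted("contractor@domain2.com", None, True))   # credentials required
```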



  • 3.  RE: ClearPass guest sponsored approval

    Posted Feb 18, 2024 09:47 AM

    Hi Jonas, 

    Thank you for your answer and sorry for my late reply.

    As I said at the top of my request, I'm new to the ClearPass environment, so when you are talking about AD connections and SAML, I don't know what that means or even where I can find this parameter.

    When you said "you check the second checkbox on the Sponsor approval configuration page", are you referring to the authentication box: "require sponsor to provide credentials prior to sponsoring"? Please see the attached file.

    Thank you



    ------------------------------
    Ali
    Cybersecurity Consultant
    ------------------------------



  • 4.  RE: ClearPass guest sponsored approval

    Posted Feb 18, 2024 03:22 PM

    Hi Ali

    Yes, you should check the checkbox for "Require sponsors to provide credentials prior to sponsoring", but to be able to authenticate you must connect to a corporate directory so the users can authenticate with the usernames from the internal network.

    As you work in a large company, I assume you have Active Directory as this is the most common internal directory, but you may have another LDAP directory or user directory.

    Configuration of LDAP connection is done in the Policy Manager part of ClearPass under Configuration\Authentication\Sources and after this you need to configure a Guest Operator Login Service.

    Check out the video series by @Herman Robers in the Airheads Broadcasting channel on YouTube. This link will take you to the 802.1x part with AD integration, but take a look at all of them:
    https://www.youtube.com/watch?v=pY2EnRioUVY&list=PLsYGHuNuBZcbZPEku1zxkfpn2k_O_MENo&index=7

    For SAML instructions there is an old document on the support site, but I think it's still valid:
    https://support.hpe.com/hpesc/public/docDisplay?docId=a00100369en_us

    ClearPass is a quite complex product and the number of options and possible ways to do things can be overwhelming in the beginning. I would recommend contacting a local Aruba partner with deep ClearPass knowledge or the local Aruba SE team to get help to do an initial configuration based on your needs and your specific environment. 

    I would also recommend following the hardening guide to remove the access to the guest operator pages and Policy Manager for guests.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 5.  RE: ClearPass guest sponsored approval

    Posted Feb 19, 2024 01:58 AM

    Hi Jonas,

    I'll have a look for all the links you gave me.

    Thank you for everything 



    ------------------------------
    Ali
    Cybersecurity Consultant
    ------------------------------