Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Guest - operator login

  • 1.  CPPM Guest - operator login

    Posted Nov 29, 2022 08:46 AM
    Hi all experts,
    I was testing the external authentication operator login to CPPM Guest, and when I removed the Operator login LDAP server from the Servers list I can't log in with any operator username from the local repositories (admin, local) in Policy Manager. It looks like the Guest application doesn't send any auth request to Policy Manager.

    There's no Access Tracker entry, and the Event Viewer shows only the warning message "Login Failed".

    Do you have any idea what could be wrong with the Guest module?

    Thanks and best regards

    Vaclav


  • 2.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 09:23 AM
    I can add some screens. Here I try to use the default CPPM admin credentials:



    And there's no Access Tracker entry.

    V.


  • 3.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 09:56 AM
    Hi Vaclav

    You don't need an Operator login LDAP server to authenticate operator logins. Instead, configure a service under Policy Manager. I often create a copy of the default service for operator logins, [Guest Operator Logins]. Add the AD as authentication source, create role mapping rules based on the AD groups, and then an Enforcement policy sending the correct Operator profile names in the attribute admin_privileges.
    The operator profile name is case sensitive, so use copy and paste to avoid typos.

    When sending the exact operator profile name in the attribute admin_privileges, there is already a translation rule that maps the value of the attribute to the profile. So there is no need for additional translation rules.

    Detailed steps below:
    Start with the creation of your operator profiles and set the needed permissions; this will also create roles on the Policy Manager side to utilize in the role mapping policy.
    Continue by creating the enforcement profiles needed. An easy way to create the correct type with the correct attribute is to copy [Operator Login - Admin Users] and change the name and the value of the attribute.
    After this, create a role mapping policy assigning the roles based on LDAP group membership or any other set of attributes. Assign the roles created automatically when the operator profile was created.
    Continue with a new enforcement policy assigning the different enforcement profiles based on the roles.
    Finally, assign your new role mapping and enforcement policy to the new service for operator logins.
    The default operator login service must be disabled or moved below your new service; otherwise the default service will capture the login requests instead of your service.

    As I recall, the Operator login LDAP server setting is an old way to handle operator logins, a relic from the past left to provide backward compatibility.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
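    As an added illustration of the decision chain Jonas describes (not ClearPass code, and not part of this thread): a small Python model of service ordering, role mapping, the enforcement policy's admin_privileges value and the case-sensitive translation to an operator profile. Service names, the AD group DN and the profile set are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    """One Policy Manager service for operator logins (constructed model)."""
    name: str
    enabled: bool = True
    role_mapping: dict = field(default_factory=dict)  # AD group DN -> role
    enforcement: dict = field(default_factory=dict)   # role -> admin_privileges value

# Operator profile names as defined on the Guest side (constructed sample).
# The built-in translation rule needs an exact, case-sensitive match.
OPERATOR_PROFILES = {"Super Administrator", "Help Desk", "AB-Guest-Operators"}

def select_service(services):
    """Services are evaluated top-down; the first enabled one takes the request."""
    for svc in services:
        if svc.enabled:
            return svc
    return None

def resolve_operator_login(services, user_groups):
    """Return (service name, operator profile or None, reason)."""
    svc = select_service(services)
    if svc is None:
        return (None, None, "no enabled service for operator logins")
    roles = [svc.role_mapping[g] for g in user_groups if g in svc.role_mapping]
    if not roles:
        return (svc.name, None, "no role mapped; request captured without AD mapping")
    for role in roles:
        priv = svc.enforcement.get(role)
        if priv is None:
            continue
        if priv in OPERATOR_PROFILES:
            return (svc.name, priv, "translated by default admin_privileges rule")
        near = [p for p in OPERATOR_PROFILES if p.lower() == priv.lower()]
        hint = f" (case mismatch with {near[0]!r})" if near else ""
        return (svc.name, None, f"no profile named {priv!r}{hint}")
    return (svc.name, None, "no enforcement profile for mapped roles")

# Constructed sample: the stock service left enabled above the custom one,
# and the custom service sending the profile name in the wrong case.
GROUP = "CN=GuestOps,OU=Groups,DC=example,DC=com"
DEFAULT = Service("[Guest Operator Logins]")
CUSTOM = Service("AD Operator Logins",
                 role_mapping={GROUP: "AB-Guest-Operators"},
                 enforcement={"AB-Guest-Operators": "ab-guest-operators"})

if __name__ == "__main__":
    print(resolve_operator_login([DEFAULT, CUSTOM], [GROUP]))
```

Disabling the default service and correcting the attribute's case are the two changes that make the constructed login resolve to a profile.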



  • 4.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 01:26 PM
    Hi Jonas,

    Thanks for your reply, but that's not my problem now. I can't log in to the CPPM Guest module with any credentials (admin repository, local repository). In Policy Manager I have the default [Guest Operator Logins] service enabled:


    But when I try to log in, there's only this result:


    And no deny entry in Access Tracker; it is just empty:


    The only entry in the logs is in the Event Viewer:


    So it looks like the Guest module didn't send any authentication request to Policy Manager.

    I think it is more clear now.

    V.


  • 5.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 04:28 PM
    Hi

    I think the request is sent, as you get the warning in the Event Viewer. Some admin login attempts are only logged in the Event Viewer, not in Access Tracker, but I can't recall exactly in what situation that occurs.
    The default Guest Operator Logins service should handle this request. Can you remove the filter from the Access Tracker and see if you can find it, or filter on Source = Application instead of the user name?

    If you are logged in to the Policy Manager GUI, I assume that you can access the Guest GUI either by selecting Guest from the hamburger menu in the top right corner or by clicking the ClearPass Guest link under Quick links in the Dashboard.

    Do you have any information in the application log, found under ClearPass Guest Administration\Support\Application Log?

    Do you still have the default Translation rules under Administration\Operator Logins\Translation Rules?


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 05:17 PM
    Hi,

    Yes, I can access Guest from the hamburger menu, but I will need to authenticate operators in the future, so I have to solve this issue.

    Translation Rules are in default state:


    And in the Application log I can see the login attempts:



    Username and password are correct; I'm using them to log in to Policy Manager. And admin is a member of the Admin User Repository. There's still no entry in Access Tracker. There are only some attempts from the Captive portal login:


    And I set the logging level to "Log all access" in Operator Logins/Login Configuration:

    It is a really strange situation.

    Thanks

    Vaclav



  • 7.  RE: CPPM Guest - operator login

    EMPLOYEE
    Posted Nov 29, 2022 07:58 PM
    Generally I always create a new operator login service, and with this service I always get the entries in the Access Tracker.
    Just copy the default [Guest Operator Logins] and rename it, then add your auth source like AD, etc. as well.
    Then you can create your own enforcement policy. Here are the rules for allowing local admin users that are defined in CPPM to have access to the guest side of CPPM.

    Now when I use a different browser to log in to https://<clearpass-ip-addr>/guest with local admin creds, I get this entry in Access Tracker.




    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 8.  RE: CPPM Guest - operator login

    Posted Nov 30, 2022 06:44 AM
    Hi Ariya,

    Thanks for your tip, but there is still no progress. I created a copy of the default [Guest Operator Logins] service: AB-test-Guest Operator Logins:


    It is almost the same as the default policy; I added only the AD auth source and Role mapping, and created a new Policy with a Profile:




    But the login results are still the same.
    User: admin, source: admin user repository:

    Access tracker is empty:


    Warning in Event Viewer:

    Guest Application log:

    When I try an AD user, the result is the same.

    V.


  • 9.  RE: CPPM Guest - operator login

    EMPLOYEE
    Posted Nov 30, 2022 04:51 PM
    That's really strange.
    See if you can log in with a user in your AD; I just want to see if you'll get an Access Tracker entry. I also take it that you don't have a ClearPass cluster.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 10.  RE: CPPM Guest - operator login

    Posted Dec 01, 2022 05:52 AM
    As I said, it's still the same with an AD user or with a local CPPM user. I think I'll contact TAC about this issue.