Security

 View Only
last person joined: 16 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

CPPM Guest - operator login

This thread has been viewed 35 times
  • 1.  CPPM Guest - operator login

    Posted Nov 29, 2022 08:46 AM
    Hi all experts,
    I was testing the external authentication operator login to CPPM Guest and when I removed the Operator login LDAP server from the Servers list I cant login with any operator username from local repositories (admin, local) from Policy Manager. It looks like the Guest application doesnt send any auth request to Policy Manager.

    Theres no Access Tracker entry and in Event Viewer shows only warning message "Login Failed".

    Do you have any idea what can be wrong with Guest module?

    Thanks and best regards

    Vaclav


  • 2.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 09:23 AM
    I can add some screens. Here I try to use the default CPPM admin credentials:



    And theres no Access Tracker entry. 

    V.


  • 3.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 09:56 AM
    Hi Vaclav

    You don't need a Operator login LDAP server to authenticate operator logins. Instead configure a service under Policy Manager. I often create a copy of the default service for operator logins, [Guest Operator Logins]. Add the AD as authentication source and create role mapping rules based on the AD groups and then Enforcement policy sending the correct Operator profile names in attribute admin_privileges.
    The operator profile name is case sensitive, so use copy paste to avoid typos.

    When sending the exact operator profile name in the attribute admin_privileges there are already a translation rule that maps the value of the attribute to the profile. So no need for additional translation rules.

    Detailed steps below:
    Start with the creation of your operator profiles and set the needed permissions, this will also create roles in the Policy Manager side to utilize in the role mapping policy. 
    Continue to create the enforcement profiles needed. An easy way to create the correct type with correct attribute is to copy [Operator Login - Admin Users] and change the name and the value for the attribute.
    After this create a role mapping policy assigning the roles based on LDAP group membership or any other set of attributes. Assign the roles created automatically when the operator profile was created.
    Continue with a new enforcement policy assigning the different enforcement profiles based on the roles.
    Finally assign your new role mapping and enforcemement policy to the new service for operator logins.
    The default operator login service must be disabled or moved below your new service, otherwise the default service will capture the login requests instead of your service.

    As I recall the Operator login LDAP server settings is an old way to handle operator logins, a relic from the past left to provide backward compability.


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 4.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 01:26 PM
    Hi Jonas,

    Thanks for your reply, but its not my problem now. I can't login to CPPM Guest module with any credentials (admin repository, local repository). In Policy Manager I have default [Guest Operator Logins] service enabled:


    But when I try to login, theres only that result:


    And no deny entry in Access Tracker, it is just empty:


    Only entry in logs is in the Event Viewer:


    So it looks like the Guest module didnt send any authentication request to Policy Manager.

    I think it is more clear now.

    V.


  • 5.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 04:28 PM
    Hi

    I think the request is sent, as you get the warning in the Event viewer. Some admin login attempts are only logged in the Event viewer, not in Access Tracker. But I can't recall exactly in what situation that occur.
    The default Guest Operator Service should handle this request. Can you remove the filter from the Access Tracker and see if you can find it, or filter on Source = Application instead of the user name.

    If you are logged in to the Policy Manager GUI I assume that you can access the Guest GUI by either select Guest from the hamburger meny in the top right corner or by clicking the ClearPass Guest link under Quick links in the Dashboard.

    Do you have any information under the application log, found under ClearPass Guest Administration\Support\Application Log

    Do you still have default Translation rules under Administation\Operator Logins\Translation Rules?


    ------------------------------
    Best Regards
    Jonas Hammarbäck
    ACCX #1335, ACMP, ACDP, ACNSP, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 6.  RE: CPPM Guest - operator login

    Posted Nov 29, 2022 05:17 PM
    Hi,

    Yes I can access Guest from the hamburger menu, but I will need to authenticate operators in th future, so I have to solve this issue.

    Translation Rules are in default state:


    And in the Application log I can see the login attempts:



    Username and password are correct, I'm using it to login to Policy Manager. And admin is member of Admin User Repository. Theres still no entry in Access Tracker. There are only some attempts from Captive portal login:


    And I set the logging level to Log all access in Operator Logins/Login Configuration:

    It is really strange situation.

    Thanks

    Vaclav



  • 7.  RE: CPPM Guest - operator login

    EMPLOYEE
    Posted Nov 29, 2022 07:58 PM
    generally I always create new operate login service and with this service i always get the entries in the access tracker.
    just copy the default [Guest Operator Logins] and rename it, then add your auth source like AD, etc as well.
    then you can create your own enforcement pol. Here are the rules for allowing access for local admin users that are define in CPPM to have access to guest side of CPPM.

    now when i use a different browser to login to https://<clearpass-ip-addr>/guest and login with local admin creds, i get that entry in access tracker.




    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 8.  RE: CPPM Guest - operator login

    Posted Nov 30, 2022 06:44 AM
    Hi Ariya,

    Thanks for your tip, but there is still no progress. I created the copy of default [Guest Operator Logins] service: AB-test-Guest Operator Logins:


    It is almost the same as the default policy, I added only the AD auth source, Role mapping and create new Policy with Profile:




    But the login results are still the same.
    User: admin, source: admin user repository:

    Access tracker is empty:


    Warning in Event Viewer:

    Guest Application log:

    When I try some AD user, there is the same result.

    V.


  • 9.  RE: CPPM Guest - operator login

    EMPLOYEE
    Posted Nov 30, 2022 04:51 PM
    thats really strange.
    see if you can login with a user in your AD, i just want to see if you'll get a access tracker entry, i also take it that you don't have a clearpass cluster.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 10.  RE: CPPM Guest - operator login

    Posted Dec 01, 2022 05:52 AM
    As I said, its still the same with AD user or with local CPPM user. I think I'll contact the TAC with this issue.