  • 1.  duplicate role_id clearpass guest self registration

    Posted Jan 08, 2025 05:32 AM

    Dear All,

    Currently, in our Aruba wireless environment, we would like to deploy two open captive-portal SSIDs on different VLANs. To achieve this, we duplicated the role_id field exactly as the original, changing only the validator.

    But after we enabled role_id_1 and disabled role_id, ClearPass could not determine the role id for the user.

    As we know, the initial value of the original role_id is 2, but the validator field is empty. We changed it to 5, and authentication still works fine after we rolled back to the original role_id.

    Could you please tell us where the configuration is, so that the captive portal page could use role_id_1 (the duplicate one)?



    ------------------------------
    Regards,

    Hudaya

    ACCP, ATP, ACP-CA
    ------------------------------


  • 2.  RE: duplicate role_id clearpass guest self registration

    Posted Jan 08, 2025 07:01 AM

    Hi

    I don't fully understand what you are trying to do, but I think you should not do it in this way, as the role_id attribute is used in a lot of logic in ClearPass. When you select the role in the drop-down, the matching role id is written to the attribute role_id; if you disable this attribute, the role can't be saved.

    Is the intention to have two captive portal pages, or is your intention to control the VLAN assignment for the user by selecting the Account Role in the drop-down?



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: duplicate role_id clearpass guest self registration

    Posted Jan 08, 2025 08:06 PM

    Dear Jonas,

    Yes, we would like to disable the original one and make two duplicates of it:

    one for the captive portal with the guest role,

    one for the captive portal with the internal staff role.

    Is it possible?



    ------------------------------
    Regards,

    Hudaya

    ACCP, ATP, ACP-CA
    ------------------------------



  • 4.  RE: duplicate role_id clearpass guest self registration

    Posted Jan 09, 2025 01:55 AM

    Hi

    The way you try to implement this is wrong. You can't add a new attribute to a form to replace one of the important attributes, at least not without a lot of customizations.

    You should instead just work with different values of the attribute for each account. Normally you don't create guest accounts for employees; for BYOD scenarios a better option can be ClearPass Onboard. Or, use a guest login page where the employees can authenticate with their AD credentials, or create a Single Sign-On page to authenticate employees with SAML.

    But assuming you still would like to create guest accounts for employees and place them on different VLANs, you need to do the following.

    First you have to create the roles in the Policy Manager part under Configuration\Identity\Roles. In your case it could be:

    • Pelindo Guest
    • Pelindo Employee

    Edit the role mapping policy [Guest Roles] and add two new rules like the one below:

    (GuestUser:Role ID EQUALS 3001) Pelindo Guest

    (GuestUser:Role ID EQUALS 3002) Pelindo Employee

    The numbers 3001 and 3002 can be anything, but I always start on a high number. This role mapping policy edit will make the new roles available to select for user accounts during registration. The number for each role is written to the attribute role_id during guest registration.

    I don't understand how you plan to direct guests and employees to different captive portal pages during registration. Do you have a landing page or links to the other page?

    In any case, the Account Role drop-down, which you have already added as in your first screenshot, is the field that will write the role_id number based on the selected role.

    In the Policy Manager service for guest authentication you have to have matching rules to read the GuestUser:Role ID attribute and assign the corresponding rules during authentication.

    (GuestUser:Role ID EQUALS 3001) Pelindo Guest

    (GuestUser:Role ID EQUALS 3002) Pelindo Employee

    In the Enforcement policy you return the correct VLAN for each role.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
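The three-layer flow Jonas describes (Account Role drop-down writes role_id, the [Guest Roles] role mapping policy turns it into a role, the enforcement policy turns the role into a VLAN) is easy to break at any one layer, which is what the original poster hit when role_id was disabled. The following is an added example, not code from the thread or from HPE Aruba: a small Python model of that flow plus a consistency check that flags role_id values with no mapping rule and roles with no enforcement rule. The role names, VLAN ids, profile names, the assumed "[Guest]" default role, first-match rule evaluation and the form definitions are all constructed for illustration; only the 3001/3002 numbers come from the post.

```python
"""Model of the ClearPass guest role_id -> role -> VLAN chain, with an audit.

Everything below is constructed sample data (assumption), not exported from a
live ClearPass. Rule evaluation is modelled as first-match.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str   # e.g. "GuestUser:Role ID" or "Tips:Role"
    operator: str    # only EQUALS is modelled
    value: str
    result: str      # role name (role mapping) or enforcement profile name


# [Guest Roles] role mapping policy, as in the post (role names assumed).
ROLE_MAPPING = [
    Rule("GuestUser:Role ID", "EQUALS", "3001", "Pelindo Guest"),
    Rule("GuestUser:Role ID", "EQUALS", "3002", "Pelindo Employee"),
]
DEFAULT_ROLE = "[Guest]"  # assumed default role of the mapping policy

# Enforcement policy: role -> profile (profile names and VLANs assumed).
ENFORCEMENT = [
    Rule("Tips:Role", "EQUALS", "Pelindo Guest", "VLAN 200 Profile"),
    Rule("Tips:Role", "EQUALS", "Pelindo Employee", "VLAN 300 Profile"),
]
DEFAULT_PROFILE = "[Deny Access Profile]"
PROFILES = {
    "VLAN 200 Profile": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                         "Tunnel-Private-Group-Id": "200"},
    "VLAN 300 Profile": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                         "Tunnel-Private-Group-Id": "300"},
    "[Deny Access Profile]": {},
}

# Account Role values offered by each self-registration form (constructed).
# 3003 on the staff form deliberately has no mapping rule, to show the audit.
FORMS = {
    "guest_register": {"3001"},
    "staff_register": {"3002", "3003"},
}


def first_match(rules, attrs, default):
    """Return the result of the first rule whose attribute EQUALS the value."""
    for rule in rules:
        if rule.operator == "EQUALS" and attrs.get(rule.attribute) == rule.value:
            return rule.result
    return default


def map_role(account):
    """Role mapping: GuestUser:Role ID comes from the account's role_id field."""
    rid = account.get("role_id")
    attrs = {"GuestUser:Role ID": None if rid is None else str(rid)}
    return first_match(ROLE_MAPPING, attrs, DEFAULT_ROLE)


def enforce(role):
    """Enforcement: pick the profile for the role and return its RADIUS attributes."""
    profile = first_match(ENFORCEMENT, {"Tips:Role": role}, DEFAULT_PROFILE)
    return profile, PROFILES[profile]


def authenticate(account):
    """Run one guest account through mapping and enforcement."""
    role = map_role(account)
    profile, attrs = enforce(role)
    return {"role": role, "profile": profile,
            "vlan": attrs.get("Tunnel-Private-Group-Id")}


def audit(forms, mapping, enforcement):
    """Flag role_id values no mapping rule reads, and mapped roles no enforcement rule uses."""
    findings = []
    mapped_values = {r.value for r in mapping if r.attribute == "GuestUser:Role ID"}
    enforced_roles = {r.value for r in enforcement if r.attribute == "Tips:Role"}
    for form, values in sorted(forms.items()):
        for v in sorted(values - mapped_values):
            findings.append(f"form {form}: role_id {v} has no [Guest Roles] mapping rule")
    for r in mapping:
        if r.result not in enforced_roles:
            findings.append(f"role {r.result!r} (role_id {r.value}) has no enforcement rule")
    return findings


if __name__ == "__main__":
    for acct in ({"username": "guest1", "role_id": 3001},
                 {"username": "emp1", "role_id": "3002"},
                 {"username": "broken"}):          # role_id never written
        print(acct["username"], authenticate(acct))
    for f in audit(FORMS, ROLE_MAPPING, ENFORCEMENT):
        print("AUDIT:", f)
```

The "broken" account models the symptom from the first post: with no role_id on the account, the mapping policy falls through to its default role and the enforcement policy to its default profile, so the user gets no VLAN. The audit is the check worth running after adding a new Account Role value or a new form, because the value must exist at all three layers before anyone registers with it.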



  • 5.  RE: duplicate role_id clearpass guest self registration

    Posted Jan 09, 2025 03:06 AM

    Dear Jonas,

    Yes sir,

    we already configured different roles on ClearPass Guest,

    and I just found out that we could configure a different role id value on each captive portal with the same field.

    Thanks Jonas for your insight.



    ------------------------------
    Regards,

    Hudaya

    ACCP, ATP, ACP-CA
    ------------------------------