Thanks a lot for sharing that pptx, Derin. There's a lot of good information in there and I'll definitely steal a couple ideas.
In the end though, what I was hoping for was a way to pre-populate the role_id field inside the mactrac_create form that is based on the role id of the tenant that logs into the CPG dashboard for device creation. It looks like you're using separate operator profiles in your solution, which I know will work - I was just hoping to avoid creating 300+ operator profiles (1 for each tenant).
I'll keep playing around but I definitely saw some things in your powerpoint that I liked, so thanks again!
------------------------------
Tim Friesen
------------------------------
Original Message:
Sent: May 24, 2021 04:28 AM
From: Derin Mellor
Subject: Guest Deployment with many Roles and Self-serve Device Registration
Back in 2017 I put this conceptual pseudo-multi-tenancy solution together. This was never deployed. This is not explicitly doing what you want, but it's not far off. Hopefully it gives some pointers.
------------------------------
Derin Mellor
Original Message:
Sent: May 21, 2021 12:32 PM
From: Tim Friesen
Subject: Guest Deployment with many Roles and Self-serve Device Registration
Hello Community!
I'm using the Guest DB to authenticate many Guest users onto wireless with their own roles (it's a suite-based deployment, each suite/tenant gets their own account) - I want to grant them access to the Guest dashboard to be able to register other devices. These accounts can log in, but every device they register inherits the default role_id ([Guest]) from the form mactrac_create. Is there a way to automatically insert the role id into that field based on the role of the user that is logged in to register the device? (i.e. tenant1 logs into Device Registration, registers a new MAC and it gets the role tenant1?) I'd ideally like to be able to do this without creating individual device operator profiles for each role, as this is a deployment with hundreds of suites/tenants.
On the wireless side there are 2 SSIDs (1 PEAP-based 802.1X and 1 MPSK-based). I'm using role-to-role firewall rules inside PEF to allow only like roles to communicate with each other so that I don't have to also create hundreds of VLANs on the controller to support the solution. This is working great, just the self-service device registration is the only point I'm struggling with.
Any ideas/suggestions?
Thanks in advance,
Tim
------------------------------
Tim Friesen
------------------------------