Security

Hi,

We use ClearPass Guest for device MAC registration. Our students and staff can manage their own devices, but have the filter in their operator profile set to be "Only show accounts created by the operator". This is what we want. But recently we switched from ADFS to AzureAD for Guest auth and it looks like now when someone registers a device the device shows as registered by (I think this is the 'sponsor_name' field) userid@domain rather than just userid. And when users go to view their devices it seems like they only see the devices that were registered recently (we have had people saying that their devices have 'disappeared', but admins can see them in the devices db). So we're guessing that since the Azure switch the authenticated user (or operator) is also being picked up as userid@domain, rather than just userid, and so the filter that is applied to their view of devices is only showing those devices that they created since the move to Azure.

Or at least we think that is what is happening.

If we're right then I guess one solution would be to script something to use the API to add @domain to the end of the sponsor_names for all the existing devices that were registered by just 'userid'. That's doable but seems a bit inelegant
But I was wondering if there is something smarter we can do in the operator filters, maybe use a regex so that the filter shows devices with sponsor_name of 'userid' and by 'userid@domain'

I see there is a User Account Filter in the operator profile but I don't know if that can help, or how I would go about writing something for this use-case.

Any help much appreciated.

Guy​​

------------------------------
Guy Goodrick
------------------------------

As you mention, userid and userid@domain are different users so will not show up when showing just your own accounts.

The User Account Filter will probably not help either, as if I check the documentation it only checks attributes to values, not the username against a derived variable. Your suggestion about going in change all sponsor_names may be a good solution.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: May 26, 2022 04:55 PM
From: Guy Goodrick
Subject: Operator filters for Guest MAC registered device management

Hi,

We use ClearPass Guest for device MAC registration. Our students and staff can manage their own devices, but have the filter in their operator profile set to be "Only show accounts created by the operator". This is what we want. But recently we switched from ADFS to AzureAD for Guest auth and it looks like now when someone registers a device the device shows as registered by (I think this is the 'sponsor_name' field) userid@domain rather than just userid. And when users go to view their devices it seems like they only see the devices that were registered recently (we have had people saying that their devices have 'disappeared', but admins can see them in the devices db). So we're guessing that since the Azure switch the authenticated user (or operator) is also being picked up as userid@domain, rather than just userid, and so the filter that is applied to their view of devices is only showing those devices that they created since the move to Azure.

Or at least we think that is what is happening.

If we're right then I guess one solution would be to script something to use the API to add @domain to the end of the sponsor_names for all the existing devices that were registered by just 'userid'. That's doable but seems a bit inelegant
But I was wondering if there is something smarter we can do in the operator filters, maybe use a regex so that the filter shows devices with sponsor_name of 'userid' and by 'userid@domain'

I see there is a User Account Filter in the operator profile but I don't know if that can help, or how I would go about writing something for this use-case.

Any help much appreciated.

Guy​​

------------------------------
Guy Goodrick
------------------------------

Thanks Herman, we will go ahead with that then
Original Message:
Sent: Jun 07, 2022 09:49 AM
From: Herman Robers
Subject: Operator filters for Guest MAC registered device management

As you mention, userid and userid@domain are different users so will not show up when showing just your own accounts.

The User Account Filter will probably not help either, as if I check the documentation it only checks attributes to values, not the username against a derived variable. Your suggestion about going in change all sponsor_names may be a good solution.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: May 26, 2022 04:55 PM
From: Guy Goodrick
Subject: Operator filters for Guest MAC registered device management

Hi,

We use ClearPass Guest for device MAC registration. Our students and staff can manage their own devices, but have the filter in their operator profile set to be "Only show accounts created by the operator". This is what we want. But recently we switched from ADFS to AzureAD for Guest auth and it looks like now when someone registers a device the device shows as registered by (I think this is the 'sponsor_name' field) userid@domain rather than just userid. And when users go to view their devices it seems like they only see the devices that were registered recently (we have had people saying that their devices have 'disappeared', but admins can see them in the devices db). So we're guessing that since the Azure switch the authenticated user (or operator) is also being picked up as userid@domain, rather than just userid, and so the filter that is applied to their view of devices is only showing those devices that they created since the move to Azure.

Or at least we think that is what is happening.

If we're right then I guess one solution would be to script something to use the API to add @domain to the end of the sponsor_names for all the existing devices that were registered by just 'userid'. That's doable but seems a bit inelegant
But I was wondering if there is something smarter we can do in the operator filters, maybe use a regex so that the filter shows devices with sponsor_name of 'userid' and by 'userid@domain'

I see there is a User Account Filter in the operator profile but I don't know if that can help, or how I would go about writing something for this use-case.

Any help much appreciated.

Guy​​

------------------------------
Guy Goodrick
------------------------------