Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Adding a domain suffix to username before RADIUS accounting proxy

  • 1.  Adding a domain suffix to username before RADIUS accounting proxy

    Posted Aug 13, 2020 12:18 PM

    Hello,


    We have an IoT device mpsk SSID running on AOS8.6.0.5 & ClearPass 6.8.5, devices are registered in Guest by end users using the ClearPass registration interface. The sponsor_name field captures the first part of their username when they register a device, but we need to add @domain to the end of that before proxying RADIUS accounting messages (accounting proxies to our in-house monitoring system which gives federated access to user/AP stats). Is there a way of doing this within ClearPass?


    Or is there a way of changing the value of the sponsor_name field so that the domain suffix is added when they register their device? (Would doing this have any negative impact on, eg, AirGroup operation)


    Thank you,


    Guy



  • 2.  RE: Adding a domain suffix to username before RADIUS accounting proxy

    MVP EXPERT
    Posted Aug 13, 2020 02:20 PM

    You should always require users to authenticate with a fully qualified username. You can reject operator logins to your device registration portal that do not contain @. The other option is to configure your IdP to return a fully qualified username.



  • 3.  RE: Adding a domain suffix to username before RADIUS accounting proxy

    Posted Aug 14, 2020 06:07 AM

    Thanks for getting back to me,


    I don't think I explained this very well, apologies. The ADFS SSO login for users accessing the device registration page is working fine - and they use their full username (email address) to log in. The problem I have is that when you register a device 'sponsor_name' gets automatically populated with the first part of the ADFS username, and sponsor_name is what gets returned in the enforcement profile when a device logs into the IoT MPSK SSID. We want the whole username including the domain to be returned in that enforcement profile.


    We have actually found a workaround that seems to work, which is to add the domain on using the enforcement profile, so that just returns:


    %{Authorization:[Guest Device Repository]:SponsorName}@<domain>


    ...as the IETF username. That seems to do the job, but might not be what you'd recommend?


    It does bring me on to a related question (I hope you don't mind) - when someone registers a new device the form has an email address field, but really it would be better if we could just auto-populate the email address field with the username that they logged in with. Is that value available to us? I'm assuming it must be available somehow, as sponsor_name gets set as the first part of the username, but I can't see how that happens. Do you have any advice?


    [UPDATE] I'm just looking at the SAML trace and can see that the 'subject' and 'NameID' are returned here as my username without @domain. Perhaps it is this that ClearPass is picking up and populating the sponsor_name field with? So this is what you meant when you mentioned the IdP could be configured to return a fully qualified username? I could certainly ask the chaps who run the AD if this is possible.


    I hope that makes sense?


    Thanks


    Guy
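An added illustration of the two things Guy is looking at in this post (not code from the thread, from ClearPass, or from ADFS): pulling the Subject/NameID out of a SAML assertion to check whether the IdP is returning a fully qualified username, and building the accounting User-Name the way the `%{...:SponsorName}@<domain>` workaround does, but only appending the suffix when it is missing so that a NameID that already arrives as `user@domain` is not turned into `user@domain@domain`. The assertion below is a constructed sample and `example.org` stands in for the real domain.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace, needed to address Subject/NameID by name.
SAML2 = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real ADFS trace). NameID carries only the
# short account name, which is what the SAML trace in the thread showed.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">guy</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_name_id(assertion_xml: str) -> str:
    """Return the Subject/NameID value of a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    node = root.find("./saml:Subject/saml:NameID", SAML2)
    if node is None or not node.text or not node.text.strip():
        raise ValueError("assertion has no Subject/NameID")
    return node.text.strip()


def is_fully_qualified(name: str) -> bool:
    """True when the value already carries a realm (user@domain)."""
    local, sep, realm = name.partition("@")
    return bool(local) and sep == "@" and bool(realm)


def accounting_username(sponsor_name: str, domain: str) -> str:
    """Build the IETF User-Name for the accounting proxy.

    Mirrors the enforcement-profile workaround (sponsor_name + '@' + domain),
    but leaves an already qualified name alone. Without this guard, fixing the
    IdP to return the full username would double the suffix.
    """
    name = sponsor_name.strip()
    if not name or name.startswith("@"):
        raise ValueError(f"unusable sponsor_name {sponsor_name!r}")
    if is_fully_qualified(name):
        return name
    return f"{name}@{domain}"


if __name__ == "__main__":
    name_id = extract_name_id(SAMPLE_ASSERTION)
    print(name_id, is_fully_qualified(name_id))
    print(accounting_username(name_id, "example.org"))
    print(accounting_username("guy@example.org", "example.org"))
```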



  • 4.  RE: Adding a domain suffix to username before RADIUS accounting proxy

    MVP EXPERT
    Posted Aug 14, 2020 10:08 AM
    The sponsor_name field should be auto populated with the full username from the IdP. If that is not happening, I'd recommend opening a TAC case.


  • 5.  RE: Adding a domain suffix to username before RADIUS accounting proxy

    Posted Aug 14, 2020 11:19 AM

    It wasn't, but I asked the chaps who run the ADFS server to change what they are sending us, and now it is populated with the full username, so that's great. I think this gives me what I want; I should be able to work it out from here.


    Thanks