Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Amigopod Operator Login assignment using VSAs?

  • 1.  Amigopod Operator Login assignment using VSAs?

    Posted May 08, 2012 11:14 AM

    Hi all,

     

    I use CPPM and Amigopod.  I don't look after AD, but I see it as a very useful source of information that someone else administers.  I don't want to assign operator profiles directly from AD, but through CPPM's link to AD via the RADIUS service (so I can override AD group membership if I need to).

     

    I got Amigopod authenticating operators using CPPM as a RADIUS server.  It works fine, except that I send a VSA back to Amigopod based on AD group membership, and I was hoping to assign the user to the appropriate profile based on this VSA that I send in my enforcement profile.  It keeps using the default profile. :(

     

    array (
      'enabled' => true,
      'privileges' =>
      array (
        0 => 'admin',
        1 => 'guestmanager',
        2 => 'hotspot-manager',
        3 => 'cip_index',
        4 => 'mdps_index',
        5 => 'auth_index',
        6 => 'radius-services',
        7 => 'reporting-manager',
        8 => 'sms-admin',
        9 => 'smtp',
        10 => '#support_index',
      ),
      'userskin' => '',
      'start_page' => 'admin_index.php',
      'lang' => '',
      'timezone_id' => '',
      'password_action_time' => 0,
      'override_ui' => false,
      'userskin_name' => '(Default)',
      'profile_name' => 'IT Administrators',
      'profile_comment' => 'Default administrative profile.',
      'username' => "\reception",
      'aruba-user-role' => 'Reception and Front Desk',
      'session-timeout' => 10800,
      'class' => "#\302\346\303?dN7\217~\343+\345B^\321\302\v\000\000\000\000\000\000R00000383-01-4fa8f02c\000\000\000\000\000\000\000\000\000\000\000",
      'profile' => '1',
    )

     

    array (
      'enabled' => true,
      'privileges' =>
      array (
        0 => 'admin',
        1 => 'guestmanager',
        2 => 'hotspot-manager',
        3 => 'cip_index',
        4 => 'mdps_index',
        5 => 'auth_index',
        6 => 'radius-services',
        7 => 'reporting-manager',
        8 => 'sms-admin',
        9 => 'smtp',
        10 => '#support_index',
      ),
      'userskin' => '',
      'start_page' => 'admin_index.php',
      'lang' => '',
      'timezone_id' => '',
      'password_action_time' => 0,
      'override_ui' => false,
      'userskin_name' => '(Default)',
      'profile_name' => 'IT Administrators',
      'profile_comment' => 'Default administrative profile.',
      'username' => 'admin',
      'aruba-user-role' => 'IT Administrators',
      'session-timeout' => 10800,
      'class' => "#\302\346\303?dN7\217~\343+\345B^\321\302\v\000\000\000\000\000\000R00000384-01-4fa8f053\000\000\000\000\000\000\000\000\000\000\000",
      'profile' => '1',
    )
     

     

    I see LDAP translation rules to achieve exactly what I am after, but I don't really want to bypass CPPM. I want CPPM to be the cornerstone of all authentication in this implementation, effectively a single point of administration.

     

    Anyone had any luck? :smileyfrustrated:  I expect I have done something stupid!



  • 2.  RE: Amigopod Operator Login assignment using VSAs?
    Best Answer

    EMPLOYEE
    Posted May 08, 2012 12:14 PM

    What Amigopod version are you on?  3.7 should have re-labeled LDAP Translation Rules to simply Translation Rules, as they do run for RADIUS operators as well. 

     

    A single rule with:

    Attribute-Name: aruba-user-role

    Matching Rule: always match

    Value: (blank)

    On Match: assign attributes value to operator field

    Operator Field: profile

     

    Now, this may not work due to profile actually wanting to be the ID, not the profile name.  If that is the case, and you cannot edit the source to return the ID, you will need to use a custom script like

     

    {strip}

    {* map the role name carried in the aruba-user-role VSA to the numeric operator profile ID *}
    {if $user['aruba-user-role'] == 'IT Administrators'}
    1
    {elseif $user['aruba-user-role'] == 'Other'}
    X
    {else}
    0
    {/if}

    {/strip}

     

    You would need to fill in the rest of the names and IDs appropriately.
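The translation rule and the custom-script stage from the answer above, as an added Python simulation that is not part of the original post or of Amigopod itself: the rule field names follow the post, the role-to-ID table and the "equals" matching rule are assumptions, and a missing or unknown role falls through to profile 0 instead of whatever the default profile happens to be.

```python
# Added example, not Amigopod's or CPPM's own code: a small simulation of the
# Translation Rule described in the answer (Attribute-Name, Matching Rule,
# Value, On Match: assign attribute value to operator field, Operator Field)
# followed by the custom-script stage that turns a role name into a profile ID.

# Constructed role-name -> operator profile ID table (the custom-script stage).
ROLE_TO_PROFILE_ID = {
    "IT Administrators": 1,
    "Reception and Front Desk": 2,   # constructed ID for illustration
}
FALLBACK_PROFILE_ID = 0              # the script's {else} branch


def rule_matches(rule, value):
    """Evaluate the rule's Matching Rule against the RADIUS attribute value."""
    kind = rule["matching_rule"]
    if kind == "always match":       # name taken from the post
        return value is not None     # an absent attribute never matches
    if kind == "equals":             # assumed name for an exact-value match
        return value == rule["value"]
    raise ValueError(f"unknown matching rule: {kind}")


def apply_translation_rules(rules, radius_reply):
    """Run the rules over a RADIUS reply and return the operator fields set."""
    operator = {}
    for rule in rules:
        value = radius_reply.get(rule["attribute_name"])
        if rule_matches(rule, value):
            operator[rule["operator_field"]] = value
    return operator


def resolve_profile(operator):
    """Turn the role *name* landed in 'profile' into the numeric ID Amigopod wants."""
    return ROLE_TO_PROFILE_ID.get(operator.get("profile"), FALLBACK_PROFILE_ID)


# The single rule from the post.
RULES = [{"attribute_name": "aruba-user-role", "matching_rule": "always match",
          "value": "", "operator_field": "profile"}]

# Constructed RADIUS reply attribute sets, as CPPM's enforcement profile would send them.
RECEPTION_REPLY = {"aruba-user-role": "Reception and Front Desk", "session-timeout": 10800}
ADMIN_REPLY = {"aruba-user-role": "IT Administrators", "session-timeout": 10800}
NO_ROLE_REPLY = {"session-timeout": 10800}   # enforcement profile sent no VSA

if __name__ == "__main__":
    for reply in (RECEPTION_REPLY, ADMIN_REPLY, NO_ROLE_REPLY):
        print(reply, "->", resolve_profile(apply_translation_rules(RULES, reply)))
```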

     



  • 3.  RE: Amigopod Operator Login assignment using VSAs?

    Posted May 08, 2012 05:00 PM
    Ahhh... Just tested this on my personal Amigopod, and I see what you mean. Looks like I got confused with the icon and the kind of old legacy branding of this feature. Out of curiosity, where would the custom script go if I needed to put it in? Else don't worry and I will do some due diligence tomorrow when I get in front of the production box ... And thank you


  • 4.  RE: Amigopod Operator Login assignment using VSAs?

    Posted May 09, 2012 06:51 AM

    Quality answer.  Works well, perfect in fact! :)