Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

  • 1.  ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 10:30 AM

    Hi,

    I am trying to set up a service to identify particular users from AD with a certain memberOf group so that they can manage the guest access portal (add/remove accounts, current sessions, etc.).  The problem I'm having is that even users with a "FAILED" login status are able to log in and manage the portal.

    I'm sure I have something not configured properly and was wondering if someone could post any suggestions.



  • 2.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 10:39 AM
    Can you post the service policy you have configured? Which Operator role are you setting in Clearpass Guest? Have you adjusted the Operator profile accordingly?


  • 3.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 10:51 AM

    Here is the CFG of the service I am using with the enforcement policy and role.  If you need more info, I can get it =D

    [Attached screenshots: 1.PNG, 2.PNG, 3.PNG, 4.PNG, 5.PNG]



  • 4.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 11:12 AM

    Two things at first glance:

    1. You aren't utilising the Role Mapping in your enforcement, so it is not needed in this scenario.

    2. Try using the FQDN of the AD group membership in your enforcement profile, e.g. CN=group,DC=company,DC=com.

    What is strange, however, is that your users are still being allowed access when a reject is being applied?!? Can you post a screenshot of the "Summary" tab for the failed attempt?

    On the Guest side, you should have a translation under your Operator settings that matches admin_privileges = LobbyAdmin and sets the correct profile.



  • 5.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 11:32 AM

    Hi,

    Here are the screenshots.

    [Attached screenshots: 1.PNG, 2.PNG]



  • 6.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 11:36 AM
    Updating the enforcement profile group name with the FQDN of the group should fix the role mapping and enforcement statements.


  • 7.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 11:42 AM

    Where do I update the group name?  Sorry, I'm still new with ClearPass.



  • 8.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.
    Best Answer

    Posted May 12, 2014 12:12 PM

    Update your Enforcement Policy ENFORCE_AGU - Guest Operator Logins, then update the rule Authorization:SOURCE_AD_AGRIUM:memberOf to EQUALS the FQDN of the group name in AD, e.g. CN=groupname,DC=company,DC=com.

    You can find this if you look under the Input tab on your failed attempt and check the memberOf section under the RADIUS attributes.
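    The reason the short group name never matches is that AD returns memberOf as a list of full distinguished names, so an EQUALS rule against "groupname" alone falls through to the deny profile. The following Python model (an added illustration, not ClearPass code; the DNs, rule values, profile names and the translation table are constructed sample values, and case-insensitive DN comparison is an assumption about how such a rule should behave) walks a memberOf list through an enforcement rule list and then through an operator translation like the admin_privileges = LobbyAdmin mapping mentioned earlier in the thread:

```python
"""
Model of an enforcement-policy rule on the AD memberOf attribute deciding
whether a Guest operator login is accepted, and of the operator translation
that maps the returned admin_privileges value to an operator profile.
Added illustration; not ClearPass code. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: memberOf values AD returns for two different users.
LOBBY_USER_MEMBEROF = [
    "CN=GuestOperators,OU=Groups,DC=company,DC=com",
    "CN=Domain Users,CN=Users,DC=company,DC=com",
]
PLAIN_USER_MEMBEROF = [
    "CN=Domain Users,CN=Users,DC=company,DC=com",
]


@dataclass(frozen=True)
class Rule:
    operator: str                      # "EQUALS" or "CONTAINS"
    value: str                         # value configured in the enforcement rule
    profile: dict = field(default_factory=dict)  # attributes returned on a match


# Default when no rule matches, standing in for a deny-application-access profile.
DENY_PROFILE = {"application_access": "deny"}

# Constructed rule sets: the mistake from the thread (bare group name) and the fix (full DN).
SHORT_NAME_RULES = [Rule("EQUALS", "GuestOperators", {"admin_privileges": "LobbyAdmin"})]
DN_RULES = [Rule("EQUALS", "CN=GuestOperators,OU=Groups,DC=company,DC=com",
                 {"admin_privileges": "LobbyAdmin"})]

# Constructed operator translation table (Guest side): enforcement value -> operator profile.
OPERATOR_TRANSLATIONS = {"LobbyAdmin": "Lobby Administrator Profile"}


def normalize_dn(dn: str) -> str:
    """Assumption: DNs compare case-insensitively and ignore spaces around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def rule_matches(rule: Rule, memberof: list) -> bool:
    """True if the rule's value matches any of the user's memberOf DNs."""
    groups = [normalize_dn(g) for g in memberof]
    needle = normalize_dn(rule.value)
    if rule.operator == "EQUALS":
        return needle in groups
    if rule.operator == "CONTAINS":
        return any(needle in g for g in groups)
    raise ValueError(f"unsupported operator {rule.operator!r}")


def evaluate(memberof: list, rules: list) -> dict:
    """First matching rule wins; no match falls through to the deny profile."""
    for rule in rules:
        if rule_matches(rule, memberof):
            return rule.profile
    return DENY_PROFILE


def operator_profile(enforcement: dict) -> Optional[str]:
    """Guest-side translation: return the operator profile, or None when access is denied
    or the enforcement result carries no known admin_privileges value."""
    if enforcement.get("application_access") == "deny":
        return None
    return OPERATOR_TRANSLATIONS.get(enforcement.get("admin_privileges", ""))


def login_outcome(memberof: list, rules: list) -> Optional[str]:
    """End-to-end: memberOf -> enforcement profile -> operator profile (None = rejected)."""
    return operator_profile(evaluate(memberof, rules))


if __name__ == "__main__":
    print("bare name rule :", login_outcome(LOBBY_USER_MEMBEROF, SHORT_NAME_RULES))
    print("full DN rule   :", login_outcome(LOBBY_USER_MEMBEROF, DN_RULES))
    print("non-member     :", login_outcome(PLAIN_USER_MEMBEROF, DN_RULES))
```

    Running it shows the bare-name rule rejecting a legitimate lobby admin while the full-DN rule accepts that user and still rejects a user who is only in Domain Users; the DN you paste into the rule is the one visible under the Input tab of the failed attempt, as the post above describes.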



  • 9.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.

    Posted May 12, 2014 12:46 PM

    Ok,

    This seems to have helped.  I can now adjust the Profiles within the guest portal \ Administration \ Profiles and change access accordingly.

    The problem, though, is that Access Tracker says it's rejected and applies the default deny policy (yet it still lets me log in and manage accounts).

    WebAuthService Applied Reject profile



  • 10.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.
    Best Answer

    Posted May 12, 2014 03:05 PM

    I've just tested this in version 6.3.1.62009, and the default [Deny Application Access Profile] does correctly reject the login attempt and prevent access to ClearPass Guest.

    Which version are you using?



  • 11.  RE: ClearPass Guest - Lobby Admin not being identified but allowing administration of accounts.
    Best Answer

    Posted May 13, 2014 09:01 AM

    One thing I wanted to point out to people who may read this thread is what I found out. The guest portal "Operator Logins" section is its own entity, meaning you do not even need a valid service from Policy Manager to log in to the guest portal and manage accounts.  You can pass an enforcement value over to the guest portal to translate to a privilege level (but it's not mandatory).

    Thanks all for the help.