Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Operator Restrictions

  • 1.  ClearPass Operator Restrictions

    Posted Aug 13, 2015 02:59 AM

    Hi All,

    I am trying to set up some ClearPass Operator Restrictions. Does anyone know if it's possible to set up an Operator role to only be able to create guest accounts with a limited expiry date?

    Essentially we are looking to stop Operators from giving guests unlimited access for a 'do not expire' account.

    Thanks in Advance

    Matt



  • 2.  RE: ClearPass Operator Restrictions
    Best Answer

    Posted Aug 13, 2015 07:16 AM

    In order to do this, you need to create a new guest account creation form for these Operators. You can edit the form to include the limited expiration options you want (expire_after field). You can then change the New Guest Account form that the Operators use under the Custom Forms and Views section of the Operator Profile.



  • 3.  RE: ClearPass Operator Restrictions

    Posted Aug 14, 2015 01:04 PM

    I have something like this working. I have two guest forms called longterm and shortterm. Any of the company employees can create a shortterm guest ID valid up to a month by logging in with their AD account. They have no other rights. Then admin users who are a member of a special AD group can log in and only hit the longterm page for accounts valid up to a year. Both options have a range of options for how long to make the account. Shortterm accounts are valid 1, 2, 3, 5 days, 1, 2 weeks or 1 month. Longterm is 2, 3, 6 months or a year. My only issue is the admin users cannot create short term accounts unless they log in with a non-AD account. In my case they use a Lotus Notes account and that allows them to create the short term accounts if needed. On the operator login page I just have the instructions explaining the difference.
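
An added example (not from any poster in this thread and not ClearPass code): a small audit that checks whether guest accounts actually created stay within the per-form expiry limits discussed above, and flags any account with no expiry. The CSV column names, the use of the form names as profile labels, and the 31/366-day limits are assumptions; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Longest lifetime each form is meant to allow. The thread gives "up to a month"
# and "up to a year"; the exact day counts here are assumptions.
MAX_LIFETIME = {"shortterm": timedelta(days=31), "longterm": timedelta(days=366)}

FMT = "%Y-%m-%d %H:%M"

# Constructed sample export; the column names are hypothetical, not a ClearPass schema.
SAMPLE = """username,created_by_profile,created,expires
guest1,shortterm,2015-08-01 09:00,2015-08-06 09:00
guest2,shortterm,2015-08-01 09:00,2015-12-01 09:00
guest3,longterm,2015-08-01 09:00,2016-02-01 09:00
guest4,shortterm,2015-08-01 09:00,
guest5,frontdesk,2015-08-01 09:00,2015-08-02 09:00
"""


def audit(export_text):
    """Return (username, reason) for every account that breaks the expiry policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user, profile = row["username"], row["created_by_profile"]
        limit = MAX_LIFETIME.get(profile)
        if limit is None:
            # Account created through a form or profile the policy does not cover.
            findings.append((user, "unknown profile"))
            continue
        if not row["expires"].strip():
            # Empty expiry models a 'do not expire' account.
            findings.append((user, "no expiry"))
            continue
        created = datetime.strptime(row["created"], FMT)
        expires = datetime.strptime(row["expires"], FMT)
        if expires - created > limit:
            findings.append((user, "exceeds %s limit" % profile))
    return findings


if __name__ == "__main__":
    for user, reason in audit(SAMPLE):
        print(user, reason)
```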