Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - using different role mappings & role id

  • 1.  ClearPass - using different role mappings & role id

    MVP
    Posted Dec 12, 2013 08:29 AM

    So I have a need to use 2 different "Guest Roles" role mappings.

     

    I changed the default [guest roles] one to "My Roles1" through the /guest plugin manager. This works fine.

    Now, however, I need another role mapping "My Roles2" which I should be able to use as the role-id in self-registration portals and other captive portals.

     

    I suppose I need to create my own version of the role-id field for this? What is a bit beyond me is how I can tie my own "My Roles2" role mapping into this. I'm guessing I can't simply use the same options generator in that field?

     

    Has anyone done this before or am I going the wrong way about this?

     



  • 2.  RE: ClearPass - using different role mappings & role id

    EMPLOYEE
    Posted Dec 12, 2013 08:44 AM

    What are you trying to do?  You can only have one role map per service.  Keep in mind that an authentication can derive to multiple roles.  You should select evaluate all for that to occur.  In that instance, you can then say in the enforcement profile if MyRole1 AND MyRole2 exist, then the intended action.



  • 3.  RE: ClearPass - using different role mappings & role id

    MVP
    Posted Dec 12, 2013 08:57 AM

    I'm simply trying to have 2 different self-registration portals that use 2 different role mappings.

     

    For example

    Self-reg portal 1: captain - lieutenant - cannon fodder

    Self-reg portal 2: employee - contractor - guest 

     

    Problem is I don't want to show the roles from portal 1 to users from portal 2 and vice versa.

    I would need to be able to clearly identify/differentiate users from both portals in the same guest user database.

     

    I am talking about the role mapping used when creating users though, not just the role mapping after authenticating.



  • 4.  RE: ClearPass - using different role mappings & role id



  • 5.  RE: ClearPass - using different role mappings & role id

    EMPLOYEE
    Posted Dec 12, 2013 09:01 AM

    Yes...that should help you out (link above).  But...you will need to create two self-reg pages with two services, CP profiles on the controller, two URLs, etc...

     

    In each self-reg page, you will edit the form where the user selects the role and create the list there.  In terms of creating those roles, the thread above will help you



  • 6.  RE: ClearPass - using different role mappings & role id

    MVP
    Posted Dec 12, 2013 09:07 AM

    that is creating more roles within the same role mapping.

    I would prefer to be able to use 2 completely different role mappings if possible.

    My problem is I have no idea how to point 1 selfreg portal to use role mapping 1 where selfreg portal 2 uses role mapping 2.

     

    I can only configure 1 role mapping that will be used by both selfreg portals through /guest > Administration » Plugin Manager > ClearPass Guest Services. So how do I get the role id in selfreg portal 2 to use a different role mapping?

     

    I'm guessing I need to create a second role id field but here I'm stuck as the default role id doesn't actually reference a role mapping anywhere.



  • 7.  RE: ClearPass - using different role mappings & role id

    Posted Dec 12, 2013 09:31 AM

    Once you create the self registration page and you create the role, it should pick it up automatically from the list of available user roles that you defined under the role mapping and enforcement:

     

    Guest1

    Guest2

    Employee

    Contractor

     

     



  • 8.  RE: ClearPass - using different role mappings & role id

    MVP
    Posted Dec 12, 2013 09:54 AM

    It does that for 1 role mapping yes from what you configured in  /guest > Administration » Plugin Manager > ClearPass Guest.

    I need it to use another role mapping.

     

    Or did I misunderstand you?



  • 9.  RE: ClearPass - using different role mappings & role id

    Posted Dec 12, 2013 10:40 AM

     

    That's correct.

     

    It's kind of what you do with the controller, you configure and then you decide what role will use based on what you define in the enforcement



  • 10.  RE: ClearPass - using different role mappings & role id

    MVP
    Posted Dec 12, 2013 11:57 AM

    And that part I get but is not what I want to achieve..

    1 selfreg portal needs to have another set of roles that the user can subscribe to than the other.

    Per default [Guest Roles] is the rolemapping used for this. 

    This mapping goes as follows:

    (GuestUser:[Role ID] EQUALS 1) [Contractor]
    (GuestUser:[Role ID] EQUALS 2) [Guest]
    (GuestUser:[Role ID] EQUALS 3) [Employee]

     

    So selfreg users can 'choose' one of those 3 roles. The Role ID field will look at /guest > Administration » Plugin Manager > ClearPass Guest to know it needs to map the values in the Role ID field with those names.

     

     

    My idea was to use that role mapping for one service and the mapping below for a different service and keep them completely separated.

     

    [My Roles] is mapped as follows:

    (GuestUser:[Role ID] EQUALS 1) captain 
    (GuestUser:[Role ID] EQUALS 2) lieutenant 
    (GuestUser:[Role ID] EQUALS 3) cannon fodder 

     

    The problem is that the Role ID field always looks at what is configured in /guest > Administration » Plugin Manager > ClearPass Guest and I was hoping there was a way to copy the Role ID field and have it point to My Roles rolemapping.

     

     

    I guess I won't be able to do that and will have to use a single rolemapping which has all 6 roles and then limit the values that can be selected from this rolemapping per service used with the validator arguments or something.

     

    (GuestUser:[Role ID] EQUALS 1) [Contractor]
    (GuestUser:[Role ID] EQUALS 2) [Guest]
    (GuestUser:[Role ID] EQUALS 3) [Employee]

    (GuestUser:[Role ID] EQUALS 4) captain
    (GuestUser:[Role ID] EQUALS 5) lieutenant
    (GuestUser:[Role ID] EQUALS 6) cannon fodder

     



  • 11.  RE: ClearPass - using different role mappings & role id

    EMPLOYEE
    Posted Dec 14, 2013 01:06 AM

    I think I know what you are looking for. :)

     

    You need to put the role name in the Guest Role so it will show up as a selectable role in CPGuest.

     




  • 12.  RE: ClearPass - using different role mappings & role id
    Best Answer

    MVP
    Posted Dec 14, 2013 12:30 PM

    I'm afraid not Troy, that is again how you add a role to a single role mapping.

    I was looking to use 2 different role mappings altogether depending on what service was hit.

     

    I'm by now guessing that is simply not possible and will have to use 1 rolemapping and limit the type of accounts that can be created in the create_user forms as follows: (see attachments)

     

     



  • 13.  RE: ClearPass - using different role mappings & role id

    EMPLOYEE
    Posted Dec 15, 2013 02:51 AM

    Correct,

     

    If you want different roles to be populated on different pages then it is done in the customization of the portal page, not in the service. The service and role mappings are just triggers on information that is being sent to CPPM.



  • 14.  RE: ClearPass - using different role mappings & role id

    Posted Dec 15, 2013 05:06 AM
    To add colour to Troy's response
    CPPM's RoleMappings [Guest Roles] by default contains Contractor, Guest and Employee; these are effectively reference (index) 1, 2 and 3 respectively.
    You can add your own specific roles to this, e.g. Wonky and Donkey. These will be referenced as 4 and 5 respectively.
    To make your portal return a particular role, say Donkey, then you need to edit this portal's Forms&Views, select "edit fields", select "role_id", edit the "Initial Value" = 5 and "Validator" = IsEqual and "Validator Argument" = 5.
    Now when the guest logs in against this portal s/he will be assigned the Role_ID = 5.
    This is reflected in the Endpoint's Guest Role ID attribute.
    You would then have to correct the Service's Roles-->Role Mapping to pass an appropriate "tips role" to the Enforcement Policy.

    Regards Derin
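
Added example, not part of the original thread and not ClearPass code: a Python model of the single-mapping approach from posts 10 and 14, where each portal's role_id validator accepts only its own IDs and the stored portal name lets you audit the shared guest database. The portal names, function names and record layout are assumptions; the role IDs and names are the ones listed in post 10.

```python
# Combined role mapping from post 10: one mapping, six role IDs.
ROLE_MAPPING = {
    1: "Contractor", 2: "Guest", 3: "Employee",
    4: "captain", 5: "lieutenant", 6: "cannon fodder",
}

# Hypothetical portal names. Each set models that portal's role_id
# validator argument: the only IDs the portal may accept.
PORTAL_ALLOWED = {
    "portal1": {4, 5, 6},
    "portal2": {1, 2, 3},
}


def validate_role_id(portal, submitted):
    """Server-side check of a submitted role_id; hiding options in the
    form is not enough, because the posted value can be altered."""
    try:
        role_id = int(submitted)
    except (TypeError, ValueError):
        raise ValueError("role_id is not an integer")
    if role_id not in PORTAL_ALLOWED[portal]:
        raise ValueError(f"role_id {role_id} not allowed on {portal}")
    return role_id


def register(portal, username, submitted_role_id, db):
    """Create a guest account and return the role name it maps to.
    The portal is stored so accounts stay distinguishable in one database."""
    role_id = validate_role_id(portal, submitted_role_id)
    db.append({"username": username, "portal": portal, "role_id": role_id})
    return ROLE_MAPPING[role_id]


def audit(db):
    """Return usernames whose stored role_id falls outside the set
    allowed for the portal that created them."""
    return [
        acct["username"]
        for acct in db
        if acct["role_id"] not in PORTAL_ALLOWED.get(acct["portal"], set())
    ]


if __name__ == "__main__":
    guest_db = []  # constructed sample data
    print(register("portal1", "alice", "5", guest_db))  # lieutenant
    guest_db.append({"username": "mallory", "portal": "portal2", "role_id": 4})
    print(audit(guest_db))  # ['mallory']
```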


  • 15.  RE: ClearPass - using different role mappings & role id

    MVP
    Posted Sep 18, 2015 12:18 PM

    Hey all,

     

    To utilize multiple role IDs on 1 form page, how would you go about that? In the example you give, you have Role ID 4 and 5. I already have a default set for 1 of the roles the different guest users will have (role ID: 2).

     

    I have a radio button field that asks what type of visitor they are (guest/employee). Is there a way I can reference that choice in the Role ID logic to send back either ID: 2 or ID: 3?

     

     

    Thanks.



  • 16.  RE: ClearPass - using different role mappings & role id

    EMPLOYEE
    Posted Sep 18, 2015 12:22 PM
    I don't think that would be possible today. Usually you use different operator profiles to dictate which roles are available based on who the user is. 


    Thanks, 
    Tim