Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass - validate a guest's email address is real before giving access

  • 1.  ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Nov 10, 2013 04:10 PM

    When a user self registers, they can put in any old address, provided it contains an @ and dot.

     

    Is there a way to make ClearPass check that the email address entered is actually valid before giving access?  And if it is not valid, redirect them back to the self-provision page.

     

    Thanks



  • 2.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Nov 10, 2013 04:13 PM

    You can customize the form to validate the email entry looking for certain values.  I would say that your best option is to have the password emailed to them (or SMS texted).  Don't give them a receipt page.  Give them a page with a link to the login page instead.

     

    A third option is to use sponsor-based registration.



  • 3.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Nov 11, 2013 04:36 AM

    OK, that's a reasonable option.

     

    Can clearpass be set to do a quick DNS lookup on the user's email domain, to see if it is valid?

     

    What about allowing the user access say 5 mins, so they can log onto their email and retrieve the password.  After the 5 mins is up, they are redirected again to the login page.
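As an added example (not code from this thread, from ClearPass, or from ClearPass Guest's own form validators), here is the kind of check the question above asks about, in Python: the weak test the opening post describes (an "@" and a dot), a stricter syntax check that already rejects addresses like 1@123.c, and an MX lookup on the domain that rejects a@a.com when the domain publishes no mail exchanger. The MX table is constructed so the code runs offline; in a live deployment lookup_mx would be backed by a real resolver. Note the limit of this approach: an MX record shows the domain accepts mail, not that the mailbox exists or belongs to the person typing it, which is why e-mailing the password remains the real check.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed MX table standing in for DNS so the example runs offline.
# Assumption: in production lookup_mx would query a real resolver instead.
CONSTRUCTED_MX: Dict[str, List[str]] = {
    "example.com": ["mail.example.com"],
    "example.org": ["mx1.example.org", "mx2.example.org"],
}


def constructed_lookup_mx(domain: str) -> List[str]:
    """Return the MX hosts for a domain from the constructed table."""
    return CONSTRUCTED_MX.get(domain.lower(), [])


def weak_check(address: str) -> bool:
    """The check the opening post describes: an '@' and a '.' anywhere."""
    return "@" in address and "." in address


# Practical subset of RFC 5322: dot-atom local part, hostname-style domain.
LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}$")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_syntax(address: str) -> Verdict:
    """Reject addresses that cannot be a deliverable address at all."""
    if address.count("@") != 1:
        return Verdict(False, "exactly one '@' required")
    local, domain = address.rsplit("@", 1)
    if (not LOCAL_RE.match(local) or local.startswith(".")
            or local.endswith(".") or ".." in local):
        return Verdict(False, "bad local part")
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        return Verdict(False, "bad domain")
    tld = labels[-1]
    if len(tld) < 2 or not tld.isalpha():
        return Verdict(False, "top-level label must be at least two letters")
    return Verdict(True, "syntax ok")


def check_deliverable(address: str,
                      lookup_mx: Callable[[str], List[str]] = constructed_lookup_mx
                      ) -> Verdict:
    """Syntax check, then confirm the domain publishes a mail exchanger."""
    verdict = check_syntax(address)
    if not verdict.ok:
        return verdict
    domain = address.rsplit("@", 1)[1]
    if not lookup_mx(domain):
        return Verdict(False, f"no MX record for {domain}")
    # The domain accepts mail; only the e-mailed password proves the mailbox.
    return Verdict(True, "domain accepts mail")


if __name__ == "__main__":
    for sample in ("1@123.c", "a@a.com", "guest@example.com"):
        print(sample, weak_check(sample), check_deliverable(sample))
```

The regexes deliberately leave out quoted local parts and IP-literal domains; a guest portal is better off rejecting those than accepting them, and the domain lookup is what catches the plausible-looking throwaway addresses the thread complains about.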



  • 4.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Nov 11, 2013 07:25 AM

    In your enforcement policy, you can return a temporary role with access to mail and also add a Post_Authentication action with a session timeout to disconnect the user:

     

    [Image: cp-session-timeout.PNG]



  • 5.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Nov 21, 2013 11:24 AM

    Sorry, but I'm fairly novice at Clearpass, apart from basic setups.

     

    What do I need to set in the Policy? Does the above mean that the user has to log back in every 5 mins?



  • 6.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Apr 16, 2014 05:09 PM

    Michael,

     

    Did you get this figured out? I'm working on the same thing right now.

     

    Thanks!

     

    -Mike



  • 7.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Apr 28, 2014 05:35 AM

    Hi boston1630,

     

    Yes we did manage to get this working in the end.  It was proven with Aruba APs.  The solution is rather convoluted though works nicely.  Give me some time to go over it again and post back with the solution.

     

    Thanks



  • 8.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Apr 28, 2014 08:36 AM

    Hi Michael,

     

    Convoluted with Clearpass?!? Get out of here! 

     

    I would definitely appreciate it - thanks!

     

    -Mike



  • 9.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Apr 29, 2014 11:06 PM

    I'm tired of seeing a@a.com or 1@123.c, I wish there was a way so that the user had to validate that they are who they say they are.



  • 10.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Apr 29, 2014 11:28 PM
    Why not just hide the password from the receipt page and replace it with
    text that says "the password has been e-mailed to you". Then give them a
    link to the login page. This way they have to use a real email address (or
    cell # for SMS)


  • 11.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Apr 30, 2014 05:07 AM

    Yes cappalli, SMS receipt with password is ideal, but in my situation this was for a stadium with poor cellular coverage and on match day it becomes saturated and unusable.  Essentially, the user would get that SMS half hour after the game as they were walking down the road.

     

    The idea sounds really easy, but is really complicated when you consider the varying states that the user could be in on both Clearpass and the controller.  Throw in mac-caching and it becomes more so.

     

    And yes elmodoeswifi my customer wanted to avoid people signing up with similar emails after having had a few beers, and essentially only be able to hand the marketing team a list of proper and valid emails.

     

    I need to polish up the solution and test again.  I will post the solution as an entry in the May contest.  Stay tuned.

     

    :smileyhappy:



  • 12.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Apr 30, 2014 07:33 AM
    For email receipt, you could allow common exchange, pop and imap ports in
    your registration role so the guest can get the receipt.


  • 13.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jun 30, 2014 04:23 PM

    I noticed that your solution did not make the May contest....I am very interested in what you accomplished with this.  Would you mind if I could off-list get a copy of your solution?

     

    Thanks

     

    MH

     

    mihulko@uwo.ca



  • 14.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Jul 01, 2014 03:44 AM

    Hi,

     

    Unfortunately when I tested again it seemed to be broken.  I can't seem to figure out where or why that is.  I upgraded to 6.3, so maybe that has something to do with it.

     

    Apologies, but when I am sure the solution is fine, I will post for you.



  • 15.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 02, 2014 04:30 PM

    I appreciate the quick response.  Maybe by sharing what you have now, we could try and solve the problem you are facing?

     

    MH  :)



  • 16.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 02, 2014 04:46 PM

    All,

     

    This worked for me in Clearpass 6.3 to get the functionality that you're looking for. 

     

    1. Go to Clearpass Guest > Configuration > Guest Self-Registration

    2. Click edit <Your Guest Self Reg>

    3. Click Receipt Page > Override Receipt > Select “Do not include guest receipt contents”

     

    This will remove the username and password from the receipt page. The user will then have to click the "Sign In" button and use the credentials that were emailed to them.

     

    I've used this on a couple of Aruba and Cisco accounts and it works well.

     

    -Mike



  • 17.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 02, 2014 04:51 PM

    Awesome... I will give it a try.  Are you allowing e-mail access as a default or are you also transitioning the user into a temporary role to allow access to e-mail?

     

    MH



  • 18.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 02, 2014 04:57 PM

    Hi MH,

     

    They're still in the same captive portal role until they enter the credentials from the email. The credentials move them into a role that has limited access to the LAN and Internet-only access.

     

    -Mike



  • 19.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 02, 2014 05:11 PM

    Going out on a limb with this assumption, the "pre-authentication" role has e-mail access enabled by default to retrieve the password? or as recommended in an earlier post, that the user is transitioned into another temporary role that allows e-mail access for time (t) and then redirected to the login page.


    Sorry to be a pain, but I am still a little new to clearpass and want to make sure I understand

     

    MH



  • 20.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 02, 2014 05:32 PM

    Hi MH,

     

    What wireless vendor are you using? If Aruba, here's a user-role that has a captive portal profile:

     

    user-role Customer-Guest-CP-Login
       captive-portal "Customer-CP-Guest"
       access-list session ra-guard
       access-list session ACC-Allow-Clearpass
       access-list session logon-control
       access-list session captiveportal
       access-list session v6-logon-control
       access-list session captiveportal6
    !

     

    There needs to be a session ACL that allows HTTP and HTTPS traffic to the Clearpass servers for the Clearpass Guest redirects.

     

    -Mike



  • 21.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 02, 2014 05:59 PM

    We are an Aruba shop...

     

    So far I am with you on the profiles and ACLs, but in order to force the user to submit and retrieve "valid" credentials, e-mail access needs to be allowed, which I am assuming is before they actually get to login.  The only non-default access-list session I see from what you provided is the "ACC-Allow-Clearpass" policy, which I am interpreting to allow http | https access to Clearpass servers.

     

    The question is, by default, the captive portal only allows DNS, DHCP, HTTP | HTTPS, so where are you adding the e-mail services?  A separate ACL or added to the other default ACLs?  Or is this something defined in Clearpass that I am missing?

     

    If you want to take this off-line, I am willing to go into a deeper discussion.

     

    Thanks

     

    MH



  • 22.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Jul 03, 2014 02:49 AM

    So this is always a challenge. 

     

    It comes down to personal preference, but most of my customers today recognize that most users as of today have a smart device where they can get either a text (even my 85 year old grandparents now use text messages :)) or email or both. What my customers are doing is asking for both email and phone number to text and email the username and password to, so you don’t have to open access to email.

     

    [Image: Screen Shot 2014-07-03 at 1.34.23 AM.png]

    The other option is to do what the others were suggesting and either allow access for 10 min for them to get email, or when they hit submit give them restricted access to get email, but the challenge you have nowadays is that people get email so many different ways that you will have to allow access to IMAP, POP3, etc.... so then you will end up having a long list to allow. You also have the few that only use webmail, so then you would also have to add access to the web!!!

     

    Again it's personal preference, but today with technology IMHO I would use option 1. It’s a lot easier to deploy and maintain. :) Of course you will always have those few with that big fat brick phone that won't support anything but sending a signal into space, but today they are far and few.



  • 23.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Jul 03, 2014 03:59 AM

    Definitely agree with the password in the SMS, however in my case it was a stadium where the cellular service got saturated on match day and was unusable.

     

    We had to go with the second option.  It was based on the sponsored registration, but instead of an email going to the sponsor, it would go to the guest.  Essentially the guest would approve their own registration, which they had to do within 10 mins.

     

    Sounds easy, but consider the different states that a user can be in.

     

    • first time a device connects.
    • registered, not validated email.
    • registered, not validated email, but does a mac auth within the 10 mins.
    • registered, not validated email and 10 mins is up.
    • registered, validated email within the 10 mins.
    • registered, validated email and after 10 mins does a mac auth.

    Might be one or two more, but you get the idea.......it can be tricky with all things considered.
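The six states above are exactly what an enforcement policy has to resolve on every authentication, whether the device arrives via the captive portal or via a cached MAC. As an added example, not the author's configuration and not ClearPass's own policy language, the Python below models one consistent answer for those states: the captive-portal role name is taken from the controller snippet earlier in the thread, the other two role names, the 10-minute mail window and a 30-day lifetime for a validated account are assumptions, and the returned session_timeout corresponds to the session-timeout idea from the earlier reply (the temporary role gets disconnected when the window ends). The policy choice that a MAC auth never upgrades an unvalidated account is mine, added here because it is the state that most often leaks full access by accident.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

# Customer-Guest-CP-Login is the captive-portal role from the controller
# snippet earlier in the thread; the other two names are assumptions.
ROLE_PORTAL = "Customer-Guest-CP-Login"   # registration / login page only
ROLE_MAIL_ONLY = "Guest-Mail-Only"        # assumed: DNS + mail ports, nothing else
ROLE_FULL = "Guest-Internet"              # assumed: normal guest access

MAIL_WINDOW = 10 * 60                 # seconds to fetch the e-mailed password
VALIDATED_LIFETIME = 30 * 24 * 3600   # assumed lifetime once the address is validated


class AuthKind(Enum):
    CAPTIVE_PORTAL = "captive-portal"   # guest typed credentials on the portal
    MAC_AUTH = "mac-auth"               # device came back and was MAC-cached


@dataclass
class GuestRecord:
    registered_at: int                   # epoch seconds the account was created
    validated_at: Optional[int] = None   # set when the guest proves the mailbox


@dataclass
class Decision:
    role: str
    session_timeout: Optional[int]       # seconds until forced re-auth; None = none
    reason: str


def decide(record: Optional[GuestRecord], auth: AuthKind, now: int) -> Decision:
    """Map a guest's state plus the kind of authentication to a role."""
    if record is None:
        return Decision(ROLE_PORTAL, None, "unknown device: send to self-registration")

    if record.validated_at is not None:
        remaining = record.validated_at + VALIDATED_LIFETIME - now
        if remaining <= 0:
            return Decision(ROLE_PORTAL, None, "validated account expired: re-register")
        # Portal login and MAC auth both land here once the address is proven.
        return Decision(ROLE_FULL, remaining, f"validated ({auth.value}): full guest access")

    remaining = record.registered_at + MAIL_WINDOW - now
    if remaining <= 0:
        return Decision(ROLE_PORTAL, None,
                        "mail window expired without validation: back to portal")
    # Same answer for portal and MAC auth: a cached MAC never upgrades an
    # unvalidated account, it only keeps the mail-only role for the rest of the window.
    return Decision(ROLE_MAIL_ONLY, remaining,
                    f"awaiting validation ({auth.value}): mail ports only, "
                    f"disconnect in {remaining}s")


def walk_through(now: int = 1_000_000) -> Dict[str, str]:
    """The six states listed in the post, each mapped to the role it receives."""
    fresh = GuestRecord(registered_at=now - 5 * 60)
    stale = GuestRecord(registered_at=now - 15 * 60)
    valid = GuestRecord(registered_at=now - 15 * 60, validated_at=now - 5 * 60)
    cases = {
        "first time a device connects": (None, AuthKind.CAPTIVE_PORTAL),
        "registered, not validated email": (fresh, AuthKind.CAPTIVE_PORTAL),
        "registered, not validated, mac auth within 10 mins": (fresh, AuthKind.MAC_AUTH),
        "registered, not validated, 10 mins is up": (stale, AuthKind.CAPTIVE_PORTAL),
        "registered, validated within 10 mins": (valid, AuthKind.CAPTIVE_PORTAL),
        "registered, validated, mac auth after 10 mins": (valid, AuthKind.MAC_AUTH),
    }
    return {label: decide(rec, kind, now).role for label, (rec, kind) in cases.items()}


if __name__ == "__main__":
    for state, role in walk_through().items():
        print(f"{state:55s} -> {role}")
```

The point of keeping the decision in one function is that every combination of account state and authentication type gets an explicit answer; the case that usually goes wrong in practice is the third one, where a MAC re-auth inside the window would otherwise match a generic "known guest" rule and hand out the full role before the address was ever confirmed.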



  • 24.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 03, 2014 07:57 AM

    I'd be really keen to see how people have done this.

     

    I'm trying something similar now. Customer wants to grant access for 24 hours (to enable you to get the email) but then wants the next login to give you access for 30 days. The idea being that we only send their credentials by email. The guest receipt doesn't show you your password or allow you to download it.

     

    But, I don't think it would be possible to extend the expiry time when they next login. Any ideas?

     

    If not, how do we do the user role method stated earlier?



  • 25.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 03, 2014 11:22 AM

    I appreciate all the comments to date....I agree that some implementations are much easier to do than others, but at the end of the day for us at least, it boils down to accountability.  Here (UWO) at least, our security team mandates that there is an identity associated with a session, whether that's wireless or wired for tracking everything from malware / botnets to copyright complaints.

     

    Is there any mechanism for ClearPass to react to a bounceback message from a mail server?  By using this mechanism, e-mail validation would be automatic as the user could not use just any e-mail format (e.g. mickey@mouse.com) and ClearPass could notify the user that they are violating the registration process.

     

    just a thought.



  • 26.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Jul 03, 2014 11:35 AM

    ClearPass does not receive bounceback messages, so it cannot process them.  

     

    Quite frankly, an email or a phone number is not anything that you can tie to a specific person.  If you want everyone to be authenticated, have them stop by a desk, show ID and get an account.  There are others who provide account information at kiosks so that they know that users are physically in the building.  Beyond checking people's ID, nothing legally ties a user to an email or phone number.



  • 27.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 03, 2014 12:15 PM

    For the bounceback message - ack'd

     

    I agree with you that there is nothing that "legally" ties a user to an e-mail or phone number.  The balance between minimal administration (which is what most of the depts on campus want) and accountability by security is the goal.  E-mail validation as a minimum, in some form, is at least something and better than nothing. 

     

    As we have already communicated with our security people, 98% of the people will provide legitimate credentials, and is it worth trying to create a process to catch the 2% that try and circumvent the process. 

     

    This has all been very good feedback.  I appreciate everyone's comments and suggestions. 

     

    MH



  • 28.  RE: ClearPass - validate a guest's email address is real before giving access

    EMPLOYEE
    Posted Jul 14, 2014 04:23 AM

    I have tested and have a working solution now.  davey, I really like that idea as well.  That is a slight extension on this and I think I've covered your scenario.

     

    The solution is mostly the hard work of my Clearpass SE, though I have made a number of amendments to get it working right, tested and done a lot of updates on the document.

     

    I would like my SE to review before I submit here.  Please bear with me.....it will be here very soon.

     

    :smileyhappy:



  • 29.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 17, 2014 12:47 PM

    Look forward to seeing it.

     

    Addendum:

     

    I have a configuration completed whereby the user registers and is informed that the password is e-mailed to them.  However, I am stuck on the temporary access piece to retrieve e-mail



  • 30.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Jul 29, 2014 09:56 AM

    Michael..

     

    anything further to this?  I would be interested in seeing what you have so far regardless of your SE's input.  I can communicate off-line if you wish.



  • 31.  RE: ClearPass - validate a guest's email address is real before giving access
    Best Answer

    EMPLOYEE
    Posted Aug 01, 2014 04:35 PM

    Hi,

     

    Sorry for the delay, but as luck would have it the August-MHC was on Clearpass so I decided to wait until now to submit.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-Guest-Self-registration-amp-self-sponsorship-email/td-p/191001

     

    Feedback and kudos appreciated.

     

    Enjoy



  • 32.  RE: ClearPass - validate a guest's email address is real before giving access

    Posted Aug 01, 2014 04:40 PM

    I have successfully created and tested a Guest wireless environment utilizing most of the recommendations posted (hide and e-mail password, transition users between roles etc.) for conferencing services etc.

     

    Additionally, I have also modified the Receipt page to dynamically insert the SSID of the conference / event if running multiple at the same time, as the Guest Manager is a static entry.

     

    I am still attempting to adjust the account lifetime / expiration time as suggested in another post, but would like to see if others have been successful in getting this to work.

     

    I will post the contents of my configuration in the next day or two.