Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass onboard - Capture user email directly

  • 1.  Clearpass onboard - Capture user email directly

    Posted Jun 30, 2014 06:40 PM

    Hi All,

     

    I am implementing Onboard for an education client and have come across a potential new feature request but wanted to put it out there first in case there is already a way to do this.

     

    We want to use the email reminder feature to notify users their enrolment is going to expire; the issue is that the directory we are querying doesn't always have the email address field populated. In addition to this, the email addresses are the student email addresses issued by the organisation and we'd like to be able to prompt the user for their current email so that we can ensure they are reachable. The emails provided by the institution are not always used by the students.

     

    I looked at the web login settings but it seems there is no simple way to add a field asking for email address. Is there any way this can be achieved?

     

    Scott



  • 2.  RE: Clearpass onboard - Capture user email directly

    EMPLOYEE
    Posted Jun 30, 2014 11:19 PM

    Scott,

    One issue is that CPPM will not write to the AD or LDAP and currently I believe the email lookup is dependent on the AD integration to pull the email address. (I've asked engineering to confirm.)

     

     

    I've run into this before at another customer and they had a restriction put in place where the student couldn't onboard a device (restriction in onboard authorization) unless they had an email address in AD.

     

    [Attached screenshot: Screen Shot 2014-06-30 at 10.15.39 PM.png]



  • 3.  RE: Clearpass onboard - Capture user email directly

    Posted Jun 30, 2014 11:24 PM

    Thanks for the quick response Troy.

     

    Even if the attribute isn't written into LDAP it would be great if it could be stored as an endpoint attribute that could be queried when sending the expiry notification emails.

     

    Scott



  • 4.  RE: Clearpass onboard - Capture user email directly

    EMPLOYEE
    Posted Jun 30, 2014 11:31 PM

    That is the reason I asked engineering to confirm where we get the email from for the notifications. :) 

     

    If it's an endpoint attribute you could force users to a landing page to get the updated email and then allow them to onboard. I hope to have an answer in the morning.



  • 5.  RE: Clearpass onboard - Capture user email directly

    Posted Jul 06, 2014 06:47 PM

    Hi Troy,

     

    Did you end up getting a response from engineering?

     

    Scott



  • 6.  RE: Clearpass onboard - Capture user email directly
    Best Answer

    EMPLOYEE
    Posted Jul 06, 2014 10:15 PM

    Here is a note that I got back:

     

    "There's different settings to determine the email address.  If the authentication is done with something that looks like an email address, that will be used to send the expiration warning, otherwise you have the options below to choose from:

     

    [Attached screenshot: Provisioning Settings (Local Device Provisioning)]

     

    The last option, "Send a message to username@domain", assumes that the user provided just the "username" portion during the device enrollment, and the "domain" bit is supplied by the administrator in the "Unknown Domain" field.

     

    IMO the easiest way to do this is to ensure that device enrollment is done based on email address and password - if that can't be done then the next best option is the username with a fixed domain."



  • 7.  RE: Clearpass onboard - Capture user email directly

    Posted Jul 07, 2014 08:46 PM

    Thanks for the follow-up, that gives me some more options to work with.

     

    I really appreciate your help as always.

     

    Scott



  • 8.  RE: Clearpass onboard - Capture user email directly

    Posted Mar 17, 2015 08:14 AM

    It appears the email alert for certificate expiry is based on the user's email address being present in the certificate.  My users log in to the provision page with their AD credentials.  How would I then get their email address into the certificate that is created by the local ClearPass CA?



  • 9.  RE: Clearpass onboard - Capture user email directly

    EMPLOYEE
    Posted Mar 17, 2015 08:17 AM
    Their email isn't username@domain?


    Thanks,
    Tim


  • 10.  RE: Clearpass onboard - Capture user email directly

    Posted Mar 17, 2015 08:22 AM

    AD credentials are in a 4, 2, 1 format; i.e. John Smith = smitjo1 for AD and email would be john.smith@domain.com.  Looks like we may have an SMTP alias set up so smitjo1@domain.com may work.