Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CoA and Guest - NAS Type / CoA Type?

  • 1.  CoA and Guest - NAS Type / CoA Type?

    Posted Jan 20, 2019 11:03 AM

    Hi there,

     

    I wonder how "CoA" works with Guest?

     

    I see under "Configuration > Authentication" the option for "Dynamic Authorization" with a NAS Type Option. 

    Say I have multiple NAS from different brands. How will this work, given that I can only select one "NAS Type" for the entire Guest installation?

    Also, say I add a "change_of_authorization" field to a form. What CoA type and NAS will the guest system use? Cisco, Aruba, Generic? Bounce, Terminate, Reauth? I'm puzzled.

     

    Thanks



  • 2.  RE: CoA and Guest - NAS Type / CoA Type?

    EMPLOYEE
    Posted Jan 20, 2019 12:16 PM
    What are you trying to do? Policy Manager handles mostly everything for Dynamic Authorization.

    The field in the form simply generates a request that you can write policy against.


  • 3.  RE: CoA and Guest - NAS Type / CoA Type?

    Posted Jan 21, 2019 05:35 AM

    I see.

    Can you briefly explain how I can "glue" the field to the Policy Manager?

    What kind of service should I create, and how does it work?

     

    What I'm trying to do is:

    - Send a CoA reauth when a user creates or edits a mactrac device

    - Send a CoA terminate when the user deletes the mactrac device

     

    Thanks



  • 4.  RE: CoA and Guest - NAS Type / CoA Type?
    Best Answer

    EMPLOYEE
    Posted Jan 21, 2019 12:25 PM

    Requests are only generated on a device registration create event. Use the screenshots below for that service.

     

    Guest will automatically try to make a CoA-Request when the role is changed in the form. Guest will look for the role name in a Dynamic Authorization Enforcement Profile Name and if found, will attempt to make the request.

     

    [Screenshot: Screen Shot 2019-01-21 at 12.24.17 PM.png] [Screenshot: Screen Shot 2019-01-21 at 12.24.23 PM.png]



  • 5.  RE: CoA and Guest - NAS Type / CoA Type?

    Posted Jan 21, 2019 01:19 PM

    Hi Tim,

     

    Thanks for your patience.

    That solution works perfectly.

     

    But I still have some doubts:

    - Is there no option to also send CoA when I edit the device?

    - What is the use of the "change_of_authorization" field? Will it only work for mac_create?

    - When I remove the mactrac device I do not see anything on Policy Manager. How does the disconnect work in this case?

    - What is the use for Configuration > Authentication > Dynamic Authorization, and how does it work when I have multiple different NAS types?

     

    Thanks



  • 6.  RE: CoA and Guest - NAS Type / CoA Type?
    Best Answer

    EMPLOYEE
    Posted Jan 21, 2019 02:01 PM

    - Is there no option to also send CoA when I edit the device?

    >> WEBAUTH requests are only generated during a device create event.

     

    - What is the use of the "change_of_authorization" field? Will it only work for mac_create?

    >> This is what triggers the WEBAUTH. It's only used with Device Registration.

     

    - When I remove the mactrac device I do not see anything on Policy Manager. How does the disconnect work in this case?

    >> As mentioned, it's only on create.

     

    - What is the use for Configuration > Authentication > Dynamic Authorization, and how does it work when I have multiple different NAS types?

    >> It's not used.



  • 7.  RE: CoA and Guest - NAS Type / CoA Type?

    Posted Sep 06, 2020 08:36 AM

    Any chance of explaining this better?

     

    Guest will automatically try to make a CoA-Request when the role is changed in the form. Guest will look for the role name in a Dynamic Authorization Enforcement Profile Name and if found, will attempt to make the request.

     

    Edit: https://www.arubanetworks.com/techdocs/ClearPass/6.6/Guest/Content/GuestManagement/ManagingGuestAccounts_changeRole.htm