Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Create Device uses wrong username

  • 1.  Create Device uses wrong username

    Posted Mar 14, 2014 06:20 AM

    Hello AirHeads,

     

    I have a problem creating a device within CP Guest.  When I create the device, instead of using the MAC address as the username, the system is generating a random username.  So when it is created, the device cannot be found and of course I cannot list it or see it.  However, the 'device' shows up in the 'List Accounts' section, along with the random username.

     

    I changed the Guest Manager settings to use a random letters-only username and tried again and yes, the device has a username that follows the settings for guest users.

     

    I want to add an Apple TV so I am selecting the check box to use AirGroup (in fact, it doesn't matter if I select this or not - the device is always created with a random username).

     

    Looking at the application log, I can see that the device has been created with various attributes for AirGroup and there are errors saying that the device cannot be found, that the CPPM was unable to 'communicate' with the controller to add/disable the device (when I delete it) because the MAC isn't found - which is logical as the device isn't created with the MAC as the username.

     

    I was running CPPM 6.2.5 and using an AirGroup admin account to create the device.  I upgraded to 6.3 but the problem still exists.

     

    Any pointers would be greatly appreciated.



  • 2.  RE: Create Device uses wrong username

    Posted Mar 14, 2014 06:58 AM

    A couple of extra details:

     

    Within the Application log I see an INFO entry stating that "Created AirGroup device account: 25079230" (the device I added via Create Device).

    Then there is a warning: "Cannot notify controller for AirGroup operation 'create' on device: 25079230"

    Then a third entry stating that the user account has successfully been created, along with the password and account expiry details.

     

    I have checked the communication between the controller by going to the AirGroup Service and reading the configuration which is OK.

    On the controller, sometimes once the device has been created I can see an AirGroup server that corresponds to the MAC I entered when creating the device on the CPPM.  This is hard to reproduce consistently as the device doesn't always show up in this view on the controller.

     

    I have configured a couple of captive portals, onboard and onguard on this CPPM, and I am wondering if I have changed something or used something earlier in my configuration that has now 'broken' the create device...I really have no clue (no change there then! ;) )

    Cheers,

    Mike.



  • 3.  RE: Create Device uses wrong username

    Posted Mar 14, 2014 07:03 AM

    Sounds to me like you're using the wrong form for creating devices.

     

    On a more or less factory standard CP 6.3 I created a Local User, gave him [Device Registration] role, and logged in.

    This is a screenshot of the form I see - which is called "mac_create" in Configuration -> Forms & Views

     

    14.03.png

     

    I create the device and get this picture:

    14.03-2.png

     

    This is basically what you should be seeing. I'm reading through the ClearPass Guest 6.3 documentation, and while it says that these AirGroup profiles should already be installed - they are not for me so I can't verify 100% how it will look at your end.

     

    Basically - the assigned CPPM role to your user is mapped to a role in CP-Guest. Verify through Access Tracker which role you are assigned, and then go to CP Guest and check the Operator Translation Rules to see what access that gives your user there.

     

    Then edit the Guest Operator Profile to show only the forms you want it to show - and summarize it kind of like this:

    14.03-3.png

     

     

     



  • 4.  RE: Create Device uses wrong username

    Posted Mar 14, 2014 12:23 PM

    Hi John,

     

    Thanks for the reply.

     

    I had a look already because I was wondering about the translation rules and if I had changed anything.

     

    I had started this config back when I had 6.2.2 installed on the appliance.  I upgraded a couple of times since to 6.3.  In 6.2.5 I had created two local users - one for AirGroup Admin and another for AirGroup Operator.

     

    With 6.3 we no longer need to have these (I have a copy of an eval version of 6.3 configured by a colleague) and on this eval platform I was able to create a device just like you showed in your post.

     

    In any case, I changed the AirGroup operator login from 'operator' to 'Device Registration' and looked in Access Tracker and I have been given the Device Registration 'role', however, I still have the error.

     

    In fact I see the exact same thing as you right up until I get the receipt and it is then that I see the username is the random username generated instead of the MAC.

     

    I said earlier that I created the device on an eval VM so I exported the accounts from that machine and imported them back into my platform (deleting all of the accounts I wasn't interested in) and that seemed to have worked.  I now have a device that has the MAC as username and password.

     

    I then tried to create another device, but same error and also it seemed to break the view of listing the devices.  After deleting the new device I could then list the single device that had been imported.

     

    Thanks for helping.

    Mike.

     

     

     



  • 5.  RE: Create Device uses wrong username

    Posted Mar 14, 2014 12:50 PM

    Perhaps opening a TAC case would be faster for you.

     

    Perhaps if you add some screenshots of the process that could shed some light on it from my point of view. Also I'd like to know what the php page is called in the URL when registering and in the receipt.

    Then also do a screenshot of the form used so we see which fields are there.

     



  • 6.  RE: Create Device uses wrong username

    EMPLOYEE
    Posted Mar 14, 2014 04:14 PM
    This may not be an issue but one note is that in 6.3 they removed the brackets on guest accounts. [guest] is now guest. In the role mappings. Most of the time when you upgrade it does not remove the bracket so you will need to do it manually.