How to configure management authentication for Guest and Insight Console Jan15-MHC

This tutorial is a follow-up to this one created by Aruba.


I noticed that with this you were able to access the CPPM console, but this didn't work to access other consoles like Guest and Insight with Active Directory credentials.


So let's start.

After you are done with the tutorial above, you will see that the Active Directory credentials don't work for the other consoles.

To make it work you have to do the following.

You need to build a Role Mapping, which you should have created already with the tutorial above, but I'll repeat that part:



Here the type is Authorization with AD, and the name is memberOf (the Active Directory group that contains the users who are allowed in this console). In this example I just put Domain Admins, so any user in Domain Admins gets access to these consoles.

On the Role Name use [TACACS Super Admin].

On the Policy tab you can put [Guest] as the default role, so that if the login fails the user gets this default role and is not allowed access.



Now you create an enforcement profile.


Enforment profile.PNG

Now you have to build a new profile in which the attribute name is admin_privileges, and for the attribute value you can put anything, GuestAdmin for example. This attribute value MUST match exactly what we will configure on the Guest console, so pay attention to what you put in there.

Now let's build the enforcement policy.

We create a new one and configure it like this:





On Default Profile, select something like Deny Application Access so the user won't have access if authentication fails.

Let's go to Rules.


Enforment policy tacacs.PNG


Put it exactly like this, and for the profile name select the profile you created before (in my case it's the copy of operators login admin users).




Now with that info let's build the service.

You can copy [Guest Operator Logins], which is the service that authenticates those consoles by default.

You can copy it and edit it, which is what I did (you can also rename it to whatever you want).

As you see, I highlighted the service you can copy, and above it is the copied service I used.

Let's go inside the service:


Inside Service.PNG


The first thing you need to do is add Insight, as you see in this image (you will only see Guest).

Let's go to the Authentication tab.



We select Active Directory, which you should have previously configured in your ClearPass.

Now let's go to the Roles tab.



Here, for role mapping, we select the one we created above.

Now let's go to the Enforcement tab.




Now you select the enforcement profile we configured before.

And that's it, you are done here. Save it!


Now the order!


Service Order.PNG

As you see here, I have the copy of [Guest Operator Logins], which is the one I created, before [Guest Operator Logins], which is the default one that comes with the Policy Manager.

Now let's go to the Guest console for part 2!

Let's go to Translation Rules.


Translation Rules.PNG



And we create a new rule.




On Attribute you put what we had on the CPPM: admin_privileges equals GuestAdmin (remember, here it must match! If even one letter is different, it won't work).

This rule is the one that makes the ClearPass Guest console understand that it must use the AD credentials.

On match, you put Assign Fixed operator profile, and for Operator profile, IT Administrator, so the user has all the access.

Save it and you are done!

Now you have all the consoles with AD authentication and not just the Policy Manager :)





Product Manager - Aruba Networks
Alternetworks Corp
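
The exact-match requirement between the enforcement profile and the Guest translation rule is the step most likely to go wrong. The following is an added example, not ClearPass code and not part of the original tutorial: a simplified Python model of the chain configured above (role mapping, enforcement policy, translation rule) with a helper that explains why a profile fails to match. The rule conditions, the case-sensitive "equals" comparison, the function names and the sample group DN are assumptions made for illustration.

```python
import difflib

# Simplified model of this tutorial's decision chain; not ClearPass code.
# Assumed: rule conditions, case-sensitive "equals", and the sample group DN.
ADMIN_GROUP = "CN=Domain Admins,CN=Users,DC=example,DC=local"  # constructed

def map_role(member_of):
    """Role mapping: AD memberOf -> role, with [Guest] as the default role."""
    return "[TACACS Super Admin]" if ADMIN_GROUP in member_of else "[Guest]"

def enforce(role, profile_attrs):
    """Enforcement policy: admin role gets the custom profile, else deny."""
    return dict(profile_attrs) if role == "[TACACS Super Admin]" else {}

def translate(attrs, rule_name, rule_value):
    """Guest translation rule: exact match assigns the fixed operator profile."""
    return "IT Administrator" if attrs.get(rule_name) == rule_value else None

def operator_login(member_of, profile_attrs, rule_name, rule_value):
    """Run the whole chain; None means the operator login is refused."""
    attrs = enforce(map_role(member_of), profile_attrs)
    return translate(attrs, rule_name, rule_value)

def explain_mismatch(profile_attrs, rule_name, rule_value):
    """Return the reasons the profile would not satisfy the translation rule."""
    if rule_name not in profile_attrs:
        near = difflib.get_close_matches(rule_name, list(profile_attrs), n=1, cutoff=0.8)
        hint = f"; profile sends {near[0]!r} instead" if near else ""
        return [f"attribute {rule_name!r} is not sent{hint}"]
    sent = profile_attrs[rule_name]
    if sent == rule_value:
        return []
    if sent.strip() == rule_value.strip():
        return ["values differ only by leading/trailing whitespace"]
    if sent.casefold() == rule_value.casefold():
        return ["values differ only by letter case"]
    return [f"value {sent!r} does not equal {rule_value!r}"]

if __name__ == "__main__":
    rule = ("admin_privileges", "GuestAdmin")
    for attrs in ({"admin_privileges": "GuestAdmin"},
                  {"admin_privileges": "guestadmin"},
                  {"admin_priviledges": "GuestAdmin"}):  # constructed cases
        print(attrs, operator_login([ADMIN_GROUP], attrs, *rule),
              explain_mismatch(attrs, *rule))
```
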