Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

cppm sponsor guest logon

  • 1.  cppm sponsor guest logon

    MVP
    Posted Mar 04, 2013 11:00 AM

    What I'm trying to accomplish:


    Self-registration page with sponsor verification before activating the guest account.

    Since it can be hard for the guest to remember the exact spelling of the sponsor's name/email address, I thought I'd simply add a drop-down list where the guest simply selects the department he wants to visit.

    In this drop-down list the department name is linked to the department's email address, which is a distribution list, so that the entire department receives the request and could OK the sponsor request by logging in with their AD credentials.


    a) First, I would have expected that the policy manager default service [Policy Manager Admin Network Login Service] would be able to handle these sponsor logons with its "Connection - NAD-IP-Address - EQUALS - 127.0.0.1" service rule. It isn't.

     

    So I created an application service which checks for an AD group and returns an application accept enforcement profile.
    Access tracker shows this as an accept, but the sponsor is still unable to log on. The sponsor himself sees a "user or password error" being returned.

     

    I cut down on the process by entering a fixed sponsor email address into the respective form, but this does not help me get any further.

     

    Anybody got a clue why my sponsors are being denied even though access tracker sees the application accept?



  • 2.  RE: cppm sponsor guest logon

    EMPLOYEE
    Posted Mar 05, 2013 11:41 PM

    You will either have to open a case or reveal personal information to get to the bottom of this....



  • 3.  RE: cppm sponsor guest logon

    MVP
    Posted Mar 06, 2013 09:08 AM

    Got TAC involved.

     

    Apparently returning an application accept with or without the "Privilege-Level" = sponsor attribute set isn't enough.

    TAC's solution was to create an operator and translation rule 'sponsor' and then return the application accept with "admin_privileges" = sponsor.

     

    Although this works, I'm not yet convinced this is the way to go, as I cannot find any setting in those profiles to just allow sponsoring. TAC just gave full access to a bunch of stuff in here.

     

    So, anybody that can tell me what I should return to allow external AD users to sponsor guest requests? Or must I use an LDAP operator server from the guest section to do this? Seems silly as I have cppm running to handle ALL other authentications.



  • 4.  RE: cppm sponsor guest logon

    MVP
    Posted Aug 20, 2013 03:05 AM

    Anyone know the correct procedure to allow sponsors only from a specific group in AD?



  • 5.  RE: cppm sponsor guest logon

    Posted Aug 20, 2013 04:55 PM

    I am not 100% sure how you would do it in AD....

    But using an LDAP group we just check for membership of the group. If the user is in the group then we use an Enforcement Profile that sets the 'admin_privileges' = 'to some value'.

     

    I just used the predefined service 'Guest Operator Logins' as a guideline to setup a new service.

     

    Then on the 'Translation Rules' we look for the value of the 'admin_privileges' and assign an operator profile appropriate to the value.

     

    We use two different groups: one for general administration, where the sponsor can only see the accounts he/she has created.

    And then a super administrator, who can see all guest accounts created by any sponsor.

     

    This is handled by two different operator profiles.