OK. Seem to have things working but still got a couple of questions. Here's what I've done.
Requirement: URL mydevicesxb.york.ac.uk will direct the user to a ClearPass Guest login page and then on to a restricted ClearPass Guest “create device” page that only allows them to register a MAC address and assign a name to it. Logging off directs them back to the mydevicesxb.york.ac.uk login page.
ClearPass Policy Manager
I've a service called UoY Guest Operator login service
Authenticates against AD, no roles created
Enforcement policy basically says
If ((Tips:role = [User Authenticated]) and (AD Authentication) and (Authentication:Full-Username=<myuserid>))
Use enforcement profile UoY Operator Login - Super Administrator
Else if ((Tips:role = [User Authenticated]) and (AD Authentication))
Use enforcement profile UoY Game Console Registration
Else
Deny Application Access
Enforcement Profile
UoY Game Console Registration defines an attribute admin_privileges and sets it to “UoY Device Registration”
Enforcement Profile
UoY Operator Login - Super Administrator sets this attribute to “Super Administrator”
Under Policy Manager/Administration/ClearPass Portal/Guest I’ve specified the Guest Portal landing page to be landing_redirect.php
ClearPass Guest
In Administration/Operator Login/Translation Rules I’ve defined an entry
- name=UoY Device Registration,
- Expression admin_privileges = UoY Device Registration
- Action Assign operator profile = UoY Device Registration
The operator profile has a custom guest manager setup with full access to Create New Device and no access to anything else.
Create Device
In ClearPass Guest/Configuration/Forms/Pages/Forms I’ve duplicated mac_create to mac_create_2 and tailored/reordered the create device fields as appropriate.
Basically the user can only enter a device name and a MAC address.
Similarly, I created create_device_receipt_2 to tailor what gets displayed after the device is created.
In operator profile UoY Device Registration I’ve enabled Custom Forms and Views and assigned “Create New Device” to mac_create_2
Similarly I’ve assigned a different receipt create_device_receipt_2 - Game Console Registration Receipt
Processing inbound URLs
Now I need to configure the landing_redirect.php file defined at the beginning. I go to ClearPass Guest/Configuration/Pages/Web Logins/landing_redirect
Default destination set to
https://clearpass8.york.ac.uk/tips/welcome.action
and the login header html has
{if $smarty.server.SSL_TLS_SNI == 'mydevicesxb.york.ac.uk'}
<meta http-equiv="refresh" content="0;url=https://mydevicesxb.york.ac.uk/guest/mac_create.php">
{else} <meta http-equiv="refresh" content="0;url=http://clearpass8.york.ac.uk/tips/welcome.action">
{/if}
This seems to work. Pointing a web browser at https://mydevicesxb.york.ac.uk/ gets you to a login prompt and then to a Game Console registration page with only a Create Device option.
I get a receipt generated and can create new devices. If I log out I get to a login page for https://mydevicesxb.york.ac.uk
Questions
1). At the moment there's an "Aruba Guest" banner at the top of every page. How can I get rid of/replace this with something more local to the uni?
2). The create device page is the standard Aruba format with 2 columns, the LHS one having a start here link followed by a create device link. How can I remove the start here link?
3). Is this overly complicated or the right way to do it?
Rgds
Alex
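
An added example (not part of Alex's post and not ClearPass code): a small Python model of the If / Else if / Else enforcement policy described above, used to check that only the named account reaches the Super Administrator profile, that everything else falls through to deny, and that rule order does not shadow a rule. The request fields, the `[Guest]` role, the `Local` source and the `student1` account are constructed sample values.

```python
from itertools import product

DENY = "Deny Application Access"
SUPER = "UoY Operator Login - Super Administrator"
CONSOLE = "UoY Game Console Registration"
ADMIN_USER = "<myuserid>"  # placeholder exactly as it appears in the post

def authed(r):    # Tips:role = [User Authenticated]
    return r["role"] == "[User Authenticated]"

def from_ad(r):   # authenticated against AD
    return r["source"] == "AD"

def is_admin(r):  # Authentication:Full-Username = <myuserid>
    return r["username"] == ADMIN_USER

# Ordered as in the post: the specific rule first, then the broad one.
POLICY = [
    ((authed, from_ad, is_admin), SUPER),
    ((authed, from_ad), CONSOLE),
]

def evaluate(policy, request):
    """Return the profile of the first rule whose conditions all hold, else deny."""
    for conditions, profile in policy:
        if all(cond(request) for cond in conditions):
            return profile
    return DENY

def sample_requests():
    """Constructed request space: every combination of the three inputs."""
    roles = ["[User Authenticated]", "[Guest]"]
    sources = ["AD", "Local"]
    users = [ADMIN_USER, "student1"]
    return [dict(role=r, source=s, username=u)
            for r, s, u in product(roles, sources, users)]

def unreachable_profiles(policy):
    """Profiles whose rule never wins on any sample request (shadowed earlier)."""
    hit = {evaluate(policy, r) for r in sample_requests()}
    return [profile for _, profile in policy if profile not in hit]

def who_gets(policy, profile):
    """Sorted (username, source, role) tuples that are assigned the given profile."""
    return sorted((r["username"], r["source"], r["role"])
                  for r in sample_requests() if evaluate(policy, r) == profile)
```

Swapping the two rules makes `unreachable_profiles` report the Super Administrator profile, which is the ordering mistake this kind of check is meant to catch.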