Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

defining a new fqdn for clearpass guest

  • 1.  defining a new fqdn for clearpass guest

    Posted Aug 24, 2018 05:36 AM

    Up till now, if I wanted to register a guest device on our clearpass server(s) I'd just go to clearpass.york.ac.uk and click on the clearpass guest link, log in and "do stuff". This is for MAC address registration for airgroups and games console systems.

     

    What we'd rather do however is have a URL https://mydevices.york.ac.uk/ that takes us to the clearpass guest login page and have the FQDN be https://mydevices.york.ac.uk....

     

    Still want to keep getting to the master publisher  via https://clearpass.york.ac.uk 

     

    Is this doable?

    A



  • 2.  RE: defining a new fqdn for clearpass guest
    Best Answer

    EMPLOYEE
    Posted Aug 24, 2018 09:10 AM

    Create a new web login (landing_redirect)

    Check "Provide a custom login form"

    Choose "Blank Skin"

    Put the following in "Header HTML", customizing where necessary

     

    {* SSL_TLS_SNI is the hostname the browser asked for in the TLS handshake; pick the target page by that name *}
    {if $smarty.server.SSL_TLS_SNI == 'devicereg.yourdomain.edu'}
    <meta http-equiv="refresh" content="0;url=https://clearpass-vip.yourdomain.edu/guest/mac_create.php">
    {elseif $smarty.server.SSL_TLS_SNI == 'guestreg.yourdomain.edu'}
    <meta http-equiv="refresh" content="0;url=https://clearpass-vip.yourdomain.edu/guest/create_user.php">
    {else}
    <meta http-equiv="refresh" content="0;url=http://www.google.com">
    {/if}

    Clear the Footer and Login message boxes

    Save the form.

     

    In Policy Manager, go Administration > ClearPass Portal.

    Select Option: Guest Portal

    Specify Guest Portal: landing_redirect.php

     

    NOTES:

    - Be sure to create a CNAME in DNS

    - Be sure the new FQDN is a valid match on the HTTPS cert (wildcard or SAN entry)
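
Added example (not part of the original reply, and not Aruba's code): a Python check of the second note above, confirming that every FQDN the redirect form switches on is covered by the certificate's SAN list, including the rule that a wildcard covers only one label. The certificate contents are constructed and the function names are hypothetical.

```python
"""Check that each FQDN the landing_redirect form switches on is covered by
the HTTPS certificate's SAN list. Hostnames and SANs below are constructed."""

def dns_sans(peercert: dict) -> list[str]:
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]

def san_matches(hostname: str, san: str) -> bool:
    """Exact match, or a wildcard that is the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # a wildcard stands for exactly one label
    if pattern[0] == "*":
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern

def uncovered(portal_hosts, peercert) -> list[str]:
    """Portal FQDNs that would raise a browser name-mismatch warning."""
    sans = dns_sans(peercert)
    return [h for h in portal_hosts if not any(san_matches(h, s) for s in sans)]

# FQDNs from the Header HTML in the reply above (placeholders from the post).
PORTAL_HOSTS = ["devicereg.yourdomain.edu", "guestreg.yourdomain.edu"]

# Constructed certificates, in getpeercert() dict form.
SAN_CERT = {"subjectAltName": (("DNS", "clearpass-vip.yourdomain.edu"),
                               ("DNS", "devicereg.yourdomain.edu"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.yourdomain.edu"),)}

if __name__ == "__main__":
    print("SAN cert misses:", uncovered(PORTAL_HOSTS, SAN_CERT))
    print("Wildcard cert misses:", uncovered(PORTAL_HOSTS, WILDCARD_CERT))
    print("Two-level name:", uncovered(["reg.guest.yourdomain.edu"], WILDCARD_CERT))
```

Against a live server, the same dict comes from `getpeercert()` on a verified `ssl` socket opened with `server_hostname` set to the new FQDN.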

     

     



  • 3.  RE: defining a new fqdn for clearpass guest

    Posted Aug 24, 2018 09:51 AM

    Many thanks Tim

    A



  • 4.  RE: defining a new fqdn for clearpass guest

    Posted Aug 31, 2018 07:42 AM

    OK. Seem to have things working but I've still got a couple of questions. Here's what I've done.

     

    Requirement:- URL mydevicesxb.york.ac.uk will direct user to a ClearPass Guest login page and then onto a restricted ClearPass Guest “create device” page that only allows them to register a MAC address and assign a name to it. Logging off directs them back to the mydevicesxb.york.ac.uk login page.

     

    ClearPass Policy Manager

     

    I've a service called  UoY Guest Operator login service

     

    Authenticates against AD, no roles created

    Enforcement policy basically says

     

    If ((Tips:role = [User Authenticated]) and (AD Authentication) and (Authentication:Full-Username=<myuserid>))

         Use enforcement profile UoY Operator Login - Super Administrator

    Else if ((Tips:role = [User Authenticated] )and (AD Authentication)) 

          Use enforcement profile UoY Game Console Registration

    Else

         Deny Application Access

     

    Enforcement Profile 

    UoY Game Console Registration defines an attribute admin_privileges and sets it to “UoY Device Registration”

     

    Enforcement Profile

     UoY Operator Login - Super Administrator sets this attribute to “Super Administrator”

     

    Under Policy Manager /Administration/Clearpass Portal/Guest I’ve specified the Guest Portal landing page to be landing_redirect.php

     

    ClearPass Guest

    In   Administration/Operator Login/Translation Rules I’ve defined an entry

    • name=UoY Device Registration,
    • Expression admin_privileges = UoY Device Registration
    • Action Assign operator profile = UoY Device Registration

    The operator profile has a  custom guest manager setup with full access to Create New Device and no access to anything else.

     

    Create Device 

     

    In Clearpass Guest/Configuration/Forms/Pages/Forms I’ve duplicated mac_create to mac_create_2 and tailored/reordered the create device field as appropriate

     

    Basically the user can only enter a device name and a MAC address.

     

    Similarly, create create_device_receipt_2 to tailor what gets displayed after device created.

     

     In operator profile UoY Device Registration  I’ve enabled Custom Forms and Views and assigned “Create New Device” to mac_create_2 

     

    Similarly I’ve assigned a different receipt create_device_receipt_2 - Game Console Registration Receipt

     

    Processing inbound URLs

     

    Now I need to configure the landing_redirect.php file defined at the beginning. I go to Clearpass Guest/Configuration/Pages/Web Logins/landing_redirect

     

    Default destination set to https://clearpass8.york.ac.uk/tips/welcome.action

    and the login header html has

     

    {if $smarty.server.SSL_TLS_SNI == 'mydevicesxb.york.ac.uk'}
    <meta http-equiv="refresh" content="0;url=https://mydevicesxb.york.ac.uk/guest/mac_create.php">
    {else}
    <meta http-equiv="refresh" content="0;url=http://clearpass8.york.ac.uk/tips/welcome.action">
    {/if}

     

     

    This seems to work. Pointing a web browser at https://mydevicesxb.york.ac.uk/ gets you to a login prompt, then to a Game Console registration page with only a Create Device option.

    I get a receipt generated and can create new devices. If I log out I get to a login page for https://mydevicesxb.york.ac.uk

     

    Questions

     

    1). At the moment there's an "Aruba Guest" banner at the top of every page. How can I get rid of/replace this with something more local to the uni?

    2). The create device page is the standard Aruba format with 2 columns, the LHS one having a start here link followed by a create device link. How can I remove the start here link?

    3). Is this overly complicated or the right way to do it?

     

    Rgds

    Alex