Security

  • 1.  Clearpass Guest Operator Login check client IP

    Posted Aug 17, 2021 03:43 AM
    Hello together,
    I just got a little quest, maybe you can help me :-)

    I'm about to set up a ClearPass Guest Operator Login Service for device registration with different Operator Profiles depending on AD group membership. Since it's a school and students are used to spying on the teacher's passwords, I want to restrict the teacher login to IP networks the students have no access to.

    What I'm looking for:

    • Is there any way to process the IP address of the client trying to log on to the ClearPass Guest application? In Access Tracker I can only find 127.0.0.1 as the source of the application login
    • In Event Viewer I can see the client IP address, but I haven't yet found any way to use that in role mapping

    I'd be pleased for your suggestions!

    Best regards

    ------------------------------
    Johannes
    ------------------------------


  • 2.  RE: Clearpass Guest Operator Login check client IP

    Posted Aug 24, 2021 06:10 AM
    I see the same, can't see the original IP for an operator login. Quite sure that for a captive portal login that information is available.

    Please open a TAC case and have them verify that the client IP is indeed not accessible during the Guest Operator authentication.

    If you have a multi-node cluster, you may get around this by putting Service ACLs on the Guest service, different per node, and then check on which server the request is processed, but I could not really see that information either, so you may need an enhancement request for this specific feature.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Clearpass Guest Operator Login check client IP

    Posted Aug 24, 2021 08:32 AM

    Hello Herman,

    Thanks for your answer. A TAC case seems to be the best solution since we have no cluster. I'll update as soon as I get an answer, but it may take some time since it's not the highest priority now.

     

    Best regards

    Johannes