======Setting Operator Name and CUI in Clearpass======

=====Background=====

Operator-Name (O-N) and Chargeable-User-Identity (CUI) are two attributes that provide a Govroam operators with useful audit information. Operator-Name identifies the sending site (in the form of their realm) and CUI contains the MAC address and username of the user device, encoded.

The approach below is fairly straight-forward: An attribute is attached to the NAS device which contains the value which we wish O-N to be set to. An Enforcement Policy and Profile are created which sets Operator-Name to the value of the Attribute. The Enforcement Policy is attached to the Service which forwards unknown realms (visitor authentication requests) to the NRPS. 

This means that each NAS can have a different realm associated with it. This could be useful if the NASes are different RADIUS servers at different sites. 

====Setting O-N====

  * In **Configuration -> Network -> Devices** choose the device you want to apply an O-N to.
  * Go to the **Attributes** page
  * Add an attribute of **Controller ID** with a value of **1realm.name** where 'realm.name' is your realm name e.g. 'jisc.ac.uk'. The format always starts with a '1'.
{{:siteadmin:clearpass_-_device_-_controller_id.png?direct&800|Device Attributes}}
  * Save and exit.
  
  * In **Configuration -> Enforcement -> Profiles** **Add** a new profile.
  * Create a new Attribute, type **Radius:IETF**, name **Operator-Name** and value **%{Device:Controller Id}**.
{{:siteadmin:clearpass_-_enforcement_profile_-_set_o-n.png?direct&800|Enforcement Profile}}
  * Save and exit

  * In **Configuration -> Enforcement -> Policy** **Add** a new policy
  * **Enforcement Type** is **RADIUS**.
  * **Default** is **Allow Access Profile**.
  * Add a new rule **Device:Controller Id**, **EXISTS**
  * Choose the Enforcement Profile created above.
{{:siteadmin:clearpass_-_enforcement_policy_-_set_o-n.png?direct&800|Enforcement Policy}}
  * Save and exit.


  * In **Configuration -> Services** pick the rule that you want to apply this too - normally the rule which sends default traffic to the NRPS.
  * Under **Enforcement** choose the **Enforcement Policy** created above.
{{:siteadmin:clearpass_-_services_enforcement.png?direct&800|Service Enforcement}}
  * Save and exit.

  * Attempts to authenticate with an unknown realm should use the above Service and create an entry in the Access Tracker which looks like this:
{{:siteadmin:clearpass_-_monitoring_-_o-n_output.png?direct&400|Activity Output}}

====Setting CUI====

TBD