AAA, NAC, Guest Access & BYOD

How to query the ClearPass publisher from subscribers to fetch endpoint attributes?

Aruba Employee
Requirement:

In a larger cluster, you may see a delay of one second or more before endpoint attributes are updated when authentications take place on subscribers. Consider a scenario where you update the Endpoint Attributes together with a RADIUS disconnect (CoA) enforcement in WebAuth or Layer-3 authentication, so that the client can be authorized during the 802.1X authentication that immediately follows. An entity update request performed on a subscriber is proxied to the publisher for the database write and then replicated back to the subscriber. In a larger cluster this round trip takes time, so the required attribute may not yet be available on the subscriber when the 802.1X authentication takes place after the successful RADIUS disconnect.

Solution:

The above situation could be handled by one of the following options.

  1. Increase the RADIUS CoA delay under Policy Manager >> Administration >> Server Manager >> Click on the Server Name >> Service Parameters >> Async Network Services >> CoA Delay. This gives the publisher more time to update and replicate the endpoint attributes.
  2. Query the publisher database from the subscriber for the updated attribute, which eliminates the replication wait time.

Configuration:

This article shows how to implement Option 2 above.

Important Notes:

Write the Role Mapping/Enforcement Policy rules so that the publisher is queried only when the attributes are not available in the local database. This keeps the number of queries to the publisher to a minimum.

Option 2 is implemented by adding the publisher database as an authentication source (Generic SQL DB) and using it as an authorization source in the service to query endpoint attributes.

Prerequisites:

Server Name: Publisher's MGMT interface IP address

Port(optional): 5432 (port must already be open as part of cluster implementation)

Database Name:  tipsdb

Login Username: appexternal

Login Password: password of above account "appexternal"

Note: The "appexternal" account password is the factory default admin/appadmin password. If that doesn't work, you can reset the password of the "appexternal" account under Administration >> Server Manager >> Server Configuration >> Cluster-Wide Parameters >> Database.

Steps:

Adding the publisher DB as an authentication source.

Log in to the publisher, navigate to Configuration >> Authentication >> Sources, click Add and fill in the details as shown below.

Set the type to "Generic SQL DB".

Ensure "Use for Authorization" is checked.

Adjust the Cache Timeout as needed. Caching can be disabled by setting the value to "0".

Move on to the Primary tab and fill in the details as shown below.

Enter the following query in the Attributes tab to fetch the endpoint attributes. This example queries the attribute "Location":

  • select attributes->>'Location' AS Location from tips_endpoints WHERE mac_address = '%{Connection:Client-Mac-Address-NoDelim}'

More than one attribute can be fetched, as below:

select attributes->>'Location' AS Location, attributes->>'Domain_User' AS Domain_User from tips_endpoints WHERE mac_address = '%{Connection:Client-Mac-Address-NoDelim}'

Map the above authentication source as an authorization source in the service and derive the enforcement policy to fetch the endpoint attribute.

Example:

Note condition #1 above, which looks for the attribute locally, and condition #2, which is the fallback that fetches the attribute from the publisher when it is not available locally.

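The two pieces described above, the publisher query for one or more endpoint attributes and the local-first / publisher-fallback rule, as an added Python example. This is not ClearPass code and is not from the article. It assumes psycopg2 is installed wherever fetch_from_publisher actually runs (it is imported lazily so the rest works without it), that tips_endpoints stores mac_address lower-case without delimiters (matching %{Connection:Client-Mac-Address-NoDelim}), and it uses a constructed in-memory stand-in for the publisher table so the fallback logic can be exercised offline. Unlike the article's query, the MAC is passed as a bind parameter rather than spliced into the SQL text, and attribute names are restricted to a safe character set before they are placed after ->>.

```python
import re
from typing import Callable, Dict, Optional, Sequence, Tuple

# Attribute names are configuration-time constants, but they are spliced into
# the SQL text (the JSON key after ->>), so restrict them to a safe charset.
_ATTR_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in the no-delimiter form the article's query compares
    against. Lower-case storage in tips_endpoints is an assumption."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


def build_endpoint_query(attributes: Sequence[str]) -> str:
    """Build the publisher query for one or more endpoint attributes.
    Same shape as the article's query, but with a %s bind parameter for the
    MAC and validated attribute names."""
    if not attributes:
        raise ValueError("at least one attribute is required")
    cols = []
    for name in attributes:
        if not _ATTR_NAME.match(name):
            raise ValueError(f"unsafe attribute name: {name!r}")
        cols.append(f"attributes->>'{name}' AS {name}")
    return "SELECT " + ", ".join(cols) + " FROM tips_endpoints WHERE mac_address = %s"


def fetch_from_publisher(dsn: str, mac: str,
                         attributes: Sequence[str]) -> Dict[str, Optional[str]]:
    """Query the publisher's tipsdb (PostgreSQL, port 5432) for the attributes.
    Returns {attribute: value-or-None}; rows are read by position so the
    unquoted aliases' case folding does not matter."""
    import psycopg2  # assumption: psycopg2 is installed where this runs
    sql = build_endpoint_query(attributes)
    with psycopg2.connect(dsn) as conn:
        with conn.cursor() as cur:
            cur.execute(sql, (normalize_mac(mac),))
            row = cur.fetchone()
    if row is None:
        return {name: None for name in attributes}
    return dict(zip(attributes, row))


def resolve_attribute(
    name: str,
    local_attributes: Dict[str, Optional[str]],
    publisher_lookup: Callable[[Sequence[str]], Dict[str, Optional[str]]],
) -> Optional[str]:
    """Condition #1: use the subscriber's local copy when present and non-empty.
    Condition #2: otherwise ask the publisher. The publisher is only contacted
    on a local miss, as the article's Important Notes recommend."""
    value = local_attributes.get(name)
    if value not in (None, ""):
        return value
    return publisher_lookup([name]).get(name)


class SamplePublisher:
    """Constructed stand-in for the publisher's tips_endpoints table,
    keyed by normalized MAC. Counts queries so the fallback can be observed."""

    def __init__(self, rows: Dict[str, Dict[str, str]]):
        self.rows = rows
        self.queries = 0

    def lookup(self, mac: str, attributes: Sequence[str]) -> Dict[str, Optional[str]]:
        self.queries += 1
        row = self.rows.get(normalize_mac(mac), {})
        return {a: row.get(a) for a in attributes}


# Constructed sample: the publisher already holds the Location written by
# WebAuth, but the subscriber's copy below has not received it yet.
SAMPLE_PUBLISHER_ROWS = {
    "001122aabbcc": {"Location": "HQ-Floor3", "Domain_User": "jdoe"},
}


def demo() -> Tuple[Dict[str, Optional[str]], int]:
    """Resolve two attributes for one client: one served locally, one fetched
    from the publisher. Returns the values and the publisher query count."""
    publisher = SamplePublisher(SAMPLE_PUBLISHER_ROWS)
    mac = "00:11:22:AA:BB:CC"
    local = {"Domain_User": "jdoe"}  # stale subscriber copy: no Location yet
    lookup = lambda attrs: publisher.lookup(mac, attrs)
    result = {
        "Domain_User": resolve_attribute("Domain_User", local, lookup),
        "Location": resolve_attribute("Location", local, lookup),
    }
    return result, publisher.queries


if __name__ == "__main__":
    print(build_endpoint_query(["Location", "Domain_User"]))
    print(demo())
```

Running demo() returns Domain_User from the local copy and Location from the publisher, with exactly one publisher query, which is the behaviour the two-condition policy above is meant to produce. To use fetch_from_publisher for real, pass a DSN built from the Prerequisites (host = publisher MGMT IP, port 5432, dbname tipsdb, user appexternal) and keep the Cache Timeout in mind: a cached empty result on the authentication source will mask an attribute that arrives on the publisher shortly afterwards.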

Verification

Sample endpoint attribute fetched from the publisher based on the above sample configuration.

The output below shows the endpoint attribute when it is available in the local DB. The whole point of this article is what to do when the attribute shown below is not available during authentication because of the update/replication delay between cluster nodes.