Higher Education

Frequent Contributor II

Yet another Clearpass question

So I am trying to get a little more granular with my roles so that it is easier for our help desk gang to troubleshoot wireless issues with students and staff/faculty. So as an example I have set up two roles:

CFCC-IT-Staff-DT = IT staff members at our downtown campus on a school-owned device

CFCC-IT-Staff-POD-DT = IT staff members at our downtown campus on a personally owned device

IT Staff POD.PNG

So now the issue is that for some reason everyone (IT wise) is getting the POD role even when they are on a school-owned device (i.e., Tips:Role; Domain Computers). I have been through the roles and enforcement policies until I am about bats#$t crazy and it all looks correct to me. So my question is this: could this be an issue due to the Rules Evaluation Algorithm being set to Select First Match as opposed to Select All Matches?

As always, any help or advice is greatly appreciated :-)

Scott McNeil - Sr. Network & Security Engineer, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
11 REPLIES
Guru Elite

Re: Yet another Clearpass question

Role mapping should always be configured for match any in an identity role map. When you look at the access tracker request, does it have all of the expected TIPS roles?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
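To make the difference the question and reply are talking about concrete, here is an added Python simulation of a two-rule role-mapping policy followed by an enforcement policy. It is an illustration written for this thread, not ClearPass code, and the request attributes, group names, rule order and the `domain_member` signal are all assumptions (a user-auth request on its own would not normally carry such a signal; that is what the later replies about machine authentication address). The point it shows: under a first-match algorithm the second TIPS role is never assigned, so the enforcement policy can only ever land on the POD role for a school-owned device.

```python
"""Added illustration (not ClearPass code) of how a role-mapping policy's
evaluation algorithm changes the TIPS roles a request ends up with.
Attribute names, group names and the rule order are assumptions."""

# A request is modelled as a flat dict of the attributes role-mapping
# conditions would look at.  SCHOOL_LAPTOP is constructed so that BOTH rules
# below match; PERSONAL_LAPTOP only matches the first.
SCHOOL_LAPTOP = {
    "user_groups": ["IT Staff"],
    "domain_member": True,      # assumed signal that the device is AD-joined
    "location": "DT",
}
PERSONAL_LAPTOP = {
    "user_groups": ["IT Staff"],
    "domain_member": False,
    "location": "DT",
}

# Role-mapping rules in policy order: (condition, TIPS role assigned).
ROLE_MAP_RULES = [
    (lambda r: "IT Staff" in r["user_groups"], "IT-Staff"),
    (lambda r: r["domain_member"], "Domain Computers"),
]


def evaluate_role_map(request, algorithm):
    """Return the TIPS roles assigned to a request.

    algorithm is "first-match" (stop after the first rule that matches) or
    "all-matches" (collect every rule that matches).
    """
    if algorithm not in ("first-match", "all-matches"):
        raise ValueError(f"unknown evaluation algorithm: {algorithm}")
    roles = []
    for condition, role in ROLE_MAP_RULES:
        if condition(request):
            roles.append(role)
            if algorithm == "first-match":
                break
    return roles


def enforce(request, roles):
    """Enforcement policy: pick a profile name from the TIPS roles.

    Evaluated first-applicable, with the most specific case (downtown IT
    staff on a school-owned device) listed first.
    """
    if request["location"] != "DT" or "IT-Staff" not in roles:
        return "[Deny Access]"   # hypothetical catch-all
    if "Domain Computers" in roles:
        return "CFCC-IT-Staff-DT"
    return "CFCC-IT-Staff-POD-DT"


def outcome(request, algorithm):
    """Convenience wrapper: run role mapping, then enforcement."""
    return enforce(request, evaluate_role_map(request, algorithm))


if __name__ == "__main__":
    for name, req in (("school laptop", SCHOOL_LAPTOP),
                      ("personal laptop", PERSONAL_LAPTOP)):
        for alg in ("first-match", "all-matches"):
            print(f"{name:15} {alg:12} roles={evaluate_role_map(req, alg)}"
                  f" -> {outcome(req, alg)}")
```

Running it prints the school laptop landing on CFCC-IT-Staff-POD-DT under first-match and on CFCC-IT-Staff-DT under all-matches, while the personal laptop gets the POD role either way. When troubleshooting, the Access Tracker request's list of TIPS roles is the thing to compare against the expected list, as the reply above suggests.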
Frequent Contributor I

Re: Yet another Clearpass question

When we initially set up ClearPass, we had the assistance of a ClearPass Engineer. Here is what we check for Windows computers in the University.liberty.edu domain.

<RuleAttribute displayValue="University.liberty.edu" value="University.liberty.edu" operator="CONTAINS" name="servicePrincipalName" type="Authorization:SENSENET Domain"/>


Bruce Osborne - Wireless Engineer
ACCP, ACMP
Frequent Contributor II

Re: Yet another Clearpass question

That's the weird thing, Cappy: Domain Computers does not show up in Access Tracker even though it should; the pic example doesn't show it even though it should. AND other roles that I use Domain Computers for show up in Access Tracker just fine...

access tracker.PNG

(this is for my laptop, which is a school-owned device and thus should be showing properly)

access tracker II.PNG

(this is an example of one of my machine auth devices which uses the Domain Computers role and it shows up/works just fine)

I don't get it....
Scott McNeil - Sr. Network & Security Engineer, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite

Re: Yet another Clearpass question

You would want to use the [Machine Authenticated] token instead of your Domain Computer TIPS roles. The [Machine Authenticated] token has an independent, configurable cache timeout.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Yet another Clearpass question


cappalli wrote:
You would want to use the [Machine Authenticated] token instead of your Domain Computer TIPS roles. The [Machine Authenticated] token has an independent, configurable cache timeout.

A little confused on this one, Tim: why would I want to use the Machine Auth token on a non machine auth device?

Scott McNeil - Sr. Network & Security Engineer, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor I

Re: Yet another Clearpass question

Our domain computer role only applies when nobody is logged in, since Windows does not do both user + computer authentication at the same time.


Bruce Osborne - Wireless Engineer
ACCP, ACMP
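Putting Tim's point about the [Machine Authenticated] token together with Bruce's point that Windows sends the computer authentication and the user authentication as separate requests, here is an added Python sketch of why a cache with a timeout is what links the two. It is an illustration for this thread, not ClearPass's implementation: keying the cache by endpoint MAC, the 24-hour timeout value, the group names and the profile names are all assumptions.

```python
"""Added illustration (not ClearPass code) of a machine-authentication token
cache: Windows authenticates the computer at boot (before anyone logs in) and
the user later, as two separate requests.  A cache keyed by endpoint MAC with a
timeout lets the later user request carry a [Machine Authenticated] role.
Key choice, timeout value and role names are assumptions."""

from dataclasses import dataclass, field

DEFAULT_TIMEOUT_SECONDS = 24 * 3600  # assumed; the real timeout is configurable


@dataclass
class MachineAuthCache:
    timeout: int = DEFAULT_TIMEOUT_SECONDS
    # endpoint MAC -> time (seconds) the last successful machine auth was seen
    entries: dict = field(default_factory=dict)

    def record_machine_auth(self, mac, now):
        """Called when a computer-account (host/...) authentication succeeds."""
        self.entries[mac.lower()] = now

    def is_machine_authenticated(self, mac, now):
        """True while a machine auth for this MAC is within the timeout."""
        seen = self.entries.get(mac.lower())
        return seen is not None and 0 <= now - seen <= self.timeout


def roles_for_user_auth(cache, mac, user_groups, now):
    """TIPS roles for a *user* request.  Nothing in the user's own credentials
    says whether the laptop is AD-joined; that only comes from the cache."""
    roles = []
    if "IT Staff" in user_groups:
        roles.append("IT-Staff")
    if cache.is_machine_authenticated(mac, now):
        roles.append("[Machine Authenticated]")
    return roles


def enforce(roles):
    """First-applicable enforcement: machine-authenticated IT staff first,
    IT staff on anything else second, everything else denied."""
    if "IT-Staff" in roles and "[Machine Authenticated]" in roles:
        return "CFCC-IT-Staff-DT"
    if "IT-Staff" in roles:
        return "CFCC-IT-Staff-POD-DT"
    return "[Deny Access]"  # hypothetical catch-all


def simulate():
    """Constructed timeline; returns the profile chosen at each step."""
    cache = MachineAuthCache()
    school_mac = "00:11:22:33:44:55"     # constructed
    personal_mac = "66:77:88:99:aa:bb"   # constructed
    it_staff = ["IT Staff"]

    cache.record_machine_auth(school_mac, now=0)   # boot, nobody logged in
    return {
        # user logs in five minutes after boot: token still valid
        "school_login": enforce(roles_for_user_auth(cache, school_mac, it_staff, 300)),
        # same laptop re-authenticates two days later with no reboot: token expired
        "school_stale": enforce(roles_for_user_auth(cache, school_mac, it_staff, 2 * 86400)),
        # personal laptop never performed machine auth at all
        "personal_login": enforce(roles_for_user_auth(cache, personal_mac, it_staff, 300)),
    }


if __name__ == "__main__":
    for step, profile in simulate().items():
        print(f"{step:15} -> {profile}")
```

The "school_stale" step is the case the configurable timeout exists for: a device that was machine authenticated once but has been up longer than the cache allows drops back to the POD profile until it authenticates as a computer again, so a surprising POD assignment on a domain-joined laptop is worth checking against the token's age as well as the role map.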
Guru Elite

Re: Yet another Clearpass question

No, this would be for your Domain joined machines, which is the first rule you're trying to hit, correct?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II

Re: Yet another Clearpass question

All of our school-owned laptops (as an example) are joined to AD; only the ones that are used in our wireless computer labs are set up for machine auth (i.e. sitting on a separate VLAN waiting for either staff or student to log in and then getting whatever role depending on their AD login). So I don't have any problem with the machine auth machines, but with other AD joined devices.

Make sense?

Scott McNeil - Sr. Network & Security Engineer, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite

Re: Yet another Clearpass question

You would need to use machine authentication to make this work.

Can you post (or DM) a screenshot of your role map?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480