Security

This question is in regards to acombination of AD, clearpass, and our firewall. I'll give a bit of a setup outline first, followed by the question.

User's are able to connect on their laptops via TLS+PEAP, they don't need to enter in their credentials, their current AD login is automatically used, and certificate for auth.

On thier SmartDevices they are able to connect by entering in their AD username and password, also with cert auth.

In AD we have a role for internet access, that users need to be allowed to gain external internet. When connecting to the IAP/clearpass from a laptop, this role is working, as it is a domain laptop. When connecting on a smart device(entering in AD credentials) the internet access role isn't applying (if exists on the account), and as such are being blocked by the TMG firewall (checks for user membership to the internet access group). smart devices are managed through an MDM(listed as enpoint context server).

Is there a way to have clearpass have the smart devices adopt the same AD roles of the account used to authenticate connection? If no, what alternate appraoch should I be looking towards?

Thank you

TLS will be the one of choice. I just have PEAP on still as I haven't pushed certs out to all my devices yet as I'm still testing. Both ways use AD as an auth source, so I'd expect the solution would be similar to both?

Please share screenshots of your role map and enforcement policy.

Nothing special for enforcement. If they have wireless access on their account, allow them. If a mobile device has a fingerprint created, allow it. (Yes I edited the sample policy, I'll be making a seperate one eventualy)

No role mapping created yet. As laptop users are able to gain external access from their AD roles, I'm hoping to get mobile phones working similarly when entering in their AD credentials to authenticate.

Are you seeing the group listed for the user in access tracker under authorization?

Do you mean under roles? Authorization just shows Active Directory and Endpoints repository. 

I see both roles needed, 'gs ESAI Wireless Access" needed to connect to the IAP (they successfullly connect) and 'InternetAccess' needed to get past the firewall.

Edit* Or if you mean authorization under input (I was looking udner summary), then yes, they both appear there as well.

Could this be a cert issue?

Which cert am I supposed to import into the SmartDevices(or clients in general)? I imported the RADIUS cert from clearpass(signed by our internal CA). I'm samrting to think this is the wrong cert to put into the clients trust.

Earlier Tim asked for a screenshot of the Role Mapping and Enforcement policy being applied; but you only have the Enforcement policy shown; can you do the same for the Roles tab?

Also, how is the TMG firewall determining its rules?   Is it talking directly to AD to determine group memberships?

I mentioned in the post with the screenshot for enforecment that there were no role mappings created, but here's proof:

TMG can apply rules to requests that come from user sets(AD groups). It will talk with AD to view the group, if the user sending the request is in  the group, apply the rule.

I did find one error before exporting the logs. The mobile devices were connecting using PEAP, so I've removed that from our service, and have the phones set to connect using TLS. Now we are recieving"EAP-TLS: fatal alert by server - unsupported_certificate" on Iphones, and "EAP: Client doesn't support configured EAP methods" on androids

I've attached the Access Tracker export for an android connection 

Attachment(s)

DashboardDetails.zip   7 KB 1 version