Security

Frequent Contributor I
Posts: 73
Registered: ‎08-31-2016

AD membership applying to SmartDevice connections on 802.1x

This question is in regards to a combination of AD, ClearPass, and our firewall. I'll give a bit of a setup outline first, followed by the question.


Users are able to connect on their laptops via TLS+PEAP; they don't need to enter their credentials, their current AD login is used automatically, along with a certificate for auth.


On their SmartDevices they are able to connect by entering their AD username and password, also with cert auth.


In AD we have a role for internet access that users need in order to be allowed external internet. When connecting to the IAP/ClearPass from a laptop, this role is working, as it is a domain laptop. When connecting on a smart device (entering AD credentials) the internet access role isn't applying (if it exists on the account), and as such they are being blocked by the TMG firewall (which checks for user membership in the internet access group). Smart devices are managed through an MDM (listed as an endpoint context server).


Is there a way to have ClearPass have the smart devices adopt the same AD roles as the account used to authenticate the connection? If not, what alternate approach should I be looking towards?


Thank you


Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: AD membership applying to SmartDevice connections on 802.1x

Are you using EAP-PEAP or EAP-TLS? You can't be using both.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 73
Registered: ‎08-31-2016

Re: AD membership applying to SmartDevice connections on 802.1x

TLS will be the one of choice. I just have PEAP on still as I haven't pushed certs out to all my devices yet as I'm still testing. Both ways use AD as an auth source, so I'd expect the solution would be similar to both?

Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: AD membership applying to SmartDevice connections on 802.1x

Please share screenshots of your role map and enforcement policy.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 73
Registered: ‎08-31-2016

Re: AD membership applying to SmartDevice connections on 802.1x

[ Edited ]

Nothing special for enforcement. If they have wireless access on their account, allow them. If a mobile device has a fingerprint created, allow it. (Yes, I edited the sample policy; I'll be making a separate one eventually.)

2016-10-28_09h24_57.png


No role mapping created yet. As laptop users are able to gain external access from their AD roles, I'm hoping to get mobile phones working similarly when entering in their AD credentials to authenticate.

Guru Elite
Posts: 8,190
Registered: ‎09-08-2010

Re: AD membership applying to SmartDevice connections on 802.1x

Are you seeing the group listed for the user in access tracker under authorization?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 73
Registered: ‎08-31-2016

Re: AD membership applying to SmartDevice connections on 802.1x

[ Edited ]

Do you mean under roles? Authorization just shows Active Directory and Endpoints Repository.


I see both roles needed: 'gs ESAI Wireless Access', needed to connect to the IAP (they successfully connect), and 'InternetAccess', needed to get past the firewall.


Edit: Or if you mean authorization under input (I was looking under summary), then yes, they both appear there as well.

Frequent Contributor I
Posts: 73
Registered: ‎08-31-2016

Re: AD membership applying to SmartDevice connections on 802.1x

Could this be a cert issue?


Which cert am I supposed to import into the SmartDevices (or clients in general)? I imported the RADIUS cert from ClearPass (signed by our internal CA). I'm starting to think this is the wrong cert to put into the clients' trust.

Aruba
Posts: 1,642
Registered: ‎04-13-2009

Re: AD membership applying to SmartDevice connections on 802.1x

Earlier Tim asked for a screenshot of the Role Mapping and Enforcement policy being applied; but you only have the Enforcement policy shown; can you do the same for the Roles tab?


Also, how is the TMG firewall determining its rules? Is it talking directly to AD to determine group memberships?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 73
Registered: ‎08-31-2016

Re: AD membership applying to SmartDevice connections on 802.1x

I mentioned in the post with the screenshot for enforcement that there were no role mappings created, but here's proof:

2016-10-28_11h26_19.png


TMG can apply rules to requests that come from user sets (AD groups). It will talk with AD to view the group; if the user sending the request is in the group, it applies the rule.
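The thread turns on the difference between an authorization attribute (the AD groups ClearPass fetches for the user, which the poster sees under Input) and a ClearPass role (which only exists once a role-mapping rule assigns it). The example below is added here to illustrate that distinction; it is not ClearPass code or anything from the posters, and every name in it (the group DNs, the role names "Wireless-Access" and "Internet-Access", the enforcement profile names) is a constructed placeholder. It evaluates a tiny role-mapping policy over sample AD `memberOf` values, then runs a two-rule enforcement policy of the kind described in the thread (allow if the account has wireless access, allow if the endpoint is known).

```python
"""Constructed illustration of role mapping vs. enforcement.

Not ClearPass code: a toy evaluator showing why an AD group that appears
in the authorization attributes does not become a role until a
role-mapping rule maps it.  All names below are placeholders.
"""
import re

# Constructed sample authorization attributes, shaped like what an AD/LDAP
# authorization source returns: memberOf is a list of group DNs.
SAMPLE_AUTHZ = {
    "jdoe": {
        "memberOf": [
            "CN=gs ESAI Wireless Access,OU=Groups,DC=example,DC=local",
            "CN=InternetAccess,OU=Groups,DC=example,DC=local",
        ]
    },
    "asmith": {
        "memberOf": [
            "CN=gs ESAI Wireless Access,OU=Groups,DC=example,DC=local",
        ]
    },
}

# Constructed role-mapping policy: (attribute, group CN to match, role).
# A rule assigns its role when any value of the attribute has that CN.
ROLE_MAPPING = [
    ("memberOf", "gs ESAI Wireless Access", "Wireless-Access"),
    ("memberOf", "InternetAccess", "Internet-Access"),
]


def group_cn(dn: str) -> str:
    """Return the CN component of an LDAP distinguished name.

    Matching on the CN keeps the rule readable; if two groups share a CN
    in different OUs, match on the full DN instead.
    """
    match = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return match.group(1) if match else dn


def map_roles(authz_attrs: dict, rules: list) -> set:
    """Apply role-mapping rules to authorization attributes.

    With an empty rule list (the thread's 'no role mapping created yet'
    situation) this always returns an empty set, no matter which AD
    groups the user belongs to.
    """
    roles = set()
    for attribute, wanted_cn, role in rules:
        values = authz_attrs.get(attribute, [])
        if any(group_cn(v).casefold() == wanted_cn.casefold() for v in values):
            roles.add(role)
    return roles


def enforce(roles: set, endpoint_known: bool) -> tuple:
    """Two-rule enforcement policy modelled on the thread's description.

    Returns (decision, enforcement_profile).  Access is granted when the
    account maps to Wireless-Access or the endpoint is already known;
    the profile is then chosen from the Internet-Access role.
    """
    if "Wireless-Access" not in roles and not endpoint_known:
        return ("REJECT", None)
    if "Internet-Access" in roles:
        return ("ACCEPT", "Allow-Internet")       # placeholder profile name
    return ("ACCEPT", "Allow-Internal-Only")      # placeholder profile name


def evaluate(username: str, endpoint_known: bool, rules: list) -> tuple:
    """Run role mapping then enforcement for one constructed request."""
    roles = map_roles(SAMPLE_AUTHZ.get(username, {}), rules)
    decision, profile = enforce(roles, endpoint_known)
    return decision, profile, roles


if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        print(user, "with rules:   ", evaluate(user, False, ROLE_MAPPING))
        print(user, "without rules:", evaluate(user, True, []))
```

Running it shows the failure mode from the thread: with no role-mapping rules, "jdoe" is still accepted (the known endpoint satisfies the second enforcement rule), but the role set is empty, so nothing downstream of ClearPass can ever see "Internet-Access" even though the group is plainly present in the authorization attributes.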
