10-28-2016 05:56 AM
This question is in regards to a combination of AD, ClearPass, and our firewall. I'll give a bit of a setup outline first, followed by the question.
Users are able to connect on their laptops via TLS+PEAP; they don't need to enter their credentials, their current AD login is automatically used, and a certificate is used for auth.
On their SmartDevices they are able to connect by entering their AD username and password, also with cert auth.
In AD we have a role for internet access, which users need to be allowed to gain external internet. When connecting to the IAP/ClearPass from a laptop, this role is working, as it is a domain laptop. When connecting on a smart device (entering AD credentials) the internet access role isn't applying (if it exists on the account), and as such they are being blocked by the TMG firewall (which checks for user membership in the internet access group). Smart devices are managed through an MDM (listed as an endpoint context server).
Is there a way to have ClearPass make the smart devices adopt the same AD roles as the account used to authenticate the connection? If not, what alternate approach should I be looking towards?
10-28-2016 06:20 AM
TLS will be the one of choice. I just have PEAP on still as I haven't pushed certs out to all my devices yet as I'm still testing. Both ways use AD as an auth source, so I'd expect the solution would be similar to both?
10-28-2016 06:23 AM
Please share screenshots of your role map and enforcement policy.
10-28-2016 06:27 AM - edited 10-28-2016 06:28 AM
Nothing special for enforcement. If they have wireless access on their account, allow them. If a mobile device has a fingerprint created, allow it. (Yes, I edited the sample policy; I'll be making a separate one eventually.)
No role mapping created yet. As laptop users are able to gain external access from their AD roles, I'm hoping to get mobile phones working similarly when entering in their AD credentials to authenticate.
10-28-2016 06:30 AM
Are you seeing the group listed for the user in access tracker under authorization?
10-28-2016 06:38 AM - edited 10-28-2016 06:39 AM
Do you mean under roles? Authorization just shows Active Directory and Endpoints repository.
I see both roles needed: 'gs ESAI Wireless Access', needed to connect to the IAP (they successfully connect), and 'InternetAccess', needed to get past the firewall.
Edit* Or if you mean authorization under input (I was looking under summary), then yes, they both appear there as well.
10-28-2016 08:02 AM
Could this be a cert issue?
Which cert am I supposed to import into the SmartDevices (or clients in general)? I imported the RADIUS cert from ClearPass (signed by our internal CA). I'm starting to think this is the wrong cert to put into the clients' trust.
10-28-2016 08:25 AM
Earlier Tim asked for a screenshot of the Role Mapping and Enforcement policy being applied, but you only have the Enforcement policy shown. Can you do the same for the Roles tab?
Also, how is the TMG firewall determining its rules? Is it talking directly to AD to determine group memberships?
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
10-28-2016 08:33 AM
I mentioned in the post with the screenshot for enforcement that there were no role mappings created, but here's proof:
TMG can apply rules to requests that come from user sets (AD groups). It will talk with AD to view the group; if the user sending the request is in the group, it applies the rule.