Occasional Contributor II

Active Directory filter query with a Clearpass variable?

We've got a PSK SSID tied to Clearpass via an [Allow All MAC Auth] service, that's using the Endpoints Repository, an external SQL database, Static Hosts List, and AD as authorization sources.  I'm able to leverage info from all of these sources to assign roles based on context, but I'd like to clean up the AD piece a little bit.

I started by trying to create the filter query to select computer objects where <some AD attribute> matches <some Clearpass variable> but no matter what I tried it wouldn't return any matches.  For example, the default Machine filter:  (&(sAMAccountName=%{Host:Name}$)(objectClass=computer)).  I think %{Host:Name} is only populated when the client does machine authentication, so I tried some others like %{Authorization:[Endpoints Repository]:Hostname}, since clients being in the endpoints repository is a prerequisite before they can hit this enforcement policy.  The idea was that in the enforcement policy I could have a simple rule like "Authorization:ADsource <filtername> EXISTS".  No luck there either.

Now I've just got the AD source query set to (objectClass=computer) (which returns all computers from AD and fills the authorization attributes section with a lot of ugly data in access tracker), and the enforcement policy rule is "Authorization:ADSource:<filtername> EQUALS_IGNORE_CASE %{Authorization:[Endpoints Repository]:Hostname}".  This gives me the desired end result, but the pile of computer names in access tracker/auth attributes is going to bug me.

So - is there a way I can use a variable in the filter query for AD to only pull results that match, for example, %{Authorization:[Endpoints Repository]:Hostname}?

Guru Elite

Re: Active Directory filter query with a Clearpass variable?

You should not modify the machine filters. Those are only used with Machine Authentication.

Use this for your authentication filter:

(&(cn=%{Authorization:[Endpoints Repository]:Hostname})(objectClass=computer))

Also just keep in mind that hostname is easily spoofed.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
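The filter in the reply above, with the endpoint hostname substituted for %{Authorization:[Endpoints Repository]:Hostname}, and the spoofing caveat, as an added Python example. This is not ClearPass code and not from the thread: it builds the filter with RFC 4515 value escaping and evaluates it against a constructed, hypothetical set of AD computer objects (a small in-memory stand-in for the directory search, with a parser for the &, |, ! and attr=value subset of the filter grammar). Whether ClearPass escapes the value it substitutes is not covered in the thread and is treated here as an assumption the operator should verify; the example shows what an unescaped, endpoint-controlled hostname such as `*` would do to the filter, and what the escaped form does instead.

```python
"""Added example (not ClearPass code, not from the thread): substitute an
endpoint-supplied hostname into the AD computer-object filter with RFC 4515
escaping, then run the filter against a constructed directory sample."""
import re

# Constructed stand-in for what an (objectClass=computer) search returns.
# Hypothetical hostnames; multi-valued attributes are lists, as in LDAP.
COMPUTERS = [
    {"cn": "LAPTOP-01", "sAMAccountName": "LAPTOP-01$", "objectClass": ["top", "computer"]},
    {"cn": "LAPTOP-02", "sAMAccountName": "LAPTOP-02$", "objectClass": ["top", "computer"]},
    {"cn": "PRINTER-07", "sAMAccountName": "PRINTER-07$", "objectClass": ["top", "computer"]},
    {"cn": "jdoe", "sAMAccountName": "jdoe", "objectClass": ["top", "person", "user"]},
]


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def computer_filter(hostname: str) -> str:
    """The reply's filter with %{...:Hostname} already substituted.

    The hostname comes from the endpoint and is easily spoofed, so it is
    escaped here.  Assumption: ClearPass's own substitution may not do this."""
    return "(&(objectClass=computer)(cn=%s))" % ldap_escape(hostname)


def _parse(s: str, i: int):
    """Recursive-descent parser for the subset used here: & | ! and attr=value."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
    elif s[i] == "!":
        node, i = _parse(s, i + 1)
        op, kids = "!", [node]
    else:
        eq = s.index("=", i)
        end = s.index(")", eq)  # a raw ')' inside a value would be escaped as \29
        return ("=", s[i:eq], s[eq + 1:end]), end + 1
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return (op, kids), i + 1


def _unescape(part: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), part)


def _value_matches(raw: str, value: str) -> bool:
    """Unescaped '*' is a wildcard; everything else is literal.  Matching is
    case-insensitive, as AD's cn is (cf. EQUALS_IGNORE_CASE in the thread)."""
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None


def _eval(node, entry) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    _, attr, raw = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    if isinstance(values, str):
        values = [values]
    return any(_value_matches(raw, v) for v in values)


def search(filter_str: str, entries=COMPUTERS):
    """Return the cn of every entry the filter matches."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [e["cn"] for e in entries if _eval(node, e)]


if __name__ == "__main__":
    # (objectClass=computer) alone: every computer, the pile of names in Access Tracker.
    print(search("(objectClass=computer)"))
    # Narrowed to the endpoint's hostname (case-insensitive, as cn is in AD).
    print(search(computer_filter("laptop-01")))
    # A spoofed hostname of "*": escaped it matches nothing; unescaped it matches all.
    print(search(computer_filter("*")))
    print(search("(&(objectClass=computer)(cn=*))"))
```

The point of the last two calls is the caveat in the reply: the filter narrows the result set only as long as the substituted value is treated as a literal. If the substitution does not escape, an endpoint that registers a hostname of `*` gets the whole computer container back, which is exactly the result the question is trying to avoid, and a hostname that closes the assertion early can change the filter's structure.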
Occasional Contributor II

Re: Active Directory filter query with a Clearpass variable?

Thanks Tim,

So the filter name actually has some impact on the operation of it?  I created a new AD source just for this purpose to avoid borking anything with our other AD auth services, fortunately.  I'll give this a shot, thanks!

-Josh.

Occasional Contributor II

Re: Active Directory filter query with a Clearpass variable?

That doesn't seem to be working.  It doesn't return a match when I authenticate, but when I put my hostname in the Attributes tab of the filter window, it returns a match from AD.

Filter name: Authentication

Filter Query: (&(objectClass=computer)(cn=%{Authorization:[Endpoints Repository]:Hostname}))

Name: cn  Alias name: machineName  Data type: String  Enabled as: attribute.

Guru Elite

Re: Active Directory filter query with a Clearpass variable?

Do you have the [Endpoints Repository] as an authorization source?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Active Directory filter query with a Clearpass variable?

Yep, and it displays the correct value next to Authorization:[Endpoints Repository]:Hostname under authorization attributes in access tracker, but nothing from the AD source.  It's behaving like it doesn't yet know what the endpoints variable is when it queries AD (I do have the endpoints repository first in the list, and AD last, in case it mattered).

Guru Elite

Re: Active Directory filter query with a Clearpass variable?

Make sure you have both Endpoint Repository and AD source as additional authorization sources.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Active Directory filter query with a Clearpass variable?

Hi Tim,

Endpoint Repository is listed under authentication sources, and all 4 sources are listed under additional authorization sources.

-Josh

Occasional Contributor II

Re: Active Directory filter query with a Clearpass variable?

I worked with TAC on this and after testing in their lab they confirmed that it doesn't work.  They offered a workaround where we set a custom attribute via our 802.1X SSID, and then leverage that in the query filter (which does seem to work), but that's not live data and isn't going to be sufficient for our needs.  I've concluded that having all of the AD computers listed under the authorization attributes section in access tracker is worth it if it means this works, and it does.
