Contributor I

Aerohive Wireless and Clearpass

Hi All,

 

Just wanted to ask you guys a few questions with regards to Aerohive wireless and Clearpass.

 

I am doing an install this week, which involves setting up machine authentication for devices that connect to Aerohive wireless.

 

Can you confirm for me why we need to add a custom attribute? What is the significance of this issue and is it needed?

The way I have machine authentication setup at the moment is to validate that the user has a valid computer account and if they have a valid username and password. Is this enough?

 

In my enforcement I only want to send back a VLAN ID by using the Radius filter ID attribute. Would this work or would I need the other attributes mentioned in the other posts?

 

I look forward to hearing from you guys.

Guru Elite

Re: Aerohive Wireless and Clearpass

Which custom attribute are you referring to?

 

With Aerohive, you can return back a value using standard IETF filter-ID which can be used as the role by the AP.

 



Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Aerohive Wireless and Clearpass

Hi,

 

I was checking if I needed the following attributes as referred to on other posts:

 

Tunnel Mode Type

Tunnel Type

Tunnel Private Group-ID

 

All I did was return the filter-id value back to the APs. This seems to be working fine.

 

I am also setting up machine authentication for this deployment. This is working fine, but can you confirm why I need to configure the "Boolean" attribute? What will not work if I do not have this?

Guru Elite

Re: Aerohive Wireless and Clearpass

The Tunnel attributes are used if you want to return back a VLAN name.

 

Regarding the endpoint attributes, they're not needed for basic setups. Custom attributes can be used in more advanced setups where context is required from both identities.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
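
The two reply styles discussed in this thread, shown at the wire level as an added example (not posted by anyone in the thread). It encodes a Filter-Id and the RFC 3580 tunnel attribute triplet as RADIUS attributes, then decodes a reply to report which are present; the values "Staff" and "20" are constructed samples.

```python
# RADIUS attribute type codes (RFC 2865, RFC 2868)
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type = VLAN
MEDIUM_IEEE_802 = 6     # RFC 3580: Tunnel-Medium-Type = IEEE-802

def encode_string_attr(attr_type, text):
    """Type, Length (header included), then the string value."""
    value = text.encode("ascii")
    return bytes([attr_type, len(value) + 2]) + value

def encode_tagged_int(attr_type, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: 1-byte tag + 3-byte integer."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")

def vlan_reply(vlan):
    """The three tunnel attributes that together carry a VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + encode_string_attr(TUNNEL_PRIVATE_GROUP_ID, vlan))

def decode_attrs(blob):
    """Split an attribute blob into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2 or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

def summarize(blob):
    """Report the Filter-Id and, if the full triplet is present, the VLAN."""
    result, tunnel = {"filter_id": None, "vlan": None}, {}
    for attr_type, value in decode_attrs(blob):
        if attr_type == FILTER_ID:
            result["filter_id"] = value.decode("ascii")
        elif attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tunnel[attr_type] = int.from_bytes(value[1:], "big")  # skip tag
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and 0x01 <= value[0] <= 0x1F:  # optional tag byte
                value = value[1:]
            tunnel[attr_type] = value.decode("ascii")
    if (tunnel.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and tunnel.get(TUNNEL_MEDIUM_TYPE) == MEDIUM_IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in tunnel):
        result["vlan"] = tunnel[TUNNEL_PRIVATE_GROUP_ID]
    return result
```
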
Contributor I

Re: Aerohive Wireless and Clearpass

Hi,

 

Sorry for the late reply on this.

I still need a bit of help with this install.

 

I am still having a bit of trouble with Machine and User authentication.

I aim to give you all the information here so you can guide me.

 

Authentication Scenarios

Staff Machine, which is logged into by a Staff user. They are getting the Staff VLAN, which is working fine.

Student Machine with a Student laptop it is getting Staff VLAN instead of Student.

Non-Staff machine should go into Staff VLAN, i.e. should be user authenticated. It asks for username and password and access tracker shows a timeout. This is falling into the default Clearpass role of other and Enforcement is matching the default deny access profile.

Student logs into Staff machine and should go to the guest VLAN. This is going to the staff VLAN instead.

Student logs into Student domain machine. This should go to the student VLAN, but instead is going to Staff VLAN.

 

I have attached a copy of the roles and enforcement configuration.

 

In my enforcement profiles I am only sending the filter ID value back to Aerohive, which is the VLAN ID.

 

Hope you can point me in the right direction.


Contributor I

Re: Aerohive Wireless and Clearpass

Please see attached

Guru Elite

Re: Aerohive Wireless and Clearpass

But you need to use a VLAN enforcement, not filter ID. Filter ID is used to return the group name (optional).

Also, it's generally not recommended to flip VLANs like that.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Aerohive Wireless and Clearpass

Thank you for your response. 

 

I shall change this to a VLAN enforcement. 

Can you confirm if my conditions are fine, i.e. my roles and enforcement for the scenarios I described? Did you see my roles and enforcement attachments?

(Also, I'm not sure if my previous post posted around 5 times. If so, I am sorry, as when I was refreshing the page my new post would disappear.)
