Security

With CPPM Enforce Registration enabled, I cannot seem to get devices that use a PSK network to see each other. Such as an iPad and an AirPrinter. Each device is registered and shared in Clearpass. Each has the user it is to be shared with. I can see the devices when I issue "show airgroup policy-entries" however, I just cannot get the iPad to see the printer. What am I missing? This works fine if I auth on a network with 802.1x with a username that is also in the "Shared with" list. 

 

If I remove the shared with users all-together, the ipad can see the printer but this defeats the purpose. 

 

Access Tracker shows the correct user in the Radius response. 

 

I am sure it is something simple I am overlooking. Thanks in advance!

 

 

You would need to use MAC-authentication on your PSK SSID with some kind of
registration and return back a username in the access accept request.

Thanks Tim.

 

The built-in Airgroup Authorization Service seems to do this already. I see an entry in Access Tracker that matches the MAC address of the iPad and I see the user name in the response. This however does not work. 

 

I did configure the PSK SSID to do MAC Auth. I also attempted to configure another Device MAC Authentication service using the wizard but am unsure how to configure it to send the user name back since this is a MAC-Auth.. it obviously needs to pull it from the Guest Repository but not clear on what to configure. Is there a how-to guide anywhere? I have search the forums with no luck. 

 

 

The AirGroup authorization MAC authentications are only for AirGroup.



Do you require devices connecting to the PSK network to be registered via
the ClearPass Device Registration portal?

Are you sharing it with the role that the PSK device is landing on ?

Get Outlook for iOS

I am sharing it with a user name "Shared with".

My goal is to allow users to register devices and share them with there other devices but not see other users devices If I use a Role, wont this share them with everyone who hits the role?

You would use the “Personal” option in this case which only shares it with the device's owner

 

To return the username, simply create an enforcement profile with the following:

 

Thanks again Tim. 

 

I didnt explain fully. They may share the device with other users, maybe fellow students. 

 

And I was also trying to keep the issue basic.. let me add one more thing...

 

This is a retirement community. We have had help desk technitions register the users devices on there behalf for a while now in preperation of flipping the "enforce registration" switch. So the Sponsor will show the Help Desk technitions name... we dig ourselves a hole here? Any way to get it use the "Shared with" name instead of the SponsorName to allow devices to see one-another?

Honestly, your best bet would be to maybe use the API to correct the registrations. If you add a workaround, the problem is only going to get worse.

 

You could write a quick python script that greps the Shared With field and makes it the sponsor name and changes the registration type to personal. Then in the future, you can enable the sponsor field so the help desk can enter the person's username instead of registering it to themselves.

 

If you want to go ahead with what you have now, you can try returning %{GuestUser:airgroup_shared_user}. I have not tested this but it may work for you. Also, be aware that this will cause problems if more than 1 user is ever specificed.

 

Like I said, it will likely save you more time in the long run to fix the existing entries.

Thanks Tim. I think I may have figured out how the correct user is being passed back without the need to use the SponsorName field. My brain hurts for tonight though! Once I map it out, I will post the details here. 

 

Thanks as always for your help! 

As promised, a follow-up to my "issue" 

 

First, I inherited this configuration hence my lack of understanding. 

 

The goal here is to allow residents to see only there own AirGroup devices by using Clearpass enforcement. 

 

The non-browser capable devices were being registered by a help desk techinition as a Guest Device. They would configure the Device MAC address as well as a list of users to be shared with. The user in this case is explained below.  All these devices would be "Airgroup Servers" such as AirPrint capable printers and Apple TV's. 

 

The browser capable devices are connecting to a PSK network and redirected to a registration Captive Portal. They would enter a username (same as defined on the Guest Device above) in the portal. The portal would create an Entry in the Endpoint Repositry, mark the device as Known and also add a Username entry into the Attributes. These devices would then MAC Trac when connected and an enforcement policy would pass back the Username to the controller. 

 

We now have AirGroup Servers with a list of Users that can Share the device. We also have a list of clients that have a properly mapped username. With these two pieces of information passed from Clearpass to the Controller, they can now use AirGroup properly. We can turn on Clearpass Enforcement and lock them down to their own devices. 

 

The better solution, IMO, is to have the clients use a 802.1x network. This however was not possible for this client and a PSK network was utilized instead.