MVP
Posts: 111
Registered: ‎01-27-2016

AirGroup - Enforce registration

With CPPM Enforce Registration enabled, I cannot seem to get devices that use a PSK network to see each other, such as an iPad and an AirPrinter. Each device is registered and shared in ClearPass. Each has the user it is to be shared with. I can see the devices when I issue "show airgroup policy-entries"; however, I just cannot get the iPad to see the printer. What am I missing? This works fine if I auth on a network with 802.1x with a username that is also in the "Shared with" list.

 

If I remove the shared with users altogether, the iPad can see the printer but this defeats the purpose.

 

Access Tracker shows the correct user in the Radius response. 

 

I am sure it is something simple I am overlooking. Thanks in advance!

 

 

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: AirGroup - Enforce registration

You would need to use MAC-authentication on your PSK SSID with some kind of
registration and return back a username in the access accept request.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 111
Registered: ‎01-27-2016

Re: AirGroup - Enforce registration

Thanks Tim.

 

The built-in AirGroup Authorization Service seems to do this already. I see an entry in Access Tracker that matches the MAC address of the iPad and I see the user name in the response. This, however, does not work.

 

I did configure the PSK SSID to do MAC Auth. I also attempted to configure another Device MAC Authentication service using the wizard but am unsure how to configure it to send the user name back since this is a MAC-Auth. It obviously needs to pull it from the Guest Repository but I am not clear on what to configure. Is there a how-to guide anywhere? I have searched the forums with no luck.

 

 

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: AirGroup - Enforce registration

The AirGroup authorization MAC authentications are only for AirGroup.



Do you require devices connecting to the PSK network to be registered via
the ClearPass Device Registration portal?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,232
Registered: ‎07-20-2011

Re: AirGroup - Enforce registration

Are you sharing it with the role that the PSK device is landing on?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 111
Registered: ‎01-27-2016

Re: AirGroup - Enforce registration

I am sharing it with a user name "Shared with".

My goal is to allow users to register devices and share them with their other devices but not see other users' devices. If I use a Role, won't this share them with everyone who hits the role?

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: AirGroup - Enforce registration

You would use the “Personal” option in this case, which only shares it with the device's owner.

 

To return the username, simply create an enforcement profile with the following:

 

[Image attachment: radius-return-sponsor-name.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 111
Registered: ‎01-27-2016

Re: AirGroup - Enforce registration

Thanks again Tim. 

 

I didn't explain fully. They may share the device with other users, maybe fellow students.

 

And I was also trying to keep the issue basic.. let me add one more thing...

 

This is a retirement community. We have had help desk technicians register the users' devices on their behalf for a while now in preparation for flipping the "enforce registration" switch. So the Sponsor will show the Help Desk technician's name... did we dig ourselves a hole here? Any way to get it to use the "Shared with" name instead of the SponsorName to allow devices to see one another?

Guru Elite
Posts: 8,330
Registered: ‎09-08-2010

Re: AirGroup - Enforce registration

Honestly, your best bet would be to maybe use the API to correct the registrations. If you add a workaround, the problem is only going to get worse.

 

You could write a quick python script that greps the Shared With field and makes it the sponsor name and changes the registration type to personal. Then in the future, you can enable the sponsor field so the help desk can enter the person's username instead of registering it to themselves.

 

If you want to go ahead with what you have now, you can try returning %{GuestUser:airgroup_shared_user}. I have not tested this but it may work for you. Also, be aware that this will cause problems if more than 1 user is ever specified.

 

Like I said, it will likely save you more time in the long run to fix the existing entries.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
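The cleanup suggested in the post above, sketched as an added example that is not part of the original post or ClearPass's own code. It works offline on exported registration records and only plans the changes. It assumes that `airgroup_shared_user` (the name used in the thread) holds a comma-separated list, and that `mac`, `sponsor_name`, `registration_type` and the help desk account names are hypothetical field names and sample values.

```python
# Plan sponsor corrections from exported device registrations (offline).
# airgroup_shared_user comes from the thread; mac, sponsor_name and
# registration_type are assumed field names for this sketch.
HELPDESK = {"hd.tech1", "hd.tech2"}  # constructed help desk accounts


def split_users(value):
    """Split a comma-separated Shared With value into usernames."""
    return [u.strip() for u in (value or "").split(",") if u.strip()]


def plan_fix(record, helpdesk=HELPDESK):
    """Return (action, changes) for one registration record."""
    if record.get("sponsor_name") not in helpdesk:
        return "skip", {}  # already registered to an end user
    shared = split_users(record.get("airgroup_shared_user"))
    if len(shared) != 1:
        # No name, or several: the owner is ambiguous, so a person decides.
        return "review", {}
    return "update", {"sponsor_name": shared[0],
                      "registration_type": "personal"}


def plan_all(records):
    """Group records by planned action, keyed by MAC address."""
    plan = {"update": {}, "review": [], "skip": []}
    for rec in records:
        action, changes = plan_fix(rec)
        if action == "update":
            plan["update"][rec["mac"]] = changes
        else:
            plan[action].append(rec["mac"])
    return plan


# Constructed sample export, not real data.
SAMPLE = [
    {"mac": "AA-BB-CC-00-00-01", "sponsor_name": "hd.tech1",
     "airgroup_shared_user": "resident12"},
    {"mac": "AA-BB-CC-00-00-02", "sponsor_name": "hd.tech2",
     "airgroup_shared_user": "resident12, resident40"},
    {"mac": "AA-BB-CC-00-00-03", "sponsor_name": "resident07",
     "airgroup_shared_user": "resident07"},
    {"mac": "AA-BB-CC-00-00-04", "sponsor_name": "hd.tech1",
     "airgroup_shared_user": ""},
]

if __name__ == "__main__":
    for action, items in plan_all(SAMPLE).items():
        print(action, items)
```

Records with zero or several Shared With names land in the review list, because picking one owner automatically would change which users can see the device.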
MVP
Posts: 111
Registered: ‎01-27-2016

Re: AirGroup - Enforce registration

Thanks Tim. I think I may have figured out how the correct user is being passed back without the need to use the SponsorName field. My brain hurts for tonight though! Once I map it out, I will post the details here. 

 

Thanks as always for your help! 
