Contributor II
Posts: 48
Registered: ‎01-07-2013

Assigning roles to devices

Hi

 

We deliver a service with wireless network and authentication based on Aruba Instant and ClearPass to franchise companies.

ClearPass, Active Directory and common application servers are placed in a central network.

 

Franchise devices need to have different roles depending on the usage in the local store.

Device type "A" should only be able to access the internet and printers on the local LAN.

Device type "B" should have access to all resources on the local LAN and also in the shared services network.

Only devices of these two types should be allowed to connect. Unclassified devices should be rejected.

Devices authenticate with username and password. Depending on the device type, access rights should differ. Devices are not members of AD, and devices can be iOS, Android, etc.

 

Defining roles with different firewall rules in IAP with ClearPass is easy.

 

My question is:
What would be the most convenient way of letting the local device administrator at each store assign a device as type "A" or "B"?

I don't want to give these persons access to edit attributes in the Endpoints table, because it's not possible to filter out only "his" devices.

 

OnBoard with different profiles would solve this, but the cost for OnBoard is too high for this customer...

 

Any ideas on how to solve this are appreciated.

 

Thanks

Jonas

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Assigning roles to devices

You could use the Device Registration feature in ClearPass Guest to allow the users to register a MAC address into a certain role.

Even though this lives in guest, it does not require guest licenses.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: Assigning roles to devices

Will this implementation limit the device to doing MAC authentication?

Or can I do username and password authentication and pick the role from the device entry in the Guest Device Repository during authentication?

Otherwise I agree this is a good solution that will allow the local staff to add, edit and remove devices.

 

Regards

Jonas

Guru Elite
Posts: 8,641
Registered: ‎09-08-2010

Re: Assigning roles to devices

You could continue to do 802.1X authentication and use the MAC registration for authorization.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: Assigning roles to devices

So, how do I implement this?

Will the device always get the assigned role during logon, or do I need to configure role mappings to get this?

If the device always gets the assigned role, it's an easy task to pick this in the enforcement policy and return the correct role attribute to the IAP.

 

Regards

Jonas

Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: Assigning roles to devices

Hi

 

I have added the device as a Guest device and assigned the role Contractor.

In the authentication service I have added the Guest Device Repository as an authorization source.

In the Guest Device Repository authentication source I tried to add a new attribute, role_name.

But I don't get that information in Event Tracker when the client connects.

 

Have I missed some essential steps?

 

Regards

Jonas

MVP
Posts: 226
Registered: ‎03-03-2011

Re: Assigning roles to devices

You should be able to use the role_id field, which has an integer value that maps to a ClearPass Guest role as defined in the [Guest Roles] role mapping policy. By default [Contractor] is 1.

 

If you amend the authentication source, you should be able to add the role_id attribute and then use this to determine the role.

David
ACDX #98 | ACMP | ACCP
Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: Assigning roles to devices

Hi

 

I have tried to add the attribute, but I don't get the expected result.

Under Authorization attributes in Action Tracker I can only see the default attributes for the Guest Device Repository.

In the authentication source definition I have made the modifications according to the attached screenshot.

See attached pictures.

The Filter Query string has not been edited at all. Do I need to edit this?

 

Regards

Jonas

MVP
Posts: 226
Registered: ‎03-03-2011

Re: Assigning roles to devices

Yes, the filter string would need to be amended to extract the role_id attribute as well:

 

SELECT user_credential(password) AS User_Password,
CASE WHEN enabled = FALSE THEN 225
WHEN ((expire_time is not null AND expire_time <= now())) THEN 226
ELSE 0
END AS Account_Status,
sponsor_name, role_id
FROM tips_guest_users
WHERE ((guest_type = 'DEVICE') AND (user_id = UPPER('%{Connection:Client-Mac-Address-Hyphen}')))

David
ACDX #98 | ACMP | ACCP
Contributor II
Posts: 48
Registered: ‎01-07-2013

Re: Assigning roles to devices

Hi

 

I tried the SQL query you sent, but I get this error message when I save:

The filter has been saved but has the following error:
Invalid SQL syntax - ERROR: column "role_id" does not exist Position: 238

Do you have any advice on how to proceed?

Regards

Jonas
