Cisco VPN - iPad - endpoint check

I'd like to allow iPads to connect to Cisco VPN using EAP-PEAP.  To keep non-corporate devices from connecting by using their credentials, I'd like to confirm some of the endpoint details.  Problem is, the wifi MAC is not sent in the RADIUS message, so the endpoint attributes are not shown.  I need to figure out how to identify the iPad when it connects so I can allow/disallow it.

 

One thing I noticed is that the UDID of the iPad is sent as a Cisco AV Pair attribute.  I'm wondering if I could somehow leverage this.  The endpoint repository already has this attribute since ClearPass syncs with the devices' MDM server.  Is there any way to take the AV Pair attribute from the request, search for it in the endpoint repository, and then confirm that device is enrolled in MDM?

 

Other ideas are welcome.  Thank you.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite

Re: Cisco VPN - iPad - endpoint check

I don't have any way to test this, but here is my stab:

 

Try creating a custom authentication source that checks the Endpoints Repository:

 

compnerd-vpn.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Cisco VPN - iPad - endpoint check

Man, that looks like it would do the trick.  I'm away from the office until Monday, but will give it a shot then.  Will report back. Thanks Tim!


Re: Cisco VPN - iPad - endpoint check

Was I supposed to create a local SQL authentication source that mirrors the Endpoint Repository and copy/paste this in there?  If so, I'm getting an error about syntax being incorrect.  The other issue is the Cisco-AVPair from the VPN requests contains "mdm-tlv=device-uid=", with the UDID following.  So I need the filter to see if it contains the UDID, not a complete match.  Any thoughts?


Thanks!

Guru Elite

Re: Cisco VPN - iPad - endpoint check

Ah. We can't do authentication because you're doing an authorization. The attribute name doesn't matter (and probably should be called corpmacaddr), but just be sure to change it in the query.

 

Try this:

 

jay-ciscovpn-1.PNG

 

jay-ciscovpn-3.PNG

 

Then in your enforcement, just see if that attribute EXISTS.

 

jay-ciscovpn-4.PNG



Re: Cisco VPN - iPad - endpoint check

Thanks Tim.  We're getting closer, but having an issue with the filter:

 

WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =SELECT mac_address as corpudid FROM tips_endpoints WHERE '%{Radius:Cisco:Cisco-AVPair}' = 'mdm-tlv=device-uid=%{Endpoint:Device UDID}', error=No values for param=Endpoint:Device UDID
ERROR ExtDB.DBQuery - execute: Failed to construct filter=SELECT mac_address as corpudid FROM tips_endpoints WHERE '%{Radius:Cisco:Cisco-AVPair}' = 'mdm-tlv=device-uid=%{Endpoint:Device UDID}'
ERROR ExtDB.DBQuery - Failed to get value for attributes=Corp-UDID]

 

I take it that the "Endpoint:Device UDID" portion is incorrect?  I tried other things like "Endpoint:Device-udid" and "Endpoint:UDID" but get the same result.  Is there some way to examine the tips db to determine what the actual parameter is?

Guru Elite

Re: Cisco VPN - iPad - endpoint check

Can you look at a client in the Endpoints Repository and see what attribute is listed on the attributes tab?


Re: Cisco VPN - iPad - endpoint check

"UDID"

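The matching logic the thread converges on, as an added Python example that is not ClearPass code or Tim's configuration: pull the UDID out of the `mdm-tlv=device-uid=` AV pair first (rather than comparing against an `Endpoint:` attribute that has no value at authorization time), then look it up in the endpoint records so that a Corp-UDID value is returned only for a device the MDM sync knows. The endpoint list, MAC addresses and UDIDs are constructed sample data, and the record layout is a stand-in for the real Endpoints Repository schema.

```python
import re
from typing import Iterable, Optional

# Constructed stand-in for the ClearPass Endpoints Repository: each record carries
# the MAC plus the attributes the MDM sync populates. The last reply in the thread
# reports the attribute name as "UDID". All values below are made-up sample data.
ENDPOINTS = [
    {"mac_address": "a1b2c3d4e5f6",
     "attributes": {"UDID": "00008030-001A2B3C4D5E6F00"}},
    {"mac_address": "0a1b2c3d4e5f",
     "attributes": {"UDID": "1234567890abcdef1234567890abcdef12345678"}},
    {"mac_address": "ffeeddccbbaa", "attributes": {}},  # never seen by MDM, no UDID
]

# The VPN request carries the device identity as a Cisco-AVPair of the form
# "mdm-tlv=device-uid=<UDID>". Other mdm-tlv keys may be present in the same request,
# so match the key explicitly instead of testing whether the string "contains" something.
_DEVICE_UID = re.compile(r"^mdm-tlv=device-uid=([0-9A-Fa-f-]+)$")


def extract_udid(av_pairs: Iterable[str]) -> Optional[str]:
    """Return the UDID from the device-uid TLV, or None if the request has none."""
    for pair in av_pairs:
        m = _DEVICE_UID.match(pair.strip())
        if m:
            # Normalise case so the comparison does not depend on how the MDM stored it.
            return m.group(1).upper()
    return None


def corp_udid(av_pairs: Iterable[str], endpoints=ENDPOINTS) -> Optional[str]:
    """Mirror the authorization-source filter: return the enrolled endpoint's MAC as
    the Corp-UDID attribute only when the request's UDID matches a known endpoint.
    Enforcement then only has to test whether Corp-UDID EXISTS."""
    udid = extract_udid(av_pairs)
    if udid is None:
        return None  # no device-uid TLV at all: not an MDM-managed client
    for ep in endpoints:
        stored = ep["attributes"].get("UDID")
        if stored and stored.upper() == udid:
            return ep["mac_address"]
    return None  # UDID present but unknown to the MDM sync: deny
```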