
ClearPass Tips and Tricks: Custom Attributes / Insight Repository / Web-Login (Server-Initiated)

This is an illustration of a recent scenario during the implementation process for one of our customers.

 

Customer Requirements and Solution:

- Use the ClearPass Onguard Persistent Agent as the NAC solution for the following devices:

  • Domain Windows Laptops
  • Non-Domain Windows Laptops
  • Mac OS X

- Distribute the Onguard Persistent Agent based on the device type:

  • Domain Windows Laptops: distribute the Onguard Persistent Agent using a Windows Group Policy (GPO)
  • Non-Domain Windows Laptops and Mac OS X: redirect the user to a Captive Portal page to download the Onguard Agent

- Allow users with Non-Domain devices to bypass the Captive Portal page (and the Onguard Agent download) and receive Internet Only access

 

Software Requirements:

- ClearPass:

  • Policy Manager License
  • Guest Module License
  • Onguard Module License
  • Version 6.3.6.x and Up

- Aruba Controller

  • Version 6.4.2.1 and up
  • Aruba Policy Enforcement Firewall License

To accomplish this I will use the following ClearPass features:

  • Endpoint Database (Custom Attributes) 
  • Post Authentication Enforcement Profile 
  • Insight Repository (Successful-Login-Count)
  • Web-Login (Server-Initiated)

FLOWCHART:

              Visio-Flowchart.png

Note: This flowchart only covers the logic for the Agent Bypass configuration.

 

CLEARPASS CONFIGURATION

 

1 - Endpoint Custom Attributes

We can use custom attributes to tag devices and then use that tag to make a decision in the enforcement policy.

1.1 - Create the attribute BYPASS-ATTR, which will be used to tag the device if the user decides to bypass and not download the Onguard Agent.

 

Creating Custom Attribute.png

 

2 - Post Authentication Enforcement Profile

The post authentication enforcement profile allows us to make updates to certain devices, in this case in the endpoint database. We will create two post-auth enforcement profiles:

 

2.1 - The BYPASS-ATTR-UPDATE profile will set BYPASS-ATTR=Yes on the device during the WEBAUTH when the user bypasses the installation of the Onguard Agent.

Post Auth Profile - Bypass Attr - Yes.png

 

2.2 - The NO-BYPASS-ATTR-UPDATE profile will set BYPASS-ATTR=No the first time the device connects after 12AM; at that point the user will be redirected to download the Onguard Agent.

Post Auth Profile - Bypass Attr - No.png

 

3 - Web Login Page

This will be the page we will use to redirect the users to download the persistent Onguard Agent.

3.1 - Create a Web Login Page with the following:

  • Server-Initiated login method: the web authentication will be processed by the ClearPass server, but for this to work the MAC address of the device needs to be included in the browser request
  • Anonymous Login (creates a Guest Account with no limits)
  • The page will present which Onguard Agent to install based on the device OS (Mac or Windows)
  • Custom button "EXTERNAL"
  • Assign a Login Delay of 25 seconds to give time for the CoA, the post-auth attribute that is added during the WEBAUTH service, and the 802.1X reauth to occur

weblogin page 1.png

weblogin page 2.png

 weblogin page 3.png

weblogin page 4.png

Note: Once the Web Login is created, the guest account will show up in the guest user repository; make sure that this account does not get deleted.

Guest Account.png

 

4 - Web Auth Service

The web auth service will be used to do the following:

  • Perform a successful authentication using the Anonymous Guest Account
  • Tag the device with the BYPASS-ATTR-UPDATE profile (BYPASS-ATTR=Yes)
  • Perform a CoA

4.1 - First we need to define the Guest User Repository as the Authentication Source and also use it as an Authorization Source.

web auth service 2.png

 

web auth service 3.png

 

4.2 - In the WEBAUTH Role Mapping we will label the Anonymous Guest Account with the tips role BYPASS-ROLE (this portion is OPTIONAL). I used this method because it makes troubleshooting in Access Tracker easier and helps determine what logic should be applied based on the label.

web auth role maping.png

4.3 - Use the tips role BYPASS-ROLE as the condition to apply the Post Auth Enforcement Profile and the CoA.

web auth enforcement policy.png

 

5 - 802.1x Auth Service

The 802.1x Auth Service will be used for the following purposes:

  • Authenticate 802.1x-capable devices and provide access based on the posture and type of device.
  • Redirect a NON-Domain device (Windows/Mac OSX) to download the agent if it has an "UNKNOWN" posture and is connecting to the wireless network for the first time since 12AM.
  • Provide Internet Only access if the device bypassed the Onguard Agent page and has connected more than once since 12AM.

5.1 - The PERSISTENT-ONGUARD-PROFILE RADIUS enforcement profile will be used to send back to the controller the Aruba-User-Role = PERSISTENT-ONGUARD-CP-ROLE; this controller role will redirect the user to the Onguard Agent Download Page.

onguard-role.png

 

5.2 - The INTERNET-ACCESS-PROFILE RADIUS enforcement profile will be used to send back to the controller the Aruba-User-Role = INTERNET-ACCESS-ROLE; this controller role will be used for users that bypass the Onguard Agent download page.

internet only enforcement profile.png

 

5.3 - The 802.1x Role Mapping will be used for the following purposes:

  • Label the device with a Successful-Login-Count ≤ 1 with the FIRST-LOGIN-PAST-12AM tips role
  • Label the device with a Successful-Login-Count ≥ 2 with the NON-FIRST-LOGIN-PAST-12AM tips role
  • Label the device tagged with the BYPASS-ATTR = Yes with the BYPASS-ROLE tips role

Role Mapping.png

5.4 - The 802.1x Enforcement Policy uses the following logic:

  • Third Rule: A brand new NON-Domain computer (Windows or Mac OSX) with an "UNKNOWN" posture will be redirected to the Onguard Agent Download Page.
  • First Rule: If the user decides to bypass the Onguard Agent Download Page, the user will get the Internet Only access user-role.
  • Second Rule: When a user connects with a device tagged BYPASS-ATTR=Yes, comes back and authenticates for the first time after 12AM, the device will be redirected to the Onguard Agent Download Page.

 

802.1x enforcement policy.png
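To make the interplay between the 5.3 role mapping and the 5.4 first-match enforcement rules concrete, here is an added Python model of that logic (my own illustration, not ClearPass code and not from the original post). The exact rule conditions, the Request fields and the ALLOW-ACCESS-PROFILE default are assumptions reconstructed from the description above.

```python
from dataclasses import dataclass

# Tips roles and enforcement profiles named in the post.
FIRST_LOGIN, NON_FIRST_LOGIN = "FIRST-LOGIN-PAST-12AM", "NON-FIRST-LOGIN-PAST-12AM"
BYPASS_ROLE = "BYPASS-ROLE"
ONGUARD_PROFILE, INTERNET_PROFILE = "PERSISTENT-ONGUARD-PROFILE", "INTERNET-ACCESS-PROFILE"
NO_BYPASS_UPDATE = "NO-BYPASS-ATTR-UPDATE"
DEFAULT_PROFILE = "ALLOW-ACCESS-PROFILE"  # hypothetical default, not named in the post

@dataclass
class Request:
    """One 802.1X request as the service sees it (constructed sample)."""
    domain_member: bool          # domain laptop: agent arrives via GPO, never redirected
    posture: str                 # OnGuard posture token; "UNKNOWN" when no agent reports
    successful_login_count: int  # Insight Successful-Login-Count, resets at 12AM
    bypass_attr: str = ""        # endpoint custom attribute BYPASS-ATTR: "Yes"/"No"/unset

def role_mapping(req):
    """5.3: tips roles derived from the login count and the BYPASS-ATTR tag."""
    roles = {FIRST_LOGIN if req.successful_login_count <= 1 else NON_FIRST_LOGIN}
    if req.bypass_attr == "Yes":
        roles.add(BYPASS_ROLE)
    return roles

def enforcement_policy(req):
    """5.4: first-match rules; the returned list is the set of enforcement profiles."""
    roles = role_mapping(req)
    if BYPASS_ROLE in roles and NON_FIRST_LOGIN in roles:   # first rule: Internet only
        return [INTERNET_PROFILE]
    if BYPASS_ROLE in roles and FIRST_LOGIN in roles:       # second rule: redirect, clear tag
        return [ONGUARD_PROFILE, NO_BYPASS_UPDATE]
    if not req.domain_member and req.posture == "UNKNOWN":  # third rule: new non-domain device
        return [ONGUARD_PROFILE]
    return [DEFAULT_PROFILE]

def walk_scenario():
    """Replays section 6 for one non-domain Mac with no agent (constructed)."""
    endpoint = {"BYPASS-ATTR": ""}
    outcomes = []
    def auth(count):
        result = enforcement_policy(Request(False, "UNKNOWN", count, endpoint["BYPASS-ATTR"]))
        if NO_BYPASS_UPDATE in result:      # post-auth profile rewrites the endpoint tag
            endpoint["BYPASS-ATTR"] = "No"
        outcomes.append(result[0])
    auth(1)                          # 6.1: first 802.1X of the day -> redirect to download page
    endpoint["BYPASS-ATTR"] = "Yes"  # 6.3: EXTERNAL click, WEBAUTH applies BYPASS-ATTR-UPDATE
    auth(2)                          # 6.4: CoA-triggered reauth -> Internet only
    auth(1)                          # next day: count is 1 again -> redirect, tag reset to No
    return outcomes, endpoint["BYPASS-ATTR"]
```

Because the policy is first-match, the Internet Only rule has to sit above the redirect rules; otherwise a device that already bypassed would be redirected again on every CoA-triggered reauth. The day-boundary behaviour depends entirely on Insight's Successful-Login-Count, so Insight must be enabled on the server for this design to work.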

 

6 - Validation

6.1 - A brand new NON-Domain computer (Windows or Mac OSX) performs an 802.1x authentication; because it has an "UNKNOWN" posture, it is redirected to the Onguard Agent Download Page.

2015-02-26 22_19_20-successful authentications.png

802.1x access tracker-1.png

 802.1x access tracker successful login count=1.png

 

6.2 - The user is presented with the Web-Login (Server-Initiated) / Onguard Agent Download Page.

2015-02-26 13_31_23-Login.png

 

6.3 - Once the user clicks the "EXTERNAL ACCESS" button, the WEBAUTH is initiated with the Anonymous Login using Guest Account 72306207. There is also a 25-second delay added to the Web Login so there is enough time for the whole process to complete.

2015-02-26 22_23_20-successful authentications.png

2015-02-26 13_31_52-https___192.168.1.100_guest_download_agent_page.php__browser=1.png

 

6.3.1 - Here is a closer look at some of the details of the WEBAUTH request from the Summary tab.

webauth authenticatication.png

 

6.4 - When the device tagged BYPASS-ATTR=Yes performs the 802.1x reauth, it receives the Internet Access Only user-role.

2015-02-26 22_40_30-successful authentications.png

802.1x auth - Internet Only.png

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA