Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass non dot 1x printer authentication question

  • 1.  ClearPass non dot 1x printer authentication question

    Posted Jul 26, 2015 05:42 AM

    Hi Forum,

    I set up CPPM to work with Juniper EX switches to enforce VLANs. I used the aes.arubanetworks.com solution and it works fine. For printers, I defined a role called 'company printers' and made a role mapping with (Authorization:[Endpoints Repository]:Category EQUALS Printer) -> role name 'company printers'. On my wired enforcement policy I added a rule (Tips:Role EQUALS company printers) with action "printers vlan" to push the printers VLAN back to the EX switch.

    Here is what I'm not sure about:

    In order for a device (printer) to be profiled, it would need to at least request a DHCP address. After that, my role mapping can read the device category and enforce a role. Is this at all true? Without manually adding my printers to the endpoint database, is there any other way to allow a printer to be profiled without allowing it onto the network? Should I allow all devices in (to be profiled) and then enforce my policy?

    Any input is highly appreciated.

    thanks,



  • 2.  RE: ClearPass non dot 1x printer authentication question

    EMPLOYEE
    Posted Jul 26, 2015 09:41 AM
    You would add a rule to the top that says Endpoint Category NOT_EXISTS and return a DACL that only allows DHCP so that devices can be profiled. Be sure the profiler is enabled for the service.


    Thanks,
    Tim


  • 3.  RE: ClearPass non dot 1x printer authentication question

    Posted Jul 26, 2015 03:07 PM

    Thanks Tim,

    I was looking at the profiler on the service and it is asking me to select an action. Should I choose "Juniper session timeout" since I'm working on Juniper switches? And what will that session timeout do?



  • 4.  RE: ClearPass non dot 1x printer authentication question

    Posted Jul 27, 2015 11:56 PM

    Tim,

    So I got the profiler working, but here is the issue that I'm facing:

    Aruba APs connected to the Juniper switches aren't being allowed into the switch. The MAC auth service I created looks at the MAC OUI and would push a VLAN back to the switch, but they aren't passing the check. Any clue on how to get this working?

    (attached screenshot: Screen Shot 2015-07-27 at 8.54.02 PM 1.png)



  • 5.  RE: ClearPass non dot 1x printer authentication question

    EMPLOYEE
    Posted Jul 27, 2015 11:58 PM
    Can you show the authentication request from access tracker?


    Thanks,
    Tim


  • 6.  RE: ClearPass non dot 1x printer authentication question

    Posted Jul 28, 2015 01:08 AM

    Before, it used to give me this error:

    RADIUS[Endpoints Repository] - localhost: User not found.
    MAC_AUTH: No password in request. Not attempting MAC authentication
    Cannot select appropriate authentication method

    So I added EAP-MD5 as an auth method and now it looks like it is working as follows:

    The AP comes in and gets added to the Endpoints DB; it reboots and comes back with an OUI of Aruba Networks, CPPM sends the access points VLAN and Juniper terminates the session; the AP reboots and comes back with OS Family Aruba and Category Access Point, so CPPM sends the AP VLAN to the switch. This is working great per the screen capture below:

    (attached screenshot: Screen Shot 2015-07-27 at 10.02.02 PM.png)

    I would like to ask you: how do I deal with security cameras and printers with static IP addresses? In the above, CPPM is a DHCP helper on the switch and it is able to profile the OS Family and Category. How can I achieve this on statically assigned IP devices?

     



  • 7.  RE: ClearPass non dot 1x printer authentication question

    EMPLOYEE
    Posted Jul 28, 2015 08:20 AM
    You likely need to tell the switch to send the MAC address as the password. You shouldn't have to set up EAP methods for MAC-auth. What version of code are you running on your switches?


    Thanks,
    Tim
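The log line in post 6 ("No password in request. Not attempting MAC authentication") and Tim's answer above come down to what the switch puts in the RADIUS Access-Request. The following is an added Python example, not ClearPass or Junos code and not from any poster: it builds a MAC-RADIUS Access-Request the way a NAS does (MAC as User-Name and, when configured, as the RFC 2865-hidden User-Password), then runs a toy server-side check that reproduces the decision behind that log line. The shared secret, NAS address and MAC are constructed; the Service-Type Call-Check value is what many switches send for MAC auth, and treating a username/password mismatch as a failure is this example's own choice.

```python
"""MAC-RADIUS Access-Request builder and a toy MAC-auth decision (RFC 2865).
Added example for this thread; not ClearPass, Junos or Aruba code."""
import hashlib
import os
import re
import struct

ACCESS_REQUEST = 1
# RADIUS attribute types (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_CALL_CHECK, NAS_PORT_TYPE_ETHERNET = 10, 15
NO_PASSWORD_MSG = "MAC_AUTH: No password in request. Not attempting MAC authentication"


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:1E:12:34:56 / 00-1a-1e-12-34-56 / 001a1e123456; return lowercase, no separators."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; the chaining input is the previous *cipher* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")   # fine for MACs; a real password may legitimately end in NUL


def build_access_request(secret: bytes, mac: str, send_password: bool = True, identifier: int = 1) -> bytes:
    """What a switch doing MAC-RADIUS sends. With send_password=False it mimics a NAS
    that only fills User-Name, which is the case that produced the log line in the thread."""
    mac = normalize_mac(mac)
    authenticator = os.urandom(16)                       # Request Authenticator
    attrs = [
        (USER_NAME, mac.encode()),
        (CALLING_STATION_ID, mac.encode()),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),        # constructed NAS address (TEST-NET-1)
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
    ]
    if send_password:
        attrs.append((USER_PASSWORD, hide_password(secret, authenticator, mac.encode())))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_access_request(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: raw_value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, ident, packet[4:20], attrs


def mac_auth_decision(secret: bytes, packet: bytes) -> str:
    """Toy server-side MAC auth: no User-Password means there is nothing to check,
    so the method is skipped; otherwise the password must equal the username."""
    code, _, authenticator, attrs = parse_access_request(packet)
    if code != ACCESS_REQUEST or USER_NAME not in attrs:
        return "not a usable Access-Request"
    if USER_PASSWORD not in attrs:
        return NO_PASSWORD_MSG
    shown = reveal_password(secret, authenticator, attrs[USER_PASSWORD])
    if shown != attrs[USER_NAME]:
        return "MAC_AUTH: password does not match username"
    return "MAC_AUTH: ok " + normalize_mac(attrs[USER_NAME].decode())


if __name__ == "__main__":
    secret = b"testing123"                               # constructed shared secret
    for with_pw in (True, False):
        pkt = build_access_request(secret, "00:1A:1E:12:34:56", send_password=with_pw)
        print(f"password sent={with_pw}: {mac_auth_decision(secret, pkt)}")
```

Adding EAP-MD5 to the service, as post 6 did, papers over the missing password rather than fixing the request; the fix Tim points at is on the NAS side, so that the Access-Request carries User-Password and the plain [MAC AUTH] method can run.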


  • 8.  RE: ClearPass non dot 1x printer authentication question

    Posted Jul 28, 2015 01:02 PM

    Hi Tim,

     

    The EX switches are running:

    EX4300 : jinstall-ex-4300-13.2X51-D36.1-domestic-signed.tgz

     

    thanks,



  • 9.  RE: ClearPass non dot 1x printer authentication question

    Posted Jul 28, 2015 01:36 PM
    Make sure that the interface is configured this way:
    set protocols dot1x authenticator interface <INTERFACE-NAME> mac-radius

    In ClearPass, add a rule under your enforcement policy so that if the device hasn't been profiled, it returns a dead-end VLAN in which you allow the device to get profiled for a short period of time, and then CoA the device.


  • 10.  RE: ClearPass non dot 1x printer authentication question

    Posted Jul 28, 2015 01:44 PM

    Thanks Victor,

    So far I tested with an Aruba AP and it is working fine, since Aruba APs request DHCP. I will test today with a device that has a static address and see how it goes.

    From your experience, if a device has a static IP, would it still be profiled upon performing MAC auth?



  • 11.  RE: ClearPass non dot 1x printer authentication question

    Posted Sep 12, 2015 01:50 PM

    It might be an issue, as the profiling uses the DHCP information being sent to CPPM. You do have some other profiling options, like SNMP scanning, which might be able to help out.
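The flow the thread converges on (post 2's top-of-policy rule for endpoints whose Category does not exist, post 9's dead-end VLAN followed by CoA, and post 11's point that DHCP-based profiling never sees a statically addressed host) is modelled below as an added Python example. It is not ClearPass code and not from any poster: the fingerprint tables, VLAN names, categories and MAC addresses are constructed for the example, the SNMP path stands in for the SNMP scanning mentioned in the last post, and the OUI-based role mapping from post 4 is left out.

```python
"""Toy model of a ClearPass-style MAC-auth service: endpoints repository,
role mapping on Category, first-match enforcement, profiler, CoA re-auth.
Added example for this thread; not ClearPass code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    mac: str                            # lowercase hex, no separators
    category: Optional[str] = None      # None models "Endpoint Category NOT_EXISTS"
    static_ip: bool = False             # static hosts never produce DHCP for the collector


# Constructed profiler lookups (real ClearPass ships its own fingerprint database)
DHCP_FINGERPRINTS = {"ap-fp": "Access Point", "printer-fp": "Printer"}
SNMP_SYSDESCR = {"Laser Printer": "Printer", "IP Camera": "Camera"}

# Role mapping: Authorization:[Endpoints Repository]:Category EQUALS <value> -> role
ROLE_MAP = {"Printer": "company printers", "Access Point": "access points", "Camera": "cameras"}
UNKNOWN_ROLE = "unknown"

# Enforcement policy: evaluated top-down, first match wins (constructed profile names)
PROFILING = "profiling dead-end VLAN (DHCP and profiling only)"
DENY = "[Deny Access Profile]"
ENFORCEMENT = [
    (lambda ep, role: ep.category is None, PROFILING),   # must stay first, see note in lead-in
    (lambda ep, role: role == "company printers", "printers vlan"),
    (lambda ep, role: role == "access points", "access points vlan"),
    (lambda ep, role: role == "cameras", "cameras vlan"),
]


def mac_auth(repo: Dict[str, Endpoint], mac: str) -> str:
    """One Access-Request: unknown MACs are added to the repository unprofiled,
    the role is derived from Category, and the first matching rule is returned."""
    ep = repo.setdefault(mac, Endpoint(mac))
    role = ROLE_MAP.get(ep.category, UNKNOWN_ROLE) if ep.category else UNKNOWN_ROLE
    for condition, profile in ENFORCEMENT:
        if condition(ep, role):
            return profile
    return DENY


def profile_from_dhcp(repo: Dict[str, Endpoint], mac: str, fingerprint: Optional[str]) -> bool:
    """DHCP collector: only sees hosts that actually send DHCP; returns True if categorised."""
    ep = repo[mac]
    if ep.static_ip or fingerprint is None:
        return False
    ep.category = DHCP_FINGERPRINTS.get(fingerprint)
    return ep.category is not None


def profile_from_snmp(repo: Dict[str, Endpoint], mac: str, sysdescr: Optional[str]) -> bool:
    """Active SNMP scan of the host's IP (static hosts included); returns True if categorised."""
    ep = repo[mac]
    if sysdescr is None:
        return False
    ep.category = SNMP_SYSDESCR.get(sysdescr)
    return ep.category is not None


def onboard(repo: Dict[str, Endpoint], mac: str, dhcp_fp: Optional[str] = None,
            snmp: Optional[str] = None, static_ip: bool = False) -> List[str]:
    """Full sequence for a freshly connected device: first MAC auth, profiling while
    parked in the dead-end VLAN, then CoA (session terminate) and re-auth if the
    profiler learned a category. Returns the enforcement results in order."""
    repo[mac] = Endpoint(mac, static_ip=static_ip)
    history = [mac_auth(repo, mac)]
    profiled = profile_from_dhcp(repo, mac, dhcp_fp) or profile_from_snmp(repo, mac, snmp)
    if profiled:
        history.append(mac_auth(repo, mac))   # the CoA-triggered re-authentication
    return history


if __name__ == "__main__":
    repo: Dict[str, Endpoint] = {}
    print("AP, DHCP client:        ", onboard(repo, "001a1e000001", dhcp_fp="ap-fp"))
    print("printer, DHCP client:   ", onboard(repo, "aabbcc000002", dhcp_fp="printer-fp"))
    print("printer, static IP:     ", onboard(repo, "aabbcc000003", dhcp_fp="printer-fp", static_ip=True))
    print("printer, static + SNMP: ", onboard(repo, "aabbcc000004", static_ip=True, snmp="Laser Printer"))
```

The static-IP printer without an SNMP result stays parked in the dead-end VLAN on every re-auth, which is the situation the last two posts describe: the first rule keeps matching because nothing ever fills in Category. Whatever profiling source you add (SNMP scan, manual category, or an external feed into the Endpoints Repository) has to be able to reach the host while it sits in that VLAN.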