Occasional Contributor I

Clearpass Endpoint Whitelisting

Hi Guys, could you help me with the below question?

How do I create a wireless 802.1X policy for the following: authenticate the user against AD, whitelist profiled devices, and deny everything else?

Is this possible?
If so, how do I do it?

Regards

Jack 

Occasional Contributor I

Re: Clearpass Endpoint Whitelisting

Sure, add the Endpoints Repository as an authorization source and have your Enforcement policy use conditions from it.

[attachment: exampleCapture.JPG]

Occasional Contributor I

Re: Clearpass Endpoint Whitelisting

Thanks for a quick response

Here is what I've configured so far. However, as per the picture below and from my understanding, when I authenticate with the Contractor account ClearPass should apply the Deny Access Profile because the Endpoint Status is Unknown.

Unfortunately the Contractor can still connect and I cannot block it by applying the configuration below?

[attachment: Screen Shot 2018-04-16 at 22.04.12.png]

Occasional Contributor I

Re: Clearpass Endpoint Whitelisting

IsProfiled is not the same as Status=Known.

So the device could be profiled but not known. This would not match the first two rules and would move down to the Contractor rule at 5. Enforcement Policies only allow Match ALL for conditions; they don't allow you to create rules that Match ANY. For that, you need to use Role Mapping to give it a role, then use Tips:Role in your Enforcement Policy to give it [Deny Access Profile].

Occasional Contributor I

Re: Clearpass Endpoint Whitelisting

Thanks for a quick reply again :)

What I'm trying to do is to have a control (e.g. a switch button) to trigger either allowed endpoints or denied endpoints by switching between Known and Unknown status.

For example, if I'm a Network Admin and I've got a contractor coming with his own device, I want to be able to either approve his device by selecting Known endpoint status, or decline and not approve it by selecting Unknown status.

Can I do all of the above by using Role Mapping and Enforcement Policy?

Also, do you know how to force a policy refresh in ClearPass?

Please see the picture below. Very simple policy, right? :)

Everything works when the endpoint is in Known status; however, when I change it to Unknown and reconnect the client, I can still connect even though I've changed the status to Unknown.

To retrigger the status change and sync with the policy I have to forget the connection and reauthenticate.

Are there any ways to make those changes on the fly, so that when I change the endpoint status it will immediately sync with the policy?

[attachment: Screen Shot 2018-04-16 at 22.46.23.png]

Aruba Employee

Re: Clearpass Endpoint Whitelisting

Hi,

The endpoint repository has a 300-second (5 minute) cache timeout for the authorization data. If you reconnect the device within 5 minutes after changing the status to Unknown, the change will not be reflected during policy evaluation, as the policy server takes the data from the cache.

[attachment: Endpoint_cache.png]

You can reduce the cache timeout further, or set it to 0 to disable the cache. Disabling the cache will make ClearPass query the endpoint table for every authentication, so Status = Unknown can be read immediately after the change.

Thank you,
Saravanan Rajagopal

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
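The cache behaviour described above, as an added Python model (not ClearPass code): a constructed endpoint table sits behind an authorization source with a TTL, and a Match-ALL rule requires an authenticated AD user and Endpoint Status = Known. It replays the thread's scenario with the 300 s default and with the cache disabled; the MAC address, timings and class names are constructed assumptions.

```python
import time

ALLOW, DENY = "Allow Access", "Deny Access Profile"


class EndpointRepository:
    """Constructed stand-in for the Endpoints Repository table (mac -> status)."""
    def __init__(self):
        self.table = {}

    def set_status(self, mac, status):
        self.table[mac] = status          # "Known" or "Unknown", set by the admin

    def lookup(self, mac):
        return self.table.get(mac, "Unknown")   # unseen devices are Unknown


class CachedAuthzSource:
    """Authorization source with a per-endpoint cache TTL in seconds.
    ttl=300 models the default described in the thread; ttl=0 disables the cache."""
    def __init__(self, repo, ttl=300, clock=time.monotonic):
        self.repo, self.ttl, self.clock = repo, ttl, clock
        self.cache = {}                   # mac -> (status, fetched_at)

    def status(self, mac):
        now = self.clock()
        hit = self.cache.get(mac)
        if self.ttl > 0 and hit and now - hit[1] < self.ttl:
            return hit[0]                 # cached (possibly stale) value is used
        fresh = self.repo.lookup(mac)
        self.cache[mac] = (fresh, now)
        return fresh


def enforce(source, mac, ad_user_ok):
    """Match-ALL rule: AD user authenticated AND Endpoint:Status == Known -> allow."""
    if ad_user_ok and source.status(mac) == "Known":
        return ALLOW
    return DENY


def replay(ttl):
    """Approve device, connect, revoke approval, reconnect after 1 min, then after the TTL."""
    t = [0.0]                                     # fake clock, seconds
    repo = EndpointRepository()
    src = CachedAuthzSource(repo, ttl=ttl, clock=lambda: t[0])
    mac = "00-11-22-33-44-55"                     # constructed contractor device
    repo.set_status(mac, "Known")
    first = enforce(src, mac, True)               # admin approved: allowed
    repo.set_status(mac, "Unknown")               # admin revokes approval
    t[0] += 60.0
    second = enforce(src, mac, True)              # reconnect within the cache window
    t[0] += 300.0
    third = enforce(src, mac, True)               # reconnect after the cache expires
    return first, second, third
```

With the default TTL the revoked device is still allowed on the first reconnect; with ttl=0 the deny takes effect immediately.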
Occasional Contributor I

Re: Clearpass Endpoint Whitelisting

Hi There

This is exactly what I've been looking for :)

I'll accept this as a solution; however, there is one more thing.

Do you know how to trigger the Known or Unknown state by going through the onboarding process?

I just created an Enforcement Profile (if endpoints are Unknown then deny access). This works very well, thanks to your advice.

What I want to do now is to automate this process so every onboarded device triggers the status change to Known after onboarding is completed. I've tried the Update Endpoint Status enforcement on the Onboarding Service but the status doesn't change.

Many Thanks

Jack

Aruba Employee

Re: Clearpass Endpoint Whitelisting

Hi,

The application-based authorization method (App Authentication) for OnBoard Pre-Auth/Authorization would not populate the MAC address as the end-host identifier, so updating the MAC address as Known may not be possible.

You can try the Authorization Method "RADIUS" under Provisioning Settings and update the endpoint status to Known during the OnBoard Pre-Auth/Authorization. But you need to create a RADIUS service for this, and also ensure the redirection to the onboard page contains the client MAC address in the URL (which is expected with L3 redirections).

Thank you,
Saravanan Rajagopal
