Security

Aruba
Posts: 1,296
Registered: ‎08-29-2007

Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC


NOTE: This solution has been superseded. Please refer to here for a simpler and more recent solution.

 


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Contributor II
Posts: 48
Registered: ‎05-14-2012

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Thank you.

New Contributor
Posts: 1
Registered: ‎08-04-2014

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Great article mate, I was just discussing this requirement with a customer the other day!
Community Administrator
Posts: 2,276
Registered: ‎12-03-2013

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Wow! First day of the contest, you must have been sitting waiting to pull the trigger on your tutorial.

 

Really great document.

CWNA, ACMP, Security +
New Contributor
Posts: 1
Registered: ‎03-18-2013

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Can't seem to download the PDF...

 

Thanks!

Occasional Contributor I
Posts: 6
Registered: ‎07-14-2013

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Michael

I am attempting an iteration of this where I have added an onsite sponsor using sponsors email address. My issue is the logic used in the Guest MAC Auth enforcement policy. I'm very new to Clearpass but do understand conditions rules methodology.

 

Extract from the PDF file

Guest Mac Auth enforcment.jpg

The first condition tests Tips:Role as equal to demo-Unsponsored and it also equals demo-sponsored and it doesn't equal demo-expired.

Surely it can never equal two different values so this test will never be true.

 

Conditions 2, 3 and 4 also have additional tests that would be superfluous.

 

Did you mean to test Tips:Role for each of these?

 

In your policy conditions:

Condition 1: Non-Expired, Sponsored & Unknown Device – first MAC Authentication after sponsorship.
Note: Originally the role evaluation was set to ‘Evaluate-all’, but now set to ‘First-applicable’ so this rule
will probably never be hit, but has been left in.
Update Endpoint Known and change attribute in Endpoint DB, RoleID=5
Send Aruba-User-Role=demo-sponsored.
Send session-timeout= %{Authorization:demo MAC-Guest-Check:MAC-Expires}
Username = %{Endpoint:Username}

 

Condition 2: Non-Expired, sponsored & Unknown device – Guest account that has been
sponsored by a different device. This is not likely with a short Preauth session, but for longer
sessions, this may be relevant. Basically, the account is validated with a different device on a
different network (requires Clearpass is accessible, typically over internet). The original device
connects, but it is still Unknown. Alternatively, this is the first mac-auth after sponsorship.
Update Endpoint Known and change attribute in Endpoint DB, RoleID=5
Send Aruba-User-Role=demo-sponsored.
Send session-timeout= demo sponsored session timeout (4 hours)
Username = %{Endpoint:Username}

 

The tests seem to be for the same thing. Surely you would need to find something that would be different between the two that could be tested for that would make one test true and the other false.

 

Are my assumptions correct, and can someone suggest alternative tests?

 

Thanks in advance guys

Wayne

Aruba
Posts: 1,296
Registered: ‎08-29-2007

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Condition 1 can probably be removed as I said. The solution changed over time, but I just left that rule in.

 

Condition 2 will be hit if the account logs in with an unknown device. Basically, the user registers with one device but then confirms the email with a different device. Since the act of confirming the email does not trigger a CoA, this will also be hit for the first mac-auth after sponsorship.



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Occasional Contributor I
Posts: 6
Registered: ‎07-14-2013

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Thank you for replying Michael.

 

My questioning this setup wasn't what it was achieving but how it was achieving it. I couldn't grasp how testing the Tips:roles to see if it equals demo-Unsponsored and also equal demo-sponsored would work. When Tips:roles equals demo-sponsored then it can't equal demo-Unsponsored so this test can never have a true answer.

Surely when using the AND statement you need to be testing different fields.

 

My thoughts would be that the correct test for 2, 3 and 4 would be:

 

2. (Tips:Role EQUALS demo-Sponsored)
   AND (Authorization:[Endpoints Repository]:Status EQUALS Unknown)

3. (Tips:Role EQUALS demo-Sponsored)
   AND (Authorization:[Endpoints Repository]:Status EQUALS Known)

4. (Tips:Role EQUALS demo-PreAuth)

 

Would this be a correct assumption?

 

At the moment I don't know the Wireless and Clearpass technologies that well, so I struggle to understand the sequences. The other thing I am trying to come to terms with is the databases. How many are there? I suspected 3 reading your design (Insight, Local SQL and demo MAC-Guest check [Generic SQL]), but later comments about the endpoint database etc. mean I am now unsure how many databases are in use. The other thing I think I might have picked up now is how some of these databases get updated (e.g. Enforcement Profiles), but I don't think that covers them all.

 

Any helpful comments gratefully accepted.

 

Wayne

 

Contributor I
Posts: 32
Registered: ‎10-05-2010

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M


If this is a duplicate I apologize...

Mr. Clarke...

We have been using this configuration for the past several months with apparent success.  Thanks again for taking the time to do this.  I have found a small glitch that we came across and I have not been able to solve as yet and maybe you might be able to shed some light.

The issue I have come across is that during the Preauth state and BEFORE the Sponsored state, the session timeout is set to 10 minutes; however, after the 10 minute period, it appears that when MAC-Guest-Check:MAC-Expires reaches 0 or a negative number, the session timeout value is set to a very large number, which in essence never expires the session (see attached). Any insight to address this would be appreciated, as I have tried several avenues unsuccessfully with my limited ClearPass knowledge.

 


Much appreciated

M
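As an added illustration (not code from the thread, the PDF, or ClearPass itself), here is a small Python model of the first-applicable policy Wayne proposes in his reply, with a guard for the expired MAC-Expires case M reports. The policy rows, the `Endpoint:Status`/`MAC-Expires` request keys, and the explanation of the "very large number" as a negative value landing in the 32-bit unsigned RADIUS Session-Timeout field are assumptions for the example.

```python
import itertools

UINT32_MASK = 0xFFFFFFFF  # RADIUS Session-Timeout (attribute 27) is a 32-bit unsigned integer
PREAUTH_TIMEOUT = 600     # 10-minute preauth session, as described in the thread


def role_is(role, status=None):
    """Condition on Tips:Role, optionally ANDed with the Endpoints Repository Status."""
    return lambda req: req["Tips:Role"] == role and (status is None or req["Endpoint:Status"] == status)


# Condition 1 as Wayne reads it: one attribute compared against two different values.
ORIGINAL_COND1 = lambda req: (req["Tips:Role"] == "demo-Unsponsored"
                              and req["Tips:Role"] == "demo-sponsored"
                              and req["Tips:Role"] != "demo-expired")

# Assumed policy rows, evaluated first-applicable, following Wayne's proposed tests 2-4.
POLICY = [
    (role_is("demo-sponsored", "Unknown"), "demo-sponsored", "expires"),
    (role_is("demo-sponsored", "Known"),   "demo-sponsored", "expires"),
    (role_is("demo-PreAuth"),              "demo-preauth",   "fixed"),
]


def can_match(condition, roles, statuses=("Known", "Unknown")):
    """Exhaustively check whether a condition is satisfiable over the given attribute values."""
    return any(condition({"Tips:Role": r, "Endpoint:Status": s})
               for r, s in itertools.product(roles, statuses))


def as_wire_uint32(seconds):
    """What a signed value becomes if copied unguarded into a uint32 attribute."""
    return seconds & UINT32_MASK


def session_timeout(req, source, now):
    """Derive Session-Timeout (seconds); times are epoch seconds (constructed inputs)."""
    if source == "fixed":
        return PREAUTH_TIMEOUT
    remaining = req["MAC-Expires"] - now
    # Guard: once MAC-Expires has passed, remaining is <= 0. Sent raw it would wrap
    # to about 4.29e9 seconds (assumed mechanism for the reported huge timeout),
    # so return None and let the caller reject instead of granting an endless session.
    return remaining if remaining > 0 else None


def enforce(req, now):
    """First-applicable evaluation: the first matching row decides the result."""
    for condition, user_role, source in POLICY:
        if condition(req):
            timeout = session_timeout(req, source, now)
            if timeout is None:
                return {"Access": "Reject"}
            return {"Aruba-User-Role": user_role, "Session-Timeout": timeout}
    return {"Access": "Reject"}
```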

Aruba
Posts: 1,296
Registered: ‎08-29-2007

Re: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-M

Hi,

 

As I mentioned, the solution may have some flaws.  Thank you for spotting this.

 

I couldn't open the attachment. Can you reattach, please?



ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com