Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Identify IOs and Android devices

  • 1.  Clearpass Identify IOs and Android devices

    Posted Oct 10, 2013 11:48 AM

    Guys,

    I am a little confused on Clearpass service configuration.

    I created a service "Acessos 802.1x" to configure two SSIDs with 802.1x.

    It's working well, as in the screenshots.
    When I connect with 802.1x to Enterprise I get one role, and when I connect to Protocolo I get another role. This is configured on Clearpass.

    Now, on the same "Acessos 802.1x" service, I need to add one role or policy for iPhones when they connect via 802.1x (AD). The objective is to force iPhones to go to a guest role that is in the Aruba controller. Not working.

    Also, I need to add to this 802.1x service a MAC list of authorized PCs (static list "PC´s Protocolo" already created). This list is to be applied to the MNE_Protocolo SSID (only the MACs listed can connect to the SSID).


    Can I do this under the Acessos 802.1x service at once?

    Acessos 802.1x should have:

    enforcement for iPhones or Androids to go to the guest role
    enforcement to limit access to SSID MNE_Protocolo to a static MAC list
    enforcement for SSID A to go to role A (it's OK and done)
    enforcement for SSID B to go to role B (it's OK and done)



  • 2.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 10, 2013 04:07 PM

    I would not put all of your SSIDs in a single service. Yes, it can work, but now you have less flexibility to make changes without affecting all of your SSIDs. Create a service for each of your SSIDs. You will be happier when something breaks.


    Under your service rule, change line 3:

     Radius:Aruba   Aruba-ESSID-Name    EXISTS

    Change to:

    Radius:Aruba    Aruba-ESSID-Name    EQUALS <specific name of the SSID>

    Your Services – Acessos 802.1x MNE ENFORCEMENT screenshot:

                Line 1: the device type will not begin with "iphone"; it is "Apple iPhone".

    Please look at my screenshot "iphone policy".

     

    MAC filtering: you will need a separate policy for this also.

    Are you using a controller? What version of code? There are some differences in how MAC authentication works.

    You have more than one question in this post; let's take it one at a time.

    Separate the services out first.

    Make changes to your iPhone/Android rules.

    Then we can deal with the MAC auth request.



  • 3.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 11, 2013 05:19 AM

    Hi ddipert,

    Thanks for your help.

    1. Separate the services first

    You are saying that I should create another 802.1x service for the other SSID? Similar to the one that already exists, but change the RADIUS attribute to "equals"?

    2. Make changes to your iPhone/Android

    OK. I will try it. I was picking the iPhone expression from the RADIUS request in Access Tracker...

    3. Then we can deal with the MAC auth request

    I think I solved this one by enabling MAC auth on the AAA profile. It's working OK, but I need to enter 60 MACs by hand in the internal DB... Not an issue :)

    Thanks

    Regards

     



  • 4.  RE: Clearpass Identify IOs and Android devices

    MVP
    Posted Oct 13, 2013 05:16 AM

    Please avoid MAC auth whenever you can!

    You WILL fail at maintaining it. :P

    A much better solution would be to use the endpoint repository, which already classifies iPhones and other smart devices.

    Here's an example of what you could use to give smart devices a different role without having to keep a list manually:

     

    In your role mapping policy add the following:

    (Authorization:[Endpoints Repository]:Category  EQUALS  SmartDevice

     

    Then in your enforcement policy add something to use that new role and apply the enforcement profile:

    POLICY: (Tips:Role  EQUALS  SmartDevice)

    and the attached PROFILE: Radius:Aruba  Aruba-User-Role = smartdevice-role

    If you really want to give only the iPhone a different role, change "Category  EQUALS  SmartDevice" to "Device Name EQUALS Apple iPhone".



  • 5.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 13, 2013 01:38 PM
    Hi,
    The objective is not for smart devices.
    I have a static MAC host list created, but it is for Windows PCs.

    We need to create an SSID and only permit that static list already created in Clearpass.


  • 6.  RE: Clearpass Identify IOs and Android devices

    EMPLOYEE
    Posted Oct 13, 2013 02:48 PM

    @beconnect wrote:
    Hi,
    The objective is not for smart devices.
    I have a static MAC host list created, but it is for Windows PCs.

    We need to create an SSID and only permit that static list already created in Clearpass.

    Beconnect,

    I have to agree strongly with Koenv on this one. If you have Windows PCs that are part of a domain, you should use machine authentication to differentiate those devices instead of a MAC address list. The post here: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Enforce-Machine-Authentication/m-p/58918/highlight/true#M4585 shows you how you can do that.

     



  • 7.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 13, 2013 03:35 PM
    Hi,

    We have 2 SSIDs created.

    For one of them we need to force that only 30 machines' MAC addresses can connect to the Wi-Fi.

    I created the Aruba service, but I am missing how I can force Clearpass to check whether the MAC address is valid or not...


  • 8.  RE: Clearpass Identify IOs and Android devices

    EMPLOYEE
    Posted Oct 13, 2013 03:49 PM

    @beconnect wrote:
    Hi,

    We have 2 SSIDs created.

    For one of them we need to force that only 30 machines' MAC addresses can connect to the Wi-Fi.

    I created the Aruba service, but I am missing how I can force Clearpass to check whether the MAC address is valid or not...

    1. You need to create two roles within CPPM that would apply to each situation. Go to Identity > Roles to create both.

    2. In your service, you need to create a role mapping policy that checks to see if the user's MAC address belongs to that static host list AND is connecting using that SSID. In the example below, the role mapping policy checks to see if the Calling-Station-Id (incoming MAC address) is in the static host list "authorized-mac-addresses" and the SSID that the user is connecting to is "Thatssid". If both of those conditions hold, it tags the incoming authentication with the role "Role-1".

    role.png

    3. Later, in your enforcement policy, you can check to see if the user's authentication is tagged with the CPPM role Role-1; if so, you permit them with the RADIUS Allow Access profile:

     

    enforce.png



  • 9.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 13, 2013 05:04 PM
    Hi

    Thanks for your explanations ;)
    The SSID was already created; I just need two separate services for two different SSIDs. I was just missing what role to create to check MACs that belong to the static list on Clearpass ;)

    One service has a policy for one SSID and then the authenticated role.

    The other service has a policy going to another SSID and only permits the static host list.

    Nice. I will try tomorrow :) and let you guys know.


  • 10.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 14, 2013 11:59 AM

    Hi,

    I created two rules under the service and all is working OK.

    I don't have the need to create role mappings or policies...

    I just created them directly under the service and it's working.

    For one SSID it does the MAC control and the ESSID check.

    For the other it only checks the ESSID name.

    Is this correct?

    Regards



  • 11.  RE: Clearpass Identify IOs and Android devices

    EMPLOYEE
    Posted Oct 14, 2013 12:14 PM

    It is just a matter of style.

    If you create the rules under Service, anything that does not match those rules will skip to the next service. So you will have to create a different Service to handle everything else. If you handle it under roles, you have the option to handle more in the same service.

    You can do it either way, based on what you are comfortable with: if it is more logical for you to have different services to handle different services, you can certainly do it that way.

     



  • 12.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 14, 2013 12:59 PM

    Hi cjoseph

    I am also trying with roles, but I can't insert another role for iPhones.

    I already put the authentication endpoint iPhone inside the corporate service, but it's not working...

    The idea is to force that if the device is an iPhone or Android, even though they are connecting with AD, they go to the guest role instead of corporate.

    I think my head is not working regarding roles, rules, enforcement profile... that's why it's not working :)

    Errrr...

    It works if I put it directly under the service, but that is limited, as you say...

    Regards


  • 13.  RE: Clearpass Identify IOs and Android devices

    EMPLOYEE
    Posted Oct 14, 2013 01:09 PM

    @beconnect wrote:

    Hi cjoseph

    I am also trying with roles, but I can't insert another role for iPhones.

    I already put the authentication endpoint iPhone inside the corporate service, but it's not working...

    The idea is to force that if the device is an iPhone or Android, even though they are connecting with AD, they go to the guest role instead of corporate.

    I think my head is not working regarding roles, rules, enforcement profile... that's why it's not working :)

    Errrr...

    It works if I put it directly under the service, but that is limited, as you say...

    Regards


    How are you tagging corporate devices with the corporate role? There has to be something in the Role Mappings looking for something and tagging those devices with that role.

    If you want to separate corporate vs. non-corporate, it is much easier to check a device for the built-in [Machine Authenticated] role in the enforcement policy and then send back an enforcement profile to the controller with a VLAN or Aruba Role for corporate devices. You can then make the default enforcement profile something that sends back the guest VLAN or role.

     

     

     



  • 14.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 14, 2013 05:51 PM

    Hi,

    I assume the confusion is in my head. Reading the CPPM guide should clarify...

    As I understand it, Policy Manager, after the handshake on the authentication method, checks for:

    1. Role mapping policy

    2. applies enforcement policy

    3. sends enforcement profile to the switch.

    Based on this and assuming I am correct ;), I have made some improvements and now I need only one SSID, "Enterprise".

    1. Create a role mapping policy "corporate"

    a. with a rule for VLAN A and assume a role A

    b. if it belongs to the group static host list, then go to VLAN B and role B.

    c. adding also endpoint equals Apple iPhone or Android goes to a guest role

    Am I correct and less confusing now?

    Could a, b, c be done under one service only?

    Basically, if the user's MAC address is on the static list it goes to VLAN B and role B.

    If not, it goes to VLAN A and role A.


    Regards



  • 15.  RE: Clearpass Identify IOs and Android devices

    EMPLOYEE
    Posted Oct 14, 2013 06:20 PM

    @beconnect wrote:

    Hi,

    I assume the confusion is in my head. Reading the CPPM guide should clarify...

    As I understand it, Policy Manager, after the handshake on the authentication method, checks for:

    1. Role mapping policy

    2. applies enforcement policy

    3. sends enforcement profile to the switch.

    Based on this and assuming I am correct ;), I have made some improvements and now I need only one SSID, "Enterprise".

    1. Create a role mapping policy "corporate"  You only need one role mapping policy, which will contain all of your rules.

    a. with a rule for VLAN A and assume a role A

    b. if it belongs to the group static host list, then go to VLAN B and role B.

    c. adding also endpoint equals Apple iPhone or Android goes to a guest role

    Am I correct and less confusing now?

    Could a, b, c be done under one service only?

    Basically, if the user's MAC address is on the static list it goes to VLAN B and role B.

    If not, it goes to VLAN A and role A.


    Regards


    1. You only need/can configure a single role mapping policy in a service, and you place all of your rules in there. An incoming authentication can be tagged with a number of CPPM roles in the role mapping policy to make a decision on later. For example, I have a CPPM Student role, a Teacher role and a  created in CPPM under Identity > Roles. I then write a role mapping policy in the service to detect if a user is a teacher and tag him with the Teacher role. If he is a student, tag him with the Student role. They both look at the memberOf attribute to see if the incoming username is a member of that group. If the device is an Apple device, I tag it with the iPhone role. If the OS of the device is Android, then I tag it with that. Since I used "Select all matches", it will be able to tag Student, iPhone or Teacher, iPhone or any combination.

    role.PNG

    2. Later, in my enforcement policy, I want to tie this together:

    I check to see if anybody has the "Android" role. If they do, I send them the Guest Caching enforcement profile, which in the background sends the guest role back to the controller. The role on the controller will switch that device to the guest VLAN.
    I check to see if the user is a teacher AND has machine authenticated (built-in role), and if that is the case, I just allow all, which will place him into the VLAN on the virtual AP on the internal network. Does that make sense?

    enforcement-rules.PNG
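    To make the flow described in this reply and the static-host-list check from reply 8 concrete, here is an added Python model (not ClearPass code and not the thread's own configuration): a role mapping policy evaluated with "Select all matches" tags one request with every matching role, and a first-match enforcement policy (assumed here) then picks a profile from those tags. The SSID, host list, usernames, AD groups and profile names are constructed stand-ins for what the screenshots show.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Constructed data standing in for the objects named in the thread (hypothetical values).
STATIC_HOST_LISTS = {"authorized-mac-addresses": {"001122334455", "aabbccddeeff"}}
AD_MEMBER_OF = {"jdoe": {"Teachers"}, "asmith": {"Students"}}

@dataclass
class Request:
    username: str
    calling_station_id: str        # MAC as the controller sends it
    essid: str                     # Radius:Aruba Aruba-ESSID-Name
    machine_authenticated: bool    # built-in [Machine Authenticated] role
    endpoint_category: Optional[str] = None  # None: endpoint not yet profiled
    roles: Set[str] = field(default_factory=set)  # filled in by map_roles

def norm_mac(mac: str) -> str:
    return mac.replace(":", "").replace("-", "").lower()

# Role mapping policy with "Select all matches": every rule whose condition
# holds adds its role, so one request can carry several roles at once.
ROLE_MAPPING: List[Tuple[Callable[[Request], bool], str]] = [
    # Calling-Station-Id in the static host list AND SSID equals "Thatssid"
    (lambda r: norm_mac(r.calling_station_id)
               in STATIC_HOST_LISTS["authorized-mac-addresses"]
               and r.essid == "Thatssid", "Role-1"),
    (lambda r: "Teachers" in AD_MEMBER_OF.get(r.username, set()), "Teacher"),
    (lambda r: "Students" in AD_MEMBER_OF.get(r.username, set()), "Student"),
    (lambda r: r.endpoint_category == "SmartDevice", "SmartDevice"),
]

def map_roles(req: Request) -> Set[str]:
    roles = {role for cond, role in ROLE_MAPPING if cond(req)}
    if req.machine_authenticated:
        roles.add("[Machine Authenticated]")
    req.roles = roles
    return roles

# Enforcement policy evaluated first-match (assumed here): the first rule whose
# condition holds picks the profile; anything else gets the default profile.
ENFORCEMENT: List[Tuple[Callable[[Set[str]], bool], str]] = [
    (lambda roles: "SmartDevice" in roles, "Guest Role"),
    (lambda roles: {"Teacher", "[Machine Authenticated]"} <= roles, "[Allow Access Profile]"),
    (lambda roles: "Role-1" in roles, "[Allow Access Profile]"),
]
DEFAULT_PROFILE = "Guest Role"  # default: send the guest role back to the controller

def enforce(req: Request) -> str:
    roles = map_roles(req)
    for cond, profile in ENFORCEMENT:
        if cond(roles):
            return profile
    return DEFAULT_PROFILE
```

    A request with endpoint_category left at None models the first 802.1X attempt from an unprofiled device, which is why it never receives the SmartDevice tag.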



  • 16.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 14, 2013 07:00 PM

    OK... ;)

    It makes sense...

    So roles created in CPPM (Student role or Teacher role) are only used for condition purposes under enforcement... as you said, only to make a later decision.

    Is it also possible on the enforcement to add an action to force a VLAN, correct?

    Role mapping policy

    So in the mapping rules I will put one for the static MAC list, named "MAC" role,

    one for endpoints for iPhone and Android, named iPhone and Android roles.

    Then on enforcement I will say that Tips role "MAC" goes to the action "a role that already exists on the controller".

    OK...
    I should try it tomorrow.

    Regards and thanks for your patience... still catching up with Clearpass ;)



  • 17.  RE: Clearpass Identify IOs and Android devices
    Best Answer

    EMPLOYEE
    Posted Oct 14, 2013 11:55 PM

    @beconnect wrote:

    OK... ;)

    It makes sense...

    So roles created in CPPM (Student role or Teacher role) are only used for condition purposes under enforcement... as you said, only to make a later decision.

    Is it also possible on the enforcement to add an action to force a VLAN, correct?  In the enforcement profile, you are allowed to send back a role, or a VLAN through an Aruba attribute, to force that connection. In 802.1x, since the client does not have an IP address or even a link before he or she authenticates, you can send back any VLAN or role that you want and the client will be placed on that VLAN.

    Role mapping policy

    So in the mapping rules I will put one for the static MAC list, named "MAC" role,

    one for endpoints for iPhone and Android, named iPhone and Android roles.  It depends what you want to do. If I just wanted to compare a client's MAC address to a static host list and tag it with a role called "domain", below is what I would do. By the way, the OS comparison is unreliable, because the client would have had to already get an IP address and be in the endpoint table for the endpoint to even be known. If you are using 802.1x and the client is authenticating for the first time, this is NOT known, because in 802.1x the client does not get an IP address until it authenticates. Consider a better method of classifying those devices.

    domain.PNG

    Then on enforcement I will say that Tips role "MAC" goes to the action "a role that already exists on the controller".

    The enforcement profile can send back an Aruba RADIUS attribute:

    attribute.PNG

    OK...
    I should try it tomorrow.

    Regards and thanks for your patience... still catching up with Clearpass ;)


     



  • 18.  RE: Clearpass Identify IOs and Android devices

    Posted Oct 15, 2013 08:47 AM

    Hi,

    Finally it seems done and OK.

    Thanks cjoseph... you are the man (and also reading the CPPM user guide with patience).

    Now I have one SSID, Enterprise, that can go to several roles or VLANs based on what is configured in Clearpass.

    Also, if it is an iPhone it goes to guest.

    Phase 1 completed. Now phase 2: Clearpass Guest module configuration with captive portal :))

    Regards and many thanks



  • 19.  RE: Clearpass Identify IOs and Android devices

    EMPLOYEE
    Posted Oct 15, 2013 09:17 AM

    Those role mappings look okay.



  • 20.  RE: Clearpass Identify IOs and Android devices

    Posted Apr 25, 2014 09:35 PM

    Wow, that explanation of 'select all matches' solved my confusion.

    Now, if only this information was in ANY of the Clearpass documentation. What is there suggests this is a logical AND operation, which just does not make sense.