New Contributor

Clearpass MAC AUTH with AD as authentication source limiting two MAC address per user

Hi,

I am trying to create a service which uses AD as the authentication source for MAC Auth and 802.1X.

How do I create a policy and enforcement profile so that ClearPass checks the Calling-Station-ID stored on the AD user as an attribute, in order to validate the MAC address of that particular user before allowing access?

Thanks

MVP

Re: Clearpass MAC AUTH with AD as authentication source limiting two MAC address per user

Greetings!

I assume you have the MAC address entered into a field in the AD account. This field you have to extract during authentication, and then use it for authorization.

It's a tad tricky, but definitely doable if you have some insight into your AD and SQL. It should be roughly something like this:

 

Navigate to Authentication Sources and create a copy of your AD auth source. This new one is the one you will use in your service, so as not to ruin anything in production (or create a copy you can revert to if you mess up the production one ;)

Edit the new Auth Source and click on the Authentication Filter. If you already know the name of the MAC-address field, enter it similar to the other fields in here under "Configuration" (Alias and the field name as a string). If you're not sure of the name of the field, click the Attributes tab and you should be able to find it there.

->> Click Save after completion.

 

Ok - now you have a few ways to do this, but the most direct way is to edit your enforcement policy. In the rule that matches your user/machine authentication add in a line like this:

Type=Authorization:AD-SOURCE

Name=MAC-ALIAS (as you entered in the auth-source)

Operator=EQUALS

Value=%{Radius:IETF:Calling-Station-Id}

 

Now - you need to make sure they are input exactly the same. If you store the MAC address in AD differently than what your NAS sends, then you want to use a different value to check against. If your NAS sends UPPERCASE with hyphens - then you do this:

Value=%{Connection:Client-Mac-Address-Upper-Hyphen}

Check a 1X authentication record in your Access Tracker under Computed Attributes to find the different variations to use. One of these SHOULD match what you input in the AD field ;)

 

Good luck and shout out if you need any further assistance!


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
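To make the format pitfall above concrete, here is an added Python example (it is not ClearPass code and is not part of the original thread). It emulates the enforcement rule's EQUALS comparison between the AD-stored value and the RADIUS Calling-Station-Id, first as a literal string compare and then after normalizing both sides, and it renders the delimiter variants you would pick from under Computed Attributes. The MAC addresses are constructed sample values, and treating the AD attribute as a list of stored values (one per permitted device) is an assumption for the illustration.

```python
import re

# Delimiter styles a NAS or a Computed Attribute may present a MAC in.
# The style labels are this example's own; only Upper-Hyphen is named on the page.
STYLES = ("upper-hyphen", "lower-colon", "no-delimiter", "cisco-dotted")


def normalize_mac(value):
    """Strip every non-hex character and lowercase; None if not 48 bits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        return None
    return digits.lower()


def render_mac(normalized, style):
    """Render a normalized MAC in one of the delimiter styles."""
    pairs = [normalized[i:i + 2] for i in range(0, 12, 2)]
    if style == "upper-hyphen":
        return "-".join(p.upper() for p in pairs)
    if style == "lower-colon":
        return ":".join(pairs)
    if style == "no-delimiter":
        return normalized
    if style == "cisco-dotted":
        return ".".join(normalized[i:i + 4] for i in range(0, 12, 4))
    raise ValueError(f"unknown style {style!r}")


def strict_equals(stored_value, calling_station_id):
    """What an EQUALS rule does: a byte-for-byte string comparison."""
    return stored_value == calling_station_id


def mac_allowed(stored_values, calling_station_id):
    """Authorization check after normalizing both sides.

    stored_values: the AD attribute's values (assumed multi-valued, one per
    permitted device). Returns True if the NAS-reported MAC matches any of them.
    """
    wanted = normalize_mac(calling_station_id)
    if wanted is None:
        return False  # malformed Calling-Station-Id never authorizes
    return any(normalize_mac(v) == wanted for v in stored_values)


if __name__ == "__main__":
    # Constructed sample: AD holds two devices in upper-hyphen form,
    # the NAS reports the MAC in lower-colon form.
    ad_values = ["AA-BB-CC-11-22-33", "AA-BB-CC-44-55-66"]
    nas_mac = "aa:bb:cc:44:55:66"
    print("literal EQUALS:", strict_equals(ad_values[1], nas_mac))   # False
    print("after normalizing:", mac_allowed(ad_values, nas_mac))     # True
    for style in STYLES:
        print(f"{style:>13}: {render_mac(normalize_mac(nas_mac), style)}")
```

The literal compare fails even though both sides name the same device, which is exactly why the reply says to pick the Connection:Client-Mac-Address-* variant whose delimiter and case match what you typed into AD; the normalized compare shows what a matching pair looks like.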
New Contributor

Re: Clearpass MAC AUTH with AD as authentication source limiting two MAC address per user

Hi John Solberg,

 

Greetings!!!!

 

I found a way to work this out, similar to the way you advised.

I just created a new attribute in AD (msNPCallingStationID).

On the enforcement policy I have created:

Type=Authorization:AD-SOURCE

Name=msNPCallingStationID (attribute created in AD)

Operator=EQUALS

Value=%{Radius:IETF:Calling-Station-Id}

 

It worked out like a charm, thank you for the quick response.

 

Thanks,

Lokesh
