MVP
Posts: 952
Registered: ‎04-13-2009

Clearpass Service Question

Hi All,

 

I've been playing around with Clearpass in my lab and want to configure the following using a single SSID.

Device            | Onboarded Status | User                  | Aruba Role
------------------+------------------+-----------------------+--------------------
Domain laptop     | n/a              | none (pre-user login) | machine-auth
Domain laptop     | n/a              | non accounts user     | no-accounts
Domain laptop     | n/a              | accounts user         | auth-accounts
Mobile device     | no               | any domain user       | cppm-onboard-logon
Mobile device     | yes              | any domain user       | byod-restricted
Non-domain laptop | no               | any domain user       | cppm-onboard-logon
Non-domain laptop | yes              | any domain user       | byod-restricted

I’ve got the onboarding of mobile and non-domain laptops working. Also the domain laptop machine authentication is working.

I'm just unsure how to configure a service to get domain users on a domain machine mapped to different roles based on their AD group membership without catching clients that should be onboarded.

Any tips?

Cheers

James


-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Aruba
Posts: 1,368
Registered: ‎12-12-2011

Re: Clearpass Service Question

I would use a role map vs. an enforcement policy for something this complex. You can map multiple attributes to a "role" within CPPM and then in the enforcement policy:

    IF TIPS:ROLE EQUALS XYZ THEN Send back Aruba role 123.

So...in your example, you can start to use attributes like

    IF TIPS:Role == "Machine Authenticated"
    AND
    IF Authentication:AD memberof == AD user group
    THEN
    TIP:ROLE IS ROLE_X

Hope this starts to help. Please clarify your question a bit more as I was trying to understand what you wanted.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Clearpass Service Question

Does the trick come in when the user authenticates?

The machine and the user authenticate separately, so the '[Machine Authenticated]' role isn't available for evaluation at the time that the user authenticates.

Could you set an attribute in the Endpoint database that gets updated when the machine authenticates? Then, when the user authenticates, you check the Endpoint database for the status of this attribute.

cappalli describes it in more detail here
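The two-stage evaluation Seth describes (a role mapping policy collects TIPS roles from several attributes, then the enforcement policy turns a TIPS role into an Aruba user role), together with the caveat in the reply above (machine and user authentication arrive as separate requests, so the machine-auth result has to be carried over in an endpoint attribute), can be modelled in a few lines. The Python below is an added illustration written for this thread; it is not ClearPass code and not taken from any of the posters. The TIPS role name `IRAS Accounts` and the Aruba role names come from the thread; the endpoint attribute name `Machine-Auth`, the AD group DN, the `Onboarded` TIPS role, the "evaluate all" role-mapping mode, the first-match enforcement order and the `deny` default are assumptions made for the model.

```python
# Toy model of ClearPass policy evaluation: request attributes -> role mapping
# (TIPS roles) -> enforcement (Aruba user role).  Constructed for illustration;
# nothing here is ClearPass code.

ENDPOINT_DB = {}  # simulated Endpoint repository, keyed by client MAC

MACHINE_AUTHED = "[Machine Authenticated]"
USER_AUTHED = "[User Authenticated]"
ACCOUNTS_ROLE = "IRAS Accounts"                                # TIPS role from the thread
ACCOUNTS_GROUP = "CN=Accounts,OU=Groups,DC=example,DC=com"     # assumed AD group DN
MACHINE_AUTH_ATTR = "Machine-Auth"                             # assumed endpoint attribute


def machine_auth(mac):
    """The computer account authenticates before any user logs on.
    Returns the TIPS roles for that request and records the result in the
    endpoint DB so the later, separate user request can find it."""
    ENDPOINT_DB.setdefault(mac, {})[MACHINE_AUTH_ATTR] = "true"
    return {MACHINE_AUTHED}


def role_map(mac, member_of, onboarded):
    """Role mapping policy for a *user* authentication.  Every rule is
    evaluated and all matching roles are collected (assumed mode).
    The request itself carries no machine-auth state: it is looked up
    from the endpoint attribute written by machine_auth()."""
    roles = {USER_AUTHED}
    endpoint = ENDPOINT_DB.get(mac, {})
    if endpoint.get(MACHINE_AUTH_ATTR) == "true":
        roles.add(MACHINE_AUTHED)
    if ACCOUNTS_GROUP in member_of:
        roles.add(ACCOUNTS_ROLE)
    if onboarded:                      # device holds an Onboard-issued certificate
        roles.add("Onboarded")
    return roles


# Enforcement policy: ordered rules, first match wins (assumed mode).  The
# specific Accounts rule precedes the general domain-user rule, and both
# require [Machine Authenticated], so a domain user on a non-domain device
# falls through to the onboarding rules instead of getting an internal role.
ENFORCEMENT = [
    (lambda r: {MACHINE_AUTHED, USER_AUTHED, ACCOUNTS_ROLE} <= r, "auth-accounts"),
    (lambda r: {MACHINE_AUTHED, USER_AUTHED} <= r, "no-accounts"),
    (lambda r: MACHINE_AUTHED in r and USER_AUTHED not in r, "machine-auth"),
    (lambda r: {USER_AUTHED, "Onboarded"} <= r, "byod-restricted"),
    (lambda r: USER_AUTHED in r, "cppm-onboard-logon"),
]


def enforce(roles):
    """Return the Aruba user role for a set of TIPS roles."""
    for matches, aruba_role in ENFORCEMENT:
        if matches(roles):
            return aruba_role
    return "deny"  # assumed default when no rule matches


def authenticate(mac, auth_type, member_of=(), onboarded=False):
    """Run one RADIUS request through both stages and return the Aruba role."""
    if auth_type == "machine":
        roles = machine_auth(mac)
    else:
        roles = role_map(mac, member_of, onboarded)
    return enforce(roles)


if __name__ == "__main__":
    # Constructed walk-through of the table in the opening post.
    ENDPOINT_DB.clear()
    staff = "CN=Staff,OU=Groups,DC=example,DC=com"          # assumed non-Accounts group
    print(authenticate("aa:bb:cc:00:00:01", "machine"))                      # machine-auth
    print(authenticate("aa:bb:cc:00:00:01", "user", [ACCOUNTS_GROUP]))       # auth-accounts
    print(authenticate("aa:bb:cc:00:00:01", "user", [staff]))                # no-accounts
    print(authenticate("aa:bb:cc:00:00:02", "user", [ACCOUNTS_GROUP]))       # cppm-onboard-logon
    print(authenticate("aa:bb:cc:00:00:02", "user", [ACCOUNTS_GROUP], True)) # byod-restricted
```

The point the model makes is that the decision for a domain user depends on state from an earlier, separate request: the user's own RADIUS exchange never carries "[Machine Authenticated]", so it must be read back from the endpoint record. In a real deployment that cached state should expire (ClearPass has a machine authentication cache timeout for this); the toy model never clears the flag, so a device that was once machine-authenticated keeps that status forever.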

MVP
Posts: 952
Registered: ‎04-13-2009

Re: Clearpass Service Question

Thanks guys.

 

I did it the way that Seth suggested. It was far easier than I thought it would be!

Cheers
James

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Clearpass Service Question

Can you give a little more detail on how you did it?

I wasn't exactly sure what he meant by the ability to map multiple attributes to a single role.

MVP
Posts: 952
Registered: ‎04-13-2009

Re: Clearpass Service Question

Sure.

I created the TIPS role called IRAS Accounts, then created a role mapping for it like so:

[Image: cppm-accounts.JPG]

Below is my onboard provisioning service - enforcement tab.

Conditions 4-6 are standard onboarding ones. I added the ones above.

[Image: cppm-iras.JPG]

I hope that helps.

Cheers
James

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Clearpass Service Question


That is interesting. Thank you for the post.

 

Sorry to ask another question!

Are the requests being handled by rule number 2 just requests from a computer authentication attempt?

Or both a user and computer?

 

Never mind, sorry!

I understand what's going on now.

 

We did some work on our CPPM on Friday which has messed with some of the results in the Access Tracker.

I just had a new client connect and now the rule makes total sense!

 

Thanks again!

MVP
Posts: 952
Registered: ‎04-13-2009

Re: Clearpass Service Question

Number 1 is for all other AD users, who are connecting on a domain machine.

 

Number 2 is for users who are in the Accounts AD group, who are connecting on a domain machine.

 

Rule number 3 handles machine authentication before user login.

Cheers
James

Super Contributor II
Posts: 383
Registered: ‎09-05-2012

Re: Clearpass Service Question

Yeah that makes sense now.

 

I was looking at some authentication requests from Friday that were a little messed up because we had some problems with our CPPM on Friday.

So all of those client requests were missing the '[Machine Authenticated]' role.

I just had a new client connect where both the computer and user authenticated.

The client request contained the two roles [Machine Authenticated] and [User Authenticated], which now makes everything make sense.

 

I apologize for my confusion!

MVP
Posts: 952
Registered: ‎04-13-2009

Re: Clearpass Service Question

No problem. ;)

Cheers
James
