Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Service Question

  • 1.  Clearpass Service Question

    Posted Oct 07, 2013 06:34 AM

    Hi All,

    I've been playing around with Clearpass in my lab and want to configure the following using a single SSID.

    | Device            | Onboarded Status | User                  | Aruba Role         |
    |-------------------|------------------|-----------------------|--------------------|
    | Domain laptop     | n/a              | none (pre-user login) | machine-auth       |
    | Domain laptop     | n/a              | non-accounts user     | no-accounts        |
    | Domain laptop     | n/a              | accounts user         | auth-accounts      |
    | Mobile device     | no               | any domain user       | cppm-onboard-logon |
    | Mobile device     | yes              | any domain user       | byod-restricted    |
    | Non-domain laptop | no               | any domain user       | cppm-onboard-logon |
    | Non-domain laptop | yes              | any domain user       | byod-restricted    |

    I've got the onboarding of mobile and non-domain laptops working. The domain laptop machine authentication is also working.

    I'm just unsure how to configure a service to get domain users on a domain machine mapped to different roles based on their AD group membership, without catching clients that should be onboarded.

    Any tips?

    Cheers

    James



  • 2.  RE: Clearpass Service Question
    Best Answer

    EMPLOYEE
    Posted Oct 07, 2013 08:39 AM

    I would use a role map vs. an enforcement policy for something this complex. You can map multiple attributes to a "role" within CPPM and then, in the enforcement policy:

    IF TIPS:ROLE EQUALS XYZ THEN send back Aruba role 123.

    So... in your example, you can start to use attributes like:

    IF TIPS:Role == "Machine Authenticated"
    AND Authentication:AD memberOf == AD user group
    THEN TIPS:Role IS ROLE_X

    Hope this starts to help. Please clarify your question a bit more, as I was trying to understand what you wanted.



  • 3.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:01 AM

    Does the trick come in when the user authenticates?

    The machine and the user authenticate separately, so the '[Machine Authenticated]' role isn't available for evaluation at the time that the user authenticates.

    Could you set an Endpoint attribute that gets updated when the machine authenticates? Then, when the user authenticates, you check the Endpoint database for the status of this attribute.

    cappalli describes it in more detail here



  • 4.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:08 AM

    Thanks guys.

     

    I did it the way that Seth suggested. It was far easier than I thought it would be!



  • 5.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:11 AM

    Can you give a little more detail on how you did it?

    I wasn't exactly sure what he meant by the ability to map multiple attributes to a single role.



  • 6.  RE: Clearpass Service Question
    Best Answer

    Posted Oct 07, 2013 09:19 AM

    Sure.

    I created the TIPS role called IRAS Accounts and then created a role mapping for it like so:

    [attachment: cppm-accounts.JPG]

    Below is my onboard provisioning service, enforcement tab.

    Conditions 4-6 are standard onboarding ones. I added the ones above.

    [attachment: cppm-iras.JPG]

    I hope that helps.



  • 7.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:32 AM

    That is interesting. Thank you for the post.

    Sorry to ask another question!

    Are the requests being handled by rule number 2 just requests from a computer authentication attempt? Or both a user and computer?

    Never mind, sorry! I understand what's going on now.

    We did some work on our CPPM on Friday which has messed with some of the results in the Access Tracker. I just had a new client connect and now the rule makes total sense!

    Thanks again!



  • 8.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:38 AM

    Number 1 is for all other AD users, who are connecting on a domain machine.

     

    Number 2 is for users who are in the Accounts AD group, who are connecting on a domain machine.

     

    Rule number 3 handles machine authentication before user login.
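    The three rules described above, plus the onboarding fallthrough this thread runs into when a request is missing the '[Machine Authenticated]' role, as an added first-match model. This is example code written for this page, not code from the thread or from ClearPass; the Request fields, the role_mapping condition and the ordering of the onboarding rules are assumptions of the model, while the role names come from the thread.

```python
# Added model of the enforcement rules discussed in this thread. Not ClearPass
# code: the Request fields and first-match evaluation are assumptions of this
# model; the TIPS and Aruba role names are taken from the thread.
from dataclasses import dataclass, field

MACHINE_AUTH = "[Machine Authenticated]"
USER_AUTH = "[User Authenticated]"


@dataclass
class Request:
    roles: set                                    # TIPS roles on the request
    ad_groups: set = field(default_factory=set)   # AD memberOf of the user
    onboarded: bool = False                       # endpoint already onboarded?


def role_mapping(req: Request) -> set:
    """Role mapping (posts 2 and 6): several attributes combine into one TIPS role."""
    roles = set(req.roles)
    # Only a domain user on a machine-authenticated client gets the group role,
    # so a user-only request from the Accounts group is not promoted.
    if {MACHINE_AUTH, USER_AUTH} <= roles and "Accounts" in req.ad_groups:
        roles.add("IRAS Accounts")
    return roles


# Enforcement policy: ordered (condition, Aruba role) pairs, first match wins.
ENFORCEMENT = [
    # 1: all other AD users connecting on a domain machine
    (lambda r, q: {MACHINE_AUTH, USER_AUTH} <= r and "IRAS Accounts" not in r,
     "no-accounts"),
    # 2: Accounts group users connecting on a domain machine
    (lambda r, q: "IRAS Accounts" in r, "auth-accounts"),
    # 3: machine authentication before user login
    (lambda r, q: MACHINE_AUTH in r and USER_AUTH not in r, "machine-auth"),
    # 4-5 stand in for the standard onboarding conditions (assumed ordering)
    (lambda r, q: USER_AUTH in r and q.onboarded, "byod-restricted"),
    (lambda r, q: USER_AUTH in r and not q.onboarded, "cppm-onboard-logon"),
]


def enforce(req: Request) -> tuple:
    """Return (rule number, Aruba role) of the first matching rule, else (None, 'deny')."""
    roles = role_mapping(req)
    for number, (cond, aruba_role) in enumerate(ENFORCEMENT, start=1):
        if cond(roles, req):
            return number, aruba_role
    return None, "deny"
```

    A domain user from the Accounts group whose request carries only [User Authenticated] never reaches rule 2 and lands on the onboarding rule instead, which is the symptom seen in the Access Tracker later in this thread.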



  • 9.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:43 AM

    Yeah, that makes sense now.

    I was looking at some authentication requests from Friday that were a little messed up because we had some problems with our CPPM on Friday.

    So all of those client requests were missing the '[Machine Authenticated]' role. I just had a new client connect where both the computer and user authenticated.

    In the client request it contained the two roles, [Machine Authenticated] and [User Authenticated], which now makes everything make sense.

    I apologize for my confusion!



  • 10.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:47 AM

    No problem. :smileywink:



  • 11.  RE: Clearpass Service Question

    EMPLOYEE
    Posted Oct 07, 2013 06:55 PM

    Glad you got it working! Some other things you can play around with are auth sources and types. For example, in addition to the attributes you used for the CPPM role, think about the possibilities of using Auth method = TLS or PEAP and/or auth source = AD server A or B. When you then have the ability to layer in profile information on top of all this, you can see how granular you can get!

    Another good one is client MAC address BELONGS_TO_GROUP using a regular expression or list of static hosts. Pretty cool for whitelisting an OUI or something.

    Here's an example from my lab:

    [attachment: Screen Shot 2013-10-07 at 6.53.40 PM.png]



  • 12.  RE: Clearpass Service Question

    Posted Oct 07, 2013 09:44 PM

    Thanks SethFiermonti!

    Good examples to experiment with.

    We used some very similar ones in our deployment. We have a bunch of different auth sources we have to deal with for some of our employees visiting from other locations. We use multiple AD auth sources to determine where they are coming from and the role to give them.

    The flexibility of the CPPM is really awesome!

    Cheers