MVP
Posts: 561
Registered: ‎11-28-2011

Clearpass automatic local account creation, from external database authentication.

Hello all,

 

Consider the scenario where a Clearpass Guestconnect server is authenticating self-registering guests locally, and then backing off "unknown" user login attempts to an external active directory or radius proxy back-end. I've already got this working, but hit a couple of challenges.

 

Also note quite importantly that we're making use of mac-caching in this case, and limiting the device count to 1 per user.

 

When an AD user connects, they authenticate into AD just fine. In addition, a mac-cache device gets added (good so far). The AD user themselves however, is not added dynamically to the local user account list. As a consequence of this, if the user turns off their device, and then later connects another device using the same AD credentials (assuming the active session has timed-out), they can "work-around" the device limit we've imposed on the system of 1.

 

Does anybody know if there is a function to have Clearpass Guestconnect automatically "inherit" or "import" a user account when it leverages an external/back-end server? I can't think of a reason this wouldn't be feasible, as the password is carried by PAP in this case?

 

Also, for more kudos, is there a way to stop Clearpass backing off the mac-auth attempts to a back-end/external server? I.e. the mac-auth is key to the mac-caching obviously, but ideally you only want these to be processed by Clearpass, and not handed off (as it appears to do when an external server is added).

 

Any thoughts please?

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
Guru Elite
Posts: 20,017
Registered: ‎03-29-2007

Re: Clearpass automatic local account creation, from external database authentication.

[ Edited ]

Assuming you have a different SSID for guest vs. Corporate users, split the service into two services that have different rules based on the SSID they come from:

 

In addition, you can check to see if it is an incoming mac authentication by comparing the Client-mac-address to username by using rule #2 below:

[Attachment: guest.PNG]

 

I am QUITE sure that I did not answer all of your questions, but I still want to give you a direction.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
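The service-selection logic suggested above, as an added example that is not part of the thread and not Aruba's own code: it routes constructed RADIUS requests by SSID first, then applies the answer's rule #2 on the guest SSID by comparing a normalised User-Name against a normalised Client-Mac-Address. The SSID names, service labels and sample requests are assumptions invented for the example. The point worth seeing is the normalisation: NAS devices send MACs as `00:11:22:aa:bb:cc`, `00-11-22-AA-BB-CC`, `0011.22aa.bbcc` or `001122aabbcc`, so a raw string comparison would silently miss MAC-auth requests and hand them to the external server, which is exactly the back-off the original poster wants to avoid.

```python
import re
from dataclasses import dataclass

# Exactly 12 hex digits once separators are stripped.
_MAC_DIGITS = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value: str):
    """Return a MAC as 12 lower-case hex digits, or None if the value is not a MAC.

    Different NAS devices format the address differently, so both sides of the
    comparison are normalised before being compared.
    """
    digits = re.sub(r"[:\-.\s]", "", value.strip().lower())
    return digits if _MAC_DIGITS.fullmatch(digits) else None


@dataclass(frozen=True)
class RadiusRequest:
    """Constructed stand-in for the request attributes a service rule inspects."""
    username: str      # RADIUS User-Name
    client_mac: str    # Client-Mac-Address as sent by the NAS
    ssid: str          # SSID the client connected to


# Hypothetical SSID names (assumption, not taken from the thread).
GUEST_SSID = "Guest-WiFi"
CORP_SSID = "Corp-WiFi"


def is_mac_auth(req: RadiusRequest) -> bool:
    """Rule #2 from the answer: the request is MAC authentication when the
    User-Name is the same MAC address as the Client-Mac-Address."""
    user = normalize_mac(req.username)
    return user is not None and user == normalize_mac(req.client_mac)


def select_service(req: RadiusRequest) -> str:
    """Pick a service: SSID first, then the MAC-auth check on the guest SSID.
    Service labels are hypothetical names for this example."""
    if req.ssid == GUEST_SSID:
        if is_mac_auth(req):
            # MAC-caching lookups are answered from the local store only and
            # are never handed off to AD or a RADIUS proxy.
            return "Guest-MAC-Cache (local only)"
        return "Guest-SelfReg (local, then AD)"
    if req.ssid == CORP_SSID:
        return "Corporate (AD)"
    return "Reject (unknown SSID)"


# Constructed sample requests covering the formats and edge cases above.
SAMPLE_REQUESTS = [
    # MAC auth with the two attributes in different formats: must still match.
    RadiusRequest("00-11-22-AA-BB-CC", "00:11:22:aa:bb:cc", GUEST_SSID),
    # Ordinary self-registered guest login.
    RadiusRequest("guest1234", "00:11:22:aa:bb:cc", GUEST_SSID),
    # Corporate user on the corporate SSID.
    RadiusRequest("jsmith", "0011.22aa.bbcc", CORP_SSID),
    # User-Name looks like a MAC but is not the client's MAC: treated as a
    # normal user login, not as a MAC-cache lookup.
    RadiusRequest("001122aabbcc", "00:11:22:aa:bb:cd", GUEST_SSID),
    # SSID that matches neither service.
    RadiusRequest("jsmith", "00:11:22:aa:bb:cc", "Other-SSID"),
]


def classify_all(requests=SAMPLE_REQUESTS):
    """Return (username, selected service) for every request."""
    return [(r.username, select_service(r)) for r in requests]


if __name__ == "__main__":
    for username, service in classify_all():
        print(f"{username:20} -> {service}")
```

Running the block prints one line per constructed request. The fourth case shows why the comparison is against the client's actual MAC rather than against "does the username look like a MAC": a username that merely resembles a MAC address falls through to the normal user path and is not answered from the cache.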
MVP
Posts: 561
Registered: ‎11-28-2011

Re: Clearpass automatic local account creation, from external database authentication.

Hi there!

 

I probably should have mentioned (sorry), that in this case, it's Clearpass GC 3.9 (Amigopod original looking).

 

Basically, this is because it's the Dell OEM version in use, and this is their most current version they (or rather you) port. I'm having some dialogue with Dell and Aruba TAC guys about where we ought to go with this next!

 

Thanks!

 

Kudos appreciated, but I'm not hunting! (ACMX 104)