Security

Reply
Occasional Contributor I
Posts: 7
Registered: ‎10-23-2012

Client Auth/Authorization via CPPM to AD, Registry Key, DHCP scope by AD membership

Hi Team,

 

I'm currently working on a configuration entailing WLC and ISE where the customer wants a single SSID,and wants his wireless clients to authenticate successfully if they pass a registry key compliance.  Additionally, they want clients to received a different IP address or get mapped to a different DHCP scope based on the Microsoft AD group they belong too. for example:

 

  • Client authenticating with registry key and in AD group ABC that passes authentication gets IP address or subnet for belonging to their specific AD group ABC.

 

  • Client authenticating with registry key and in AD group XXX that passes authentication gets an IP address or subnet belonging to their specific  AD group XXX.

Is this doable?  Can we mapp users to specific DHCP scopes based on AD memberships, and if so how, what attributed need to be tagged or exchange between CPPM and MS AD and not sure if the WLC would also need any specific configs to enable this?

 

 

Clients---->WLC------>CPPM-----> MS AD ( groups ABC, XXXX, YYY )

 

currently using EAP-PEAP/MSCHAPv2

 

Does anyone have any idea or pointers or can refer me somewhere that I can read on how to accomplish this?  Not sure on how to do the registry compliance check nor what attributes will allow me to map the client to a DHCP Scope based on this AD group membership? 

 

Thanks...

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: Client Auth/Authorization via CPPM to AD, Registry Key, DHCP scope by AD membership

[ Edited ]

You will need the ClearPass OnGuard or Enterprise license to check and/or remediate registry keys.

 

You have two options for checking AD group membership:

  1. Role Mapping

    - This option tags an internal ClearPass role. For example, if you were checking for an AD group called HR, you could create a ClearPass TIPS role called USER_HR which could be reused in other services and other decisions. This data can also be cached for X amount of time.

  2. Direct check in enforcement policy

    - This option will check membership for every authentication request and can make your enforcement policy a litte bit more complicated.

You can then use this information to map the device to a VLAN (DHCP scope) 

 

Scenario 1:

 

rm1.PNG

 

vlan1.PNG

 

enf1.PNG

 

 

Scenario 2:

 

enf2.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Client Auth/Authorization via CPPM to AD, Registry Key, DHCP scope by AD membership

In addition to Tim setup you can do the following with Onguard:

Define the Posture Policy

2014-03-05 21_49_09-ClearPass Policy Manager - Aruba Networks.png

2014-03-05 21_49_09-ClearPass Policy Manager - Aruba Networks.png

2014-03-05 21_48_07-ClearPass Policy Manager - Aruba Networks.png

 

You could create a Web Auth service that requires authentication with AD and you can use it with either Persistent Agent or dissolvable agent

 

2014-03-05 21_48_07-ClearPass Policy Manager - Aruba Networks.png

 

Persistent Agent

 

2014-03-05 21_55_15-ClearPass Policy Manager - Aruba Networks.png

 

Dissolvable 

 

2014-03-05 21_56_11-ClearPass Policy Manager - Aruba Networks.png

 

 

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Search Airheads
Showing results for 
Search instead for 
Did you mean: