Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Client Auth/Authorization via CPPM to AD, Registry Key, DHCP scope by AD membership

  • 1.  Client Auth/Authorization via CPPM to AD, Registry Key, DHCP scope by AD membership

    Posted Mar 05, 2014 09:04 PM

    Hi Team,

     

    I'm currently working on a configuration entailing WLC and ISE where the customer wants a single SSID, and wants his wireless clients to authenticate successfully if they pass a registry key compliance check. Additionally, they want clients to receive a different IP address or get mapped to a different DHCP scope based on the Microsoft AD group they belong to. For example:

     

    • Client authenticating with registry key and in AD group ABC that passes authentication gets IP address or subnet for belonging to their specific AD group ABC.

     

    • Client authenticating with registry key and in AD group XXX that passes authentication gets an IP address or subnet belonging to their specific AD group XXX.

    Is this doable? Can we map users to specific DHCP scopes based on AD memberships, and if so how? What attributes need to be tagged or exchanged between CPPM and MS AD, and I'm not sure if the WLC would also need any specific configs to enable this?

     

     

    Clients---->WLC------>CPPM-----> MS AD ( groups ABC, XXXX, YYY )

     

    Currently using EAP-PEAP/MSCHAPv2.

     

    Does anyone have any idea or pointers, or can refer me somewhere that I can read on how to accomplish this? Not sure how to do the registry compliance check, nor which attributes will allow me to map the client to a DHCP scope based on this AD group membership.

     

    Thanks...



  • 2.  RE: Client Auth/Authorization via CPPM to AD, Registry Key, DHCP scope by AD membership

    EMPLOYEE
    Posted Mar 05, 2014 09:08 PM

    You will need the ClearPass OnGuard or Enterprise license to check and/or remediate registry keys.

     

    You have two options for checking AD group membership:

    1. Role Mapping

      - This option tags an internal ClearPass role. For example, if you were checking for an AD group called HR, you could create a ClearPass TIPS role called USER_HR which could be reused in other services and other decisions. This data can also be cached for X amount of time.

    2. Direct check in enforcement policy

      - This option will check membership for every authentication request and can make your enforcement policy a little bit more complicated.

    You can then use this information to map the device to a VLAN (DHCP scope).

     

    Scenario 1:

    [screenshot: rm1.PNG]
    [screenshot: vlan1.PNG]
    [screenshot: enf1.PNG]

    Scenario 2:

    [screenshot: enf2.PNG]



  • 3.  RE: Client Auth/Authorization via CPPM to AD, Registry Key, DHCP scope by AD membership

    Posted Mar 05, 2014 09:57 PM

    In addition to Tim's setup, you can do the following with OnGuard:

    Define the Posture Policy

    [screenshot: 2014-03-05 21_49_09-ClearPass Policy Manager - Aruba Networks.png]
    [screenshot: 2014-03-05 21_48_07-ClearPass Policy Manager - Aruba Networks.png]

     

    You could create a Web Auth service that requires authentication with AD, and you can use it with either the Persistent Agent or the dissolvable agent.

    [screenshot: 2014-03-05 21_48_07-ClearPass Policy Manager - Aruba Networks.png]

    Persistent Agent

    [screenshot: 2014-03-05 21_55_15-ClearPass Policy Manager - Aruba Networks.png]

    Dissolvable

    [screenshot: 2014-03-05 21_56_11-ClearPass Policy Manager - Aruba Networks.png]
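Added example (editor's code, not from the thread and not HPE Aruba's; ClearPass itself is configured through its GUI as the screenshots in posts 2 and 3 show): a small Python model of the decision chain those two posts describe. It tags TIPS roles from AD memberOf DNs (post 2, option 1), evaluates an OnGuard-style registry-key health class into a posture token (post 3), and runs an ordered enforcement policy that returns the RFC 2868 Tunnel attributes a controller uses for dynamic VLAN, and therefore DHCP scope, assignment. The AD group names, TIPS role names, VLAN IDs, registry key and first-match evaluation order are all assumptions for illustration.

```python
"""
Model of: AD groups -> TIPS roles -> posture token -> enforcement -> VLAN.
All names, VLAN IDs and the registry key below are assumed, not from the thread.
"""
from dataclasses import dataclass

# --- 1. Role mapping (assumed AD group CN -> ClearPass TIPS role) ---------
ROLE_MAP = {"ABC": "USER_ABC", "XXX": "USER_XXX"}


def cn_from_dn(dn: str) -> str:
    """CN component of an LDAP DN such as 'CN=ABC,OU=Groups,DC=corp,DC=local'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    if key.strip().upper() != "CN":
        raise ValueError(f"DN does not start with CN: {dn!r}")
    return value.strip()


def map_roles(member_of: list[str]) -> set[str]:
    """Tag one TIPS role per matching AD group; unmatched groups tag nothing."""
    cns = {cn_from_dn(dn) for dn in member_of}
    return {role for cn, role in ROLE_MAP.items() if cn in cns}


# --- 2. Posture: registry-key health class (OnGuard-style) ----------------
@dataclass(frozen=True)
class RegistryRule:
    path: str       # hive\key path, as the posture policy would list it
    name: str       # value name
    expected: str   # value the endpoint must report

# Assumed compliance marker; the customer's real key would go here.
REGISTRY_RULES = (RegistryRule(r"HKLM\SOFTWARE\Corp\Compliance", "Approved", "1"),)


def posture_token(registry: dict) -> str:
    """Evaluate every rule over a snapshot {(path, name): value}.
    A missing key or a wrong value makes the endpoint UNHEALTHY."""
    for rule in REGISTRY_RULES:
        if registry.get((rule.path, rule.name)) != rule.expected:
            return "UNHEALTHY"
    return "HEALTHY"


# --- 3. Enforcement: ordered rules, first match wins (assumed) ------------
QUARANTINE_VLAN = 999                     # assumed remediation VLAN
ENFORCEMENT_RULES = (
    # (condition on (roles, posture), profile name, VLAN) -- quarantine first,
    # so an unhealthy device never lands in its group's VLAN.
    (lambda roles, token: token != "HEALTHY", "Quarantine", QUARANTINE_VLAN),
    (lambda roles, token: "USER_ABC" in roles, "VLAN_ABC", 10),
    (lambda roles, token: "USER_XXX" in roles, "VLAN_XXX", 20),
)
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                    # RFC 3580 / RFC 2868 values


def tunnel_avps(vlan: int, tag: int = 1) -> bytes:
    """Encode the three RFC 2868 attributes used for dynamic VLAN assignment.
    Integer tunnel attributes carry a 1-byte tag + 3-byte value;
    Tunnel-Private-Group-Id carries the tag + the VLAN ID as text."""
    def avp(attr: int, payload: bytes) -> bytes:
        return bytes([attr, 2 + len(payload)]) + payload
    return (avp(TUNNEL_TYPE, bytes([tag]) + VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode()))


def decode_tunnel_avps(buf: bytes) -> dict:
    """Inverse of tunnel_avps: {attr: (tag, value)}, i.e. what the NAS sees."""
    out, i = {}, 0
    while i < len(buf):
        attr, length = buf[i], buf[i + 1]
        tag, value = buf[i + 2], buf[i + 3:i + length]
        out[attr] = (tag, value.decode() if attr == TUNNEL_PRIVATE_GROUP_ID
                     else int.from_bytes(value, "big"))
        i += length
    return out


def authorize(member_of: list[str], registry: dict) -> dict:
    """Decision for one user whose EAP-PEAP/MSCHAPv2 auth already succeeded."""
    roles, token = map_roles(member_of), posture_token(registry)
    for cond, profile, vlan in ENFORCEMENT_RULES:
        if cond(roles, token):
            return {"decision": "Access-Accept", "roles": roles, "posture": token,
                    "profile": profile, "vlan": vlan, "avps": tunnel_avps(vlan)}
    # Default rule: no mapped role -> reject rather than fall into a shared VLAN.
    return {"decision": "Access-Reject", "roles": roles, "posture": token,
            "profile": "Deny", "vlan": None, "avps": b""}


if __name__ == "__main__":
    # Constructed sample inputs (not real endpoint data).
    compliant = {(r"HKLM\SOFTWARE\Corp\Compliance", "Approved"): "1"}
    abc_user = ["CN=ABC,OU=Groups,DC=corp,DC=local"]
    print(authorize(abc_user, compliant)["vlan"])   # 10
    print(authorize(abc_user, {})["vlan"])          # 999
    print(decode_tunnel_avps(tunnel_avps(10)))      # {64: (1, 13), 65: (1, 6), 81: (1, '10')}
```

Two practitioner notes that the thread does not cover. First, the returned Tunnel attributes only take effect if the controller is allowed to override the WLAN's static VLAN (on a Cisco WLC that is the per-WLAN "Allow AAA Override" setting) and the target VLAN or interface actually exists on the controller, so the WLC side does need configuration. Second, a registry key is a weak posture signal: anyone with local admin on the endpoint can set it, so treat it as a compliance marker, not a trust boundary, and keep the quarantine rule ahead of the role rules as the model above does.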